How to check if a user exists in Radius Server and get attributes.

[hanbeytoktas]

Hello,

In my Spring Boot application, I'm using a radius authenticator. When I authenticate with the RadiusClient by sending the username and password, I map the users and their roles based on the attributes received. However, I have another service where I periodically sync users. Here, I only want to connect using the radius client and retrieve the attributes of a user by providing just the username, in order to update the user with this information. However, the RadiusClient has both authenticate and account calls. I use the "authenticate" call in the login part. In the part where I sync users, there is no password information, so I need to retrieve the user's information from a radius using only the username. How can I do this?

This is my login mechanism

RadiusSetting radiusSetting=settingsDto.getRadiusSetting();
			NetworkAccessServer radiusClient=new NetworkAccessServer(new RadiusServer(radiusSetting.getServerIp(),radiusSetting.getSecret(),10000));
RadiusPacket response = radiusClient.authenticate(authentication.getName(),authentication.getCredentials().toString());
if(response==null){
logger.warn("User {}, calling radius does not return any value.", username);
throw BaseException.builder().error(BaseError.RADIUS_CONNECTION_ERROR);
}
if (response.getPacketType() == RadiusPacket.ACCESS_ACCEPT) {
logger.info("User {} successfully authenticated using radius", username);
UserDetails userDetails= this.userDetailsService.loadUserByUsername(username);
UsernamePasswordAuthenticationToken authNew =
		new UsernamePasswordAuthenticationToken(
				userDetails,
				authentication.getCredentials(),
				userDetails.getAuthorities());
SecurityContextHolder.getContext().setAuthentication(authNew);
return authNew;
} else {
logger.warn("User {}, returned response {}", username, response);
throw BaseException.builder().error(BaseError.RADIUS_CONNECTION_ERROR,"User "+username+", returned response "+response.toString());
			}

[gribnut]

If I understand correctly, you're looking for the RADIUS server to respond with the same type of response/attributes as the ACCESS ACCEPT with difference being that you do not have the user's password. This ability is a function of the RADIUS server (not the RADIUS client).
I think you just need to configure your RADIUS server to send ACCESS ACCEPT for queries from your SpringBoot client. I.e. - if RADIUS server sees request from your SpringBoot client without password (or a shared secret in lieu of user's password), the server will send normal ACCESS ACCEPT response. Ideally, this would still require one or more other attributes in request (e.g. add an attribute in request with a shared secret value) or limit such behavior to your SpringBoot client to remain secure. You don't mention which RADIUS server you are using, but if using a RADIUS server other than TinyRadius, configuration of the RADIUS server is really out of scope for this particular repo.