group based authentication
- To: freeradius-users@lists.freeradius.org
- Subject: group based authentication
- From: "srg krn" <srgqwerty@gmail.com>
- Date: Sat, 23 Sep 2006 12:41:57 +0200
- Reply-to: FreeRadius users mailing list <freeradius-users@lists.freeradius.org>
Hello:
We want to design an AAA system with the following requisites:
COMPONENTS THAT WE HAVE:
A) NAS(es)
B) freeradius frontend
C) authenticators
WHAT WE CAN DO IS:
1. The NAS sends a radius "access-request" to the radius frontend.
In the packet there is a username (in username@group syntax) and a password.
2. The frontend MUST decide the authentication method and the
authenticator machine based ONLY on the group (string AFTER the @).
3. The frontend sends user and password (note that NOT user@group) to
the authenticator machine (maybe another radius, ldap, mysql, ...).
4. Then the authenticator machine answers the frontend only with "OK"
or "NOT OK".
5. If "OK" from step (4), then the freeradius answers the NAS with
"access granted" and some attributes extracted from the "group" (ip
pool, netmask, default gw, ... _AND_ THE GROUP THAT IS AFTER THE @).
NOTE THAT:
- The unique function of the authenticators is saying "OK" if the
username and passwd are correct or "NOT OK" if not.
- NO USERS are defined in the radius frontend (only GROUPS with their
respective attributes).
Is there any "intelligent" way of accomplishing this design with freeradius?
Thanks in advance and best regards
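
The decision flow in steps 1 to 5 above, modelled in Python as an added example that is not part of the original post and is not FreeRADIUS configuration. The group table, the backend stand-ins, the function names and the use of the Class attribute to return the group are all assumptions made for illustration.

```python
"""Model of the frontend flow in steps 1-5 (constructed example)."""
import hmac

# Constructed group table: the frontend stores only groups, never users.
GROUPS = {
    "sales": {"backend": "ldap",
              "reply": {"Framed-Pool": "sales-pool",
                        "Framed-IP-Netmask": "255.255.255.0"}},
    "guest": {"backend": "sql",
              "reply": {"Framed-Pool": "guest-pool",
                        "Framed-IP-Netmask": "255.255.255.128"}},
}

# Constructed stand-ins for the authenticators; each only answers OK / NOT OK.
_FAKE_STORES = {"ldap": {"alice": "s3cret"}, "sql": {"bob": "hunter2"}}

def ask_backend(backend, user, password):
    """Step 3/4: send the bare user name and password, get True or False."""
    stored = _FAKE_STORES.get(backend, {}).get(user)
    if stored is None:
        return False
    return hmac.compare_digest(stored.encode(), password.encode())

def split_identity(user_name):
    """Split user@group on the LAST '@'; reject empty user or group."""
    user, sep, group = user_name.rpartition("@")
    if not sep or not user or not group:
        return None
    return user, group.lower()

def handle_access_request(user_name, password):
    """Steps 1-5. Every failure yields the same bare reject, so the NAS
    cannot tell an unknown group from a wrong password."""
    parsed = split_identity(user_name)
    if parsed is None:
        return {"code": "Access-Reject"}
    user, group = parsed
    entry = GROUPS.get(group)
    if entry is None:  # unknown group: fail closed, no default backend
        return {"code": "Access-Reject"}
    if not ask_backend(entry["backend"], user, password):
        return {"code": "Access-Reject"}
    reply = dict(entry["reply"])  # step 5: attributes come from the group
    reply["Class"] = group        # assumption: group returned in Class
    return {"code": "Access-Accept", "attributes": reply}
```
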