Strategy for grouping users for authentication

Alan DeKok aland at deployingradius.com
Sat Jan 3 20:37:36 CET 2009


Alex French wrote:
> We are using FreeRADIUS 1.1.7 to authenticate a large group of users

  Ugh.  We really suggest upgrading.

> for one service, with a pgsql backend. I would now like to start using
> our radius servers to also authenticate other groups of users for
> specific services, e.g. admin users who can access an apache frontend
> etc using PAM.
> 
> My question is, what's the best way to classify and group the users to
> ensure that group X can access one service but group Y can access
> another, etc?

  Groups.  2.x has example configurations that create groups local to
the RADIUS server.

> My first thought is to use an attribute like the NAS-Id to identify
> the service and require certain user groups for each Nas id in the
> clients file. However, this does not allow any more granularity than
> the machine making the request -- for example, login, POP and httpd
> may all be on the same server but have different groups that should be
> able to access them.

  Is there anything in the RADIUS request that allows you to distinguish
the different services?  If not, having any level of granularity is
impossible.

  Alan DeKok.


