Freeradius and Role based access control
Alan DeKok
aland at deployingradius.com
Thu Nov 2 17:10:42 CET 2017
On Nov 2, 2017, at 11:46 AM, Tony Pedley <tpedley at gmail.com> wrote:
> IEC 62351 specifies that access permission to a device is based on the
> authentication of the user and also the role(s) associated with that user.
What "role" is associated with the user?
i.e. What is inside of a *RADIUS* packet, that tells you what the user's "role" is?
> To allow us to use RADIUS to authenticate an access request, we would the
> radius server to authenticate both the user name password, but also whether
> the user has the rights to the role requested. There does not seem to
> be any obvious attribute to pass requested role information to a freeradius
> server,
That's the issue.
And no, it's not a FreeRADIUS issue. It's a NAS issue.
> so what is generally the method to implement Role Based access
> control via Radius?
Does the NAS send the role in a RADIUS attribute?
a) yes - you can do role-based enforcement
b) no, you can't do role-based enforcement.
And what NAS are you using? What larger use-case is going on?
Knowing some more details might help.
Alan DeKok.
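
The yes/no distinction in the reply above, as an added example that is not part of the original message and is not FreeRADIUS code: a role check is only possible when the Access-Request carries the requested role. The vendor-specific sub-attribute, the role names and the user table are assumptions made for illustration, and password verification is left out.

```python
import struct

USER_NAME, VENDOR_SPECIFIC = 1, 26   # attribute types from RFC 2865
VENDOR_ID = 32473      # enterprise number reserved for documentation (RFC 5612)
ROLE_SUBTYPE = 1       # hypothetical sub-attribute carrying the requested role
USER_ROLES = {"alice": {"VIEWER", "OPERATOR"}, "bob": {"VIEWER"}}  # constructed


def parse_attributes(packet: bytes):
    """Yield (type, value) for every attribute in a RADIUS packet."""
    if len(packet) < 20:
        raise ValueError("packet shorter than RADIUS header")
    _code, _ident, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length > len(packet):
        raise ValueError("bad RADIUS length field")
    pos = 20                          # skip the header and 16-byte authenticator
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("malformed attribute")
        yield atype, packet[pos + 2:pos + alen]
        pos += alen


def requested_role(packet: bytes):
    """Return (user, role); role is None when the NAS sent no role attribute."""
    user = role = None
    for atype, value in parse_attributes(packet):
        if atype == USER_NAME:
            user = value.decode()
        elif atype == VENDOR_SPECIFIC and len(value) >= 6:
            (vendor,) = struct.unpack("!I", value[:4])
            sub_type, sub_len = value[4], value[5]
            if (vendor == VENDOR_ID and sub_type == ROLE_SUBTYPE
                    and 2 <= sub_len <= len(value) - 4):
                role = value[6:4 + sub_len].decode()
    return user, role


def role_decision(packet: bytes) -> str:
    user, role = requested_role(packet)
    if role is None:
        return "no-role-attribute"    # case (b): nothing to enforce on
    return "accept" if role in USER_ROLES.get(user, set()) else "reject"


def build_request(user: str, role=None) -> bytes:
    """Build a constructed Access-Request used as sample input."""
    attrs = bytes([USER_NAME, 2 + len(user)]) + user.encode()
    if role is not None:
        sub = bytes([ROLE_SUBTYPE, 2 + len(role)]) + role.encode()
        attrs += bytes([VENDOR_SPECIFIC, 6 + len(sub)]) + struct.pack("!I", VENDOR_ID) + sub
    return struct.pack("!BBH", 1, 7, 20 + len(attrs)) + bytes(16) + attrs
```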