Any way to implement privileges-granting as I configure in 'users'

luckydog xf luckydogxf at gmail.com
Mon Nov 20 02:40:56 CET 2017


Hi,

   Could you give more hints about using One-Time-Password by LDAP? Thanks,

   And here comes the part of my guess, which is the comment of
site-enabled/default
=============
#  Authentication.
#
#
#  This section lists which modules are available for authentication.
#  Note that it does NOT mean 'try each module in order'.  It means
#  that a module from the 'authorize' section adds a configuration
#  attribute 'Auth-Type := FOO'.  That authentication type is then
#  used to pick the appropriate module from the list below.
#

#  In general, you SHOULD NOT set the Auth-Type attribute.  The server
#  will figure it out on its own, and will do the right thing.  The
#  most common side effect of erroneously setting the Auth-Type
#  attribute is that one authentication method will work, but the
#  others will not.
#
#  The common reasons to set the Auth-Type attribute by hand
#  are to either forcibly reject the user (Auth-Type := Reject),
#  or to forcibly accept the user (Auth-Type := Accept).
#
#  Note that Auth-Type := Accept will NOT work with EAP.
#
#  Please do not put "unlang" configurations into the "authenticate"
#  section.  Put them in the "post-auth" section instead.  That's what
#  the post-auth section is for.
#
authenticate {
....
========

On Fri, Nov 17, 2017 at 9:51 PM, Alan DeKok <aland at deployingradius.com>
wrote:

> On Nov 17, 2017, at 4:15 AM, luckydog xf <luckydogxf at gmail.com> wrote:
> >    Currently I'm using the 'users' file to authorize users against login on our
> > network device like Switches.
> > ...
> > But I want to integrate it with FreeIPA (which provides a LDAP service),
> > which brings the benefit of using one-time-password (see this
> > https://www.freeipa.org/page/Using_FreeIPA_and_FreeRadius_as_a_RADIUS_based_software_token_OTP_system_with_CentOS/RedHat_7
> > )
>
>   Sure... one-time passwords don't always work, though.  Specifically,
> with EAP / WiFi.
>
> > Apparently it's easy to configure user's account, but is there any way to
> > handle the privileges related stuff like 'Huawei-Exec-Privilege = "3",' in
> > LDAP?
>
>   Yes.
>
> > And by the way, how is 'authenticate section' in 'site-enabled/default'
> > called? I'm a little bit confused. Can I say that 'authenticate section' is
> > useless
>
>   Uh... no.  It's there for a reason.  If you read the comments in the
> configuration file, they will tell you what it does, and why it's used.
>
> > and would NEVER be called unless I add "Auth-Type := FOO" in the 'authorize
> > section'?  I guess this from the comment of 'default'.
>
>   You "guess"?  What part of the documentation requires guessing?
>
>   Alan DeKok.
>
>


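The thread asks whether the privilege attribute from the 'users' file can instead come from LDAP, and how the authenticate section gets called. The following sites-enabled/default fragment (FreeRADIUS 3.x unlang) is an added example, not the poster's or Alan's configuration and not the stock file: it assumes an ldap module instance named "ldap" pointing at the FreeIPA directory, and the group DNs are placeholders for your own FreeIPA groups.

```unlang
# sites-enabled/default (FreeRADIUS 3.x) -- added example, not the stock file.
# Assumes: ldap module instance "ldap" configured against FreeIPA;
# group DNs below are placeholders (FreeIPA keeps groups under cn=groups,cn=accounts).

authorize {
    preprocess
    # (other stock authorize modules stay here)

    # Look the user up in FreeIPA instead of the 'users' file.  This also
    # records the user's group memberships so LDAP-Group can be tested later.
    ldap

    # The ldap module cannot read FreeIPA's OTP secrets, so the only way to
    # verify "password + token code" is an LDAP bind as the user.  Setting
    # Auth-Type here is what selects the matching block in 'authenticate'.
    if ((ok || updated) && User-Password) {
        update control {
            Auth-Type := ldap
        }
    }
}

authenticate {
    # Reached only because authorize set Auth-Type := ldap.  FreeIPA checks
    # the password and the one-time token during the bind.  As the thread
    # notes, this does not work with EAP methods that never send a cleartext
    # password (e.g. most WiFi setups).
    Auth-Type LDAP {
        ldap
    }
}

post-auth {
    # Privilege level is derived from group membership rather than a
    # per-user line in 'users'.  Huawei-Exec-Privilege comes from the
    # dictionary.huawei shipped with FreeRADIUS.
    if (LDAP-Group == "cn=netadmins,cn=groups,cn=accounts,dc=example,dc=com") {
        update reply {
            Huawei-Exec-Privilege := 3
        }
    }
    elsif (LDAP-Group == "cn=netops,cn=groups,cn=accounts,dc=example,dc=com") {
        update reply {
            Huawei-Exec-Privilege := 1
        }
    }
    else {
        # Authenticated but not in any device-access group: refuse rather
        # than hand out a default privilege level.
        reject
    }
}
```

LDAP-Group checks only work after the ldap module has run in authorize for the same request, which is why the group test lives in post-auth and not in authenticate.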