<div class="gmail_quote">On Sat, Mar 27, 2010 at 3:00 AM, Doug Warner <span dir="ltr"><<a href="mailto:doug@warner.fm">doug@warner.fm</a>></span> wrote:<br><blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">
I'm trying to setup freeradius to authenticate users via LDAP but pull group<br>
information via MySQL. I currently only need radius for authentication to<br>
network devices (switches, PDUs, etc) but want to make sure I set it up so<br>
that I don't shoot myself in the foot later.<br>
<br>
In trying to get the correct attributes assigned to a group I've noticed that<br>
I need to set Fall-Through on each group that a user belongs to in order to<br>
have later groups evaluated. Is there a better way that I can say something<br>
like, "this client should check for access from these groups" so that I only<br>
need to set Fall-Through on certain groups instead of all?<br></blockquote><div><br>Why not just use LDAP all together for your group based auth. This is how I do it and it works well, and doesn't need any schema extensions.<br>
<br><a href="http://lists.freeradius.org/mailman/htdig/freeradius-users/2009-November/msg00001.html">http://lists.freeradius.org/mailman/htdig/freeradius-users/2009-November/msg00001.html</a><br><br>Then all you have to do is modify the hostgroups & postauth_users file when you add new NAS's.<br>
</div></div>