Jason Chan wrote:
Is it possible for FreeRadius to perform grouping after Kerberos authentication accepted?
You can configure things in the post-authentication phase.
My company has many switches and servers and we use kerberos 5 for RADIUS authentication. Once the user is authenticated, RADIUS will check and decide if this user can access the switches or particular servers (i.e. Allow telnet to the switch if the user belongs to the 'switch administrator' group).
Authentication is independent of grouping. Where are the user groups coming from? They're not in Kerberos. See the FAQ for an example of performing some action based on a Unix group. See "man rlm_passwd" for configuring groups that exist only on the RADIUS server. Alan DeKok. -- http://deployingradius.com - The web site of the book http://deployingradius.com/blog/ - The blog