On Fri, 2 Jan 2009, Alok Vimawala wrote:
Hi Mike,
Are you trying to have the radius server send an access-reject when the user is not in the group? Or are you trying to send a list of groups to the VPN device?
I couldn't figure out how to have the client (in this case a cisco ASA5500 VPN) send the group profile id or name along with the request, so I ended up doing it the other way, where the Radius server sends back a list of authorized groups, and my appliance makes the decision on authorization. I don't know if that's the best way or not. -Mike
On Jan 1, 2009, at 3:21 PM, Alan DeKok wrote:
Mike Diggins wrote:
On a related note, should the rlm_dbm_parse program be able to convert the users file (assuming it is the correct syntax) directly? It complains about the ntlm_auth type.
I wouldn't suggest using rlm_dbm. It's not really maintained, and it's not necessary.
As of 2.x, the server puts the "users" file entries into a hash when it loads the file. I've tested 100K users being loaded in a second or two on a reasonable machine. On top of that, 2.x supports HUP better than 1.x.
So... rlm_dbm is almost never necessary any more.
If you have less than 10K entries in the "users" file, I would suggest that rlm_dbm is not for you. If you have more than 10K users, I would suggest using an SQL database.
Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
-Mike