Good Afternoon Ivan; Thank you for your reply. I have looked into passwd, however it appears that this only works for accounts within the local machine. I am authenticating accounts held within a remote Kerberos realm, thus the accounts are not local to the machine. I have loaded the passwd module in the module sections as seen below. Module Section passwd noc_group { filename = /etc/raddb/group format = "~Group-Name:*,User-Name" hashsize = 50 ignorenislike = yes allowmultiplekeys = yes delimiter = ":" } Authorize secitoin #Testing Config to use custom Group File noc_group /etc/group file, one group defined, two testing users. NOC:ez073973,jttester Users file. For first round testing I would like to reject. Once I have this all squared away I will begin more detaile dconfig. DEFAULT Group-Name = "NOC", Auth-Type = Reject Reply-Message = "FAIL", Fall-Through = no DEFAULT Auth-Type = krb5 Fall-Through = 1 DEFAULT Auth-Type = System When an account that is local to the machine tries to authenticate it fails accordingly thus it appears the machine is still using the internal user/group mechanism, not the custom file. (notice how I am not using the default group file, I am using something separate to ensure that things remain... separate). Accounts not local to the machine authenticates and is given an access accept, unfortunatley it should fail them. Thank you -----Original Message----- From: freeradius-users-bounces+lfross=ucdavis.edu@lists.freeradius.org [mailto:freeradius-users-bounces+lfross=ucdavis.edu@lists.freeradius.org] On Behalf Of tnt@kalik.net Sent: Friday, March 27, 2009 2:50 AM To: FreeRadius users mailing list Subject: Re: User Authorization question
I am looking at different ways to authorize users using local resources. I would like to create various Text files (like foundry.acl, juniper.acl etc etc) with a list of kerberos principles contained within (each principle separated by new line). When a user attempts to authenticate from a given IP range the radius engine will authorize the user against the appropriate acl file, if the user is contained within the acl file then they are allowed and certain vendor specific attrs are sent back with the acess accept. Basically I would like to create "groups" to authorize access to different devices accross the network, LDAP is not an option and moving forward with a SQL db seems a bit over kill.
See passwd module. Ivan Kalik Kalik Informatika ISP - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html