On Mon, Jun 22, 2015 at 1:52 PM, Alan DeKok <aland@deployingradius.com> wrote:
RADIUS doesn't do UID, GID, home directory, etc. So it's probably not the correct choice for logging into Linux servers.
I can take care of that with either Spacewalk, or other scripted methods. I was mainly looking for a centralized user "database", focusing on AAA. I've seen comparisons to OpenLDAP and other directory services, but I'm just not needing the level of Identity Management that LDAP-based services provide. My main focus is just (security) authorization.
The default configuration of the server is to authenticate users. Which means all known users are allowed in.
Is there any sort of common "trick" to deny users by default? Or, am I just looking at this wrong....which I'm beginning to think I am. If the user does not need access, but needs to be created in the Freeradius database, then I should probably either 1.) reevaluate the real reason they "need" to be created or 2.) explicitly deny/disable that user, leaving all the other admins alone with default access. I'm leaning towards option 2, so that I can just re-enable the vendor when they need to do work, and then disable (or set some sort of timed based authentication) when they are done.
You have to set up explicit lists of who's allowed to log in where. Put the data into an SQL table, and write a SELECT statement. Then, put that SELECT statement into the FreeRADIUS configuration.
And just to be clear. I should configure all of that with the /etc/raddb/sites-enabled/default file right after the authorize -> sql section. Meaning, I should place all my sql if/else statements in that section. Right? Thank you so much for your help and guidance.