On Fri, Jan 2, 2009 at 3:24 PM, Alex French <alex@evilal.com> wrote:
Hi,
We are using Freeradius 1.1.7 to authenticate a large group of users for one service, with a pgsql backend. I would now like to start using our radius servers to also authenticate other groups of users for specific services, e.g. admin users who can access an apache frontend etc using PAM.
My question is, what's the best way to classify and group the users to ensure that group X can access one service but group Y can access another, etc?
My first thought is to use an attribute like the NAS-Id to identify the service and require certain user groups for each Nas id in the clients file. However, this does not allow any more granularity than the machine making the request -- for example, login, POP and httpd may all be on the same server but have different groups that should be able to access them.
Can anyone point me in the right direction?
Will your NASes be able to send a unique value for each service in some attribute? If yes, you can use customs values for Service-Type for example. Another ugly approach would be append some suffix to user name that can be used in the server as a hint for the service being requested, something like john_login, john_httpd. These are just ideas, I am far from being a RADIUS expert. Regards Luciano