Hello, I am new to Radius and Free Radius, so forgave me if this question has been asked or it is crazy. We are in process of change all our authentication and authorization. At the moment every "service" has it's own user-id/password database. Thus authentication/authorization per service is simple. want to deny access to a given user, disable his/her password or that service. As you can imagine this has a big overhead and users have to remember many user-id/password per. Can we use Radius/LDAP to do this. What I was hope we can do is as follow: everyone will get one user-id/password But for every service we will create a boolean attribute. All services, dialup/wireless/vpn/etc will use one radius server for both Auth(authenticate/authorize). The question is can FreeRadius(or any radius) be configured to as the LDAP for the correct service attribute and give access both base on the user-id/password and what the value of the services? Thank you all for your help.
So just set Auth-Type for the user to Reject. We do this for suspended (non paying users) until they pay up. No changing password this way. Brent _____ From: freeradius-users-bounces@lists.freeradius.org [mailto:freeradius-users-bounces@lists.freeradius.org] On Behalf Of Behzad Barzideh Sent: Wednesday, August 17, 2005 4:47 PM To: freeradius-users@lists.freeradius.org Subject: General Question.. Hello, I am new to Radius and Free Radius, so forgave me if this question has been asked or it is crazy. We are in process of change all our authentication and authorization. At the moment every "service" has it's own user-id/password database. Thus authentication/authorization per service is simple. want to deny access to a given user, disable his/her password or that service. As you can imagine this has a big overhead and users have to remember many user-id/password per. Can we use Radius/LDAP to do this. What I was hope we can do is as follow: everyone will get one user-id/password But for every service we will create a boolean attribute. All services, dialup/wireless/vpn/etc will use one radius server for both Auth(authenticate/authorize). The question is can FreeRadius(or any radius) be configured to as the LDAP for the correct service attribute and give access both base on the user-id/password and what the value of the services? Thank you all for your help.
FreeRadius users mailing list <freeradius-users@lists.freeradius.org> on August 17, 2005 at 15:47 -0800 wrote:
Can we use Radius/LDAP to do this. What I was hope we can do is as follow: everyone will get one user-id/password But for every service we will create a boolean attribute. All services, dialup/wireless/vpn/etc will use one radius server for both Auth(authenticate/authorize). The question is can FreeRadius(or any radius) be configured to as the LDAP for the correct service attribute and give access both base on the user-id/password and what the value of the services?
Sort of. The best bet is to use the LDAP "posixgroup" objectclass -- then you can force certain radius clients to require a specific group membership. Let me know when you get closer to implementation and I can help you with some config files. -kb -- Kris Benson, CCP, I.S.P. Technical Analyst, District Projects School District #57 (Prince George)
participants (3)
-
Behzad Barzideh -
Brent -
Kris Benson