Grouping after Kerberos 5 authentication accepted?
Hello, Is it possible for FreeRadius to perform grouping after Kerberos authentication accepted? My company has many switches and servers and we use kerberos 5 for RADIUS authentication. Once the user is authenticated, RADIUS will check and decide if this user can access the switches or particular servers (i.e. Allow telnet to the switch if the user belongs to the 'switch administrator' group). I've looked in the huntgroup file but it seems to require a lot of works for a very large company (5000+ users), and the problem is we can't touch the Kerberos server. Any help would be appreciated. Thank you Regards, Jason
what is the kerberos server, MIT, Heimdal or M$$ AD? On 4/18/07, Jason Chan <jchan2@utm.utoronto.ca> wrote:
Hello,
Is it possible for FreeRadius to perform grouping after Kerberos authentication accepted?
My company has many switches and servers and we use kerberos 5 for RADIUS authentication. Once the user is authenticated, RADIUS will check and decide if this user can access the switches or particular servers (i.e. Allow telnet to the switch if the user belongs to the 'switch administrator' group).
I've looked in the huntgroup file but it seems to require a lot of works for a very large company (5000+ users), and the problem is we can't touch the Kerberos server.
Any help would be appreciated. Thank you
Regards, Jason
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Jason Chan wrote:
Is it possible for FreeRadius to perform grouping after Kerberos authentication accepted?
You can configure things in the post-authentication phase.
My company has many switches and servers and we use kerberos 5 for RADIUS authentication. Once the user is authenticated, RADIUS will check and decide if this user can access the switches or particular servers (i.e. Allow telnet to the switch if the user belongs to the 'switch administrator' group).
Authentication is independent of grouping. Where are the user groups coming from? They're not in Kerberos. See the FAQ for an example of performing some action based on a Unix group. See "man rlm_passwd" for configuring groups that exist only on the RADIUS server. Alan DeKok. -- http://deployingradius.com - The web site of the book http://deployingradius.com/blog/ - The blog
I have been following your thread and am interrested to find out how do d you get freeradius to do authentication wiht kerberos? any config examples would be helpfull. On 4/18/07, Jason Chan <jchan2@utm.utoronto.ca> wrote:
Hello,
Is it possible for FreeRadius to perform grouping after Kerberos authentication accepted?
My company has many switches and servers and we use kerberos 5 for RADIUS authentication. Once the user is authenticated, RADIUS will check and decide if this user can access the switches or particular servers (i.e. Allow telnet to the switch if the user belongs to the 'switch administrator' group).
I've looked in the huntgroup file but it seems to require a lot of works for a very large company (5000+ users), and the problem is we can't touch the Kerberos server.
Any help would be appreciated. Thank you
Regards, Jason
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
I'm using Redhat Enterprise Linux and here is my steps to setup FreeRadius 1) Make SURE you have installed MIT Kerberos on your linux (krb5 packages) 2) Configure Realm, KDC servers, etc... for your linux (system-config-authentication for redhat) 3) Install FreeRadius 4) Make SURE you have rlm_krb5 modules in /usr/local/lib 5) Open and edit /usr/local/etc/raddb/radiusd.conf: Add the following in modules {...} (around line 580) # Kerbero 5 module krb5 { authtype = Kerberos } And the following in authenticate {...} (around line 1920) Auth-Type Kerberos { krb5 } Add the following in users file DEFAULT Auth-Type := Kerberos It should work. If radiusd complains about Pre-Auth failed then double check your Linux Kerberos setting -----Original Message----- From: Donny Jekels [mailto:djekels@gmail.com] Sent: Thursday, April 19, 2007 3:20 PM To: jchan2@utm.utoronto.ca; FreeRadius users mailing list Subject: Re: Grouping after Kerberos 5 authentication accepted? I have been following your thread and am interrested to find out how do d you get freeradius to do authentication wiht kerberos? any config examples would be helpfull. On 4/18/07, Jason Chan <jchan2@utm.utoronto.ca> wrote: Hello, Is it possible for FreeRadius to perform grouping after Kerberos authentication accepted? My company has many switches and servers and we use kerberos 5 for RADIUS authentication. Once the user is authenticated, RADIUS will check and decide if this user can access the switches or particular servers (i.e. Allow telnet to the switch if the user belongs to the 'switch administrator' group). I've looked in the huntgroup file but it seems to require a lot of works for a very large company (5000+ users), and the problem is we can't touch the Kerberos server. Any help would be appreciated. Thank you Regards, Jason - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
participants (3)
-
Alan DeKok -
Donny Jekels -
Jason Chan