group based authentication

srg krn srgqwerty at gmail.com
Sat Sep 23 12:41:57 CEST 2006


Hello:

We want to design an AAA system with the following requisites:

COMPONENTS THAT WE HAVE:
A) NAS(es)
B) freeradius frontend
C) authenticators

WHAT WE CAN DO IS:
1. The NAS sends a radius "access-request" to the radius frontend.
In the packet there is a username (in username@group syntax) and a password.
2. The frontend MUST decide the authentication method and the
authenticator machine based ONLY on the group (string AFTER the @).
3. The frontend sends user and password (note that NOT user@group) to
the authenticator machine (maybe another radius, ldap, mysql, ...).
4. Then the authenticator machine answers the frontend only with "OK"
or "NOT OK".
5. If "OK" from step(4), then the freeradius answers the NAS with
"access granted" and some attributes extracted from the "group" (ip
pool, netmask, default gw, ... _AND_ THE GROUP THAT IS AFTER THE @).

NOTE THAT:
- The unique function of the authenticators is saying "OK" if the
username and passwd are correct or "NOT OK" if not.
- NO USERS are defined in the radius frontend (only GROUPS with their
respective attributes).

Is there any "intelligent" way of accomplishing this design with freeradius?

Thanks in advance and best regards
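
The frontend decision flow from steps 1-5, modelled in Python as an added example; it is not part of the original post and is not FreeRADIUS code or configuration. The group table, credentials, the in-process stand-in authenticators, the refusal of names without exactly one "@", and returning the group in the Class attribute are all assumptions made for illustration.

```python
import hmac
from typing import Callable, Dict, Optional, Tuple

Authenticator = Callable[[str, str], bool]  # answers only OK / NOT OK

def static_backend(creds: Dict[str, str]) -> Authenticator:
    """Constructed stand-in for a remote RADIUS/LDAP/MySQL authenticator."""
    def check(user: str, password: str) -> bool:
        expected = creds.get(user)
        return expected is not None and hmac.compare_digest(
            expected.encode(), password.encode())
    return check

# The frontend defines groups only, never users (all values constructed).
GROUPS = {
    "sales": {"backend": static_backend({"alice": "s3cret"}),
              "reply": {"Framed-Pool": "sales-pool",
                        "Framed-IP-Netmask": "255.255.255.0"}},
    "lab": {"backend": static_backend({"bob": "hunter2"}),
            "reply": {"Framed-Pool": "lab-pool",
                      "Framed-IP-Netmask": "255.255.255.128"}},
}

def split_user_group(raw: str) -> Optional[Tuple[str, str]]:
    """Step 2: return (user, group), or None if the name is not user@group."""
    if raw.count("@") != 1:          # assumption: ambiguous names are refused
        return None
    user, group = raw.split("@")
    return (user, group) if user and group else None

def handle_access_request(raw_username: str, password: str):
    """Steps 1-5: returns (reply type, reply attributes) for the NAS."""
    parsed = split_user_group(raw_username)
    if parsed is None:
        return ("Access-Reject", {})
    user, group = parsed
    entry = GROUPS.get(group)
    if entry is None:                # unknown group: fail closed
        return ("Access-Reject", {})
    try:
        ok = entry["backend"](user, password)   # step 3: bare user, no @group
    except Exception:                # a backend error is treated as NOT OK
        ok = False
    if not ok:
        return ("Access-Reject", {})
    reply = dict(entry["reply"])     # step 5: attributes come from the group
    reply["Class"] = group           # assumption: group returned in Class
    return ("Access-Accept", reply)
```
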
