group based authentication

Peter Nixon listuser at peternixon.net
Sat Sep 23 13:14:55 CEST 2006


On Sat 23 Sep 2006 13:41, srg krn wrote:
> Hello:
>
> We want to design an AAA system with the following requisites:
>
> COMPONENTS THAT WE HAVE:
> A) NAS(es)
> B) freeradius frontend
> C) authenticators
>
> WHAT WE CAN DO IS:
> 1. The NAS sends a radius "access-request" to the radius frontend.
> In the packet there is a username (in username@group) syntax and a
> password.
> 2. The frontend MUST decide the authentication method and the
> authenticator machine based ONLY on the group (string AFTER the @).
> 3. The frontend sends user and password (note that NOT user@group) to
> the authenticator machine (maybe another radius, ldap, mysql, ...).
> 4. Then the authenticator machine answers the frontend only with "OK"
> or "NOT OK".
> 5. If "OK" from step (4), then the freeradius answers the NAS with
> "access granted" and some attributes extracted from the "group" (ip
> pool, netmask, default gw, ... _AND_ THE GROUP THAT IS AFTER THE @).
>
> NOTE THAT:
> - The unique function of the authenticators is saying "OK" if the
> username and passwd are correct or "NOT OK" if not.
> - NO USERS are defined in the radius frontend (only GROUPS with their
> respective attributes).
>
> Is there any "intelligent" way of accomplishing this design with freeradius?

Yes.
Did you read the documentation?

Start at:
http://wiki.freeradius.org/Proxy

-- 

Peter Nixon
http://www.peternixon.net/
PGP Key: http://www.peternixon.net/public.asc
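
The five-step flow from the question, modelled as an added example that is not part of either message and is not FreeRADIUS code or configuration. It shows the routing decision made only on the group, the stripped user name going to the authenticator, and rejection of requests with a missing or unknown group. The `Group` reply key, the function names, the in-memory authenticator and the sample group are assumptions made for illustration.

```python
import hmac
from typing import Callable, Dict, NamedTuple, Optional, Tuple

class Group(NamedTuple):
    authenticator: Callable[[str, str], bool]  # (user, password) -> OK / NOT OK
    reply: Dict[str, str]                      # attributes returned for this group

def split_user(user_name: str) -> Optional[Tuple[str, str]]:
    """Split 'user@group' on the last '@'; None if either part is empty."""
    user, sep, group = user_name.rpartition("@")
    if not sep or not user or not group:
        return None
    return user, group.lower()

def handle_access_request(user_name: str, password: str,
                          groups: Dict[str, Group]) -> Dict[str, str]:
    parsed = split_user(user_name)
    if parsed is None:
        return {"code": "Access-Reject"}       # no group, nothing to route on
    user, group_name = parsed
    group = groups.get(group_name)
    if group is None:
        return {"code": "Access-Reject"}       # unknown group: fail closed
    # Step 3: the authenticator sees the bare user name, never user@group.
    if not group.authenticator(user, password):
        return {"code": "Access-Reject"}
    # Step 5: group attributes plus the group itself go back to the NAS.
    # "Group" is a hypothetical key name, not a RADIUS attribute.
    return {"code": "Access-Accept", "Group": group_name, **group.reply}

def make_backend(db: Dict[str, str]) -> Callable[[str, str], bool]:
    """Constructed stand-in for a remote authenticator; records names it saw."""
    def check(user: str, password: str) -> bool:
        check.seen.append(user)
        return user in db and hmac.compare_digest(db[user].encode(), password.encode())
    check.seen = []
    return check

# Constructed sample data: group names are stored as lower-case keys.
corp_backend = make_backend({"alice": "s3cret"})
GROUPS = {
    "corp": Group(corp_backend, {"Framed-Pool": "corp-pool",
                                 "Framed-IP-Netmask": "255.255.255.0"}),
}

if __name__ == "__main__":
    print(handle_access_request("alice@corp", "s3cret", GROUPS))
    print(handle_access_request("alice@unknown", "s3cret", GROUPS))
```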