Grouping after Kerberos 5 authentication accepted?
Alan DeKok
aland at deployingradius.com
Thu Apr 19 10:19:43 CEST 2007

Jason Chan wrote:
> Is it possible for FreeRADIUS to perform grouping after Kerberos
> authentication accepted?

You can configure things in the post-authentication phase.

> My company has many switches and servers and we use Kerberos 5 for
> RADIUS authentication. Once the user is authenticated, RADIUS will check
> and decide if this user can access the switches or particular servers
> (i.e. Allow telnet to the switch if the user belongs to the 'switch
> administrator' group).

Authentication is independent of grouping.

Where are the user groups coming from? They're not in Kerberos.

See the FAQ for an example of performing some action based on a Unix
group. See "man rlm_passwd" for configuring groups that exist only on
the RADIUS server.

Alan DeKok.
--
http://deployingradius.com - The web site of the book
http://deployingradius.com/blog/ - The blog