Grouping after Kerberos 5 authentication accepted?

Alan DeKok aland at deployingradius.com
Thu Apr 19 10:19:43 CEST 2007


Jason Chan wrote:
> Is it possible for FreeRADIUS to perform grouping after Kerberos
> authentication is accepted?

  You can configure things in the post-authentication phase.

> My company has many switches and servers and we use Kerberos 5 for
> RADIUS authentication. Once the user is authenticated, RADIUS will check
> and decide if this user can access the switches or particular servers
> (i.e. allow telnet to the switch if the user belongs to the 'switch
> administrator' group).

  Authentication is independent of grouping.

  Where are the user groups coming from?  They're not in Kerberos.

  See the FAQ for an example of performing some action based on a Unix
group.  See "man rlm_passwd" for configuring groups that exist only on
the RADIUS server.

  Alan DeKok.
--
  http://deployingradius.com       - The web site of the book
  http://deployingradius.com/blog/ - The blog



More information about the Freeradius-Users mailing list