Grouping after Kerberos 5 authentication accepted?

Jason Chan jchan2 at
Thu Apr 19 20:55:21 CEST 2007

Thank you Alan. I read the documentations and now I'm able to use
Kerberos and MySQL along with FreeRadius. Thank you for your help.

However, I'm stuck in the last part of the project which is to reply the
accept request along with assigned attributes. 

For example, Kerberos successfully authenticate admin/admin (yes I don't
use MySQL for authentication), and FreeRadius knows this user has
permission to access. Now, in the postauth part, FreeRadius searches the
radreply table in its MySQL database for the proper attributes that this
particular user has, say Service-Type = Administrative-User. I store
these attribute information in radreply table and leave other tables

So, I edited the postauth_query in sql.conf:

	postauth_query = "SELECT id, UserName, Attribute, Value, op \
          FROM ${authreply_table} \
          WHERE Username = '%{SQL-User-Name}' \
          ORDER BY id"

I can't get the 'Service-Type = Administrative-User' in the accept-reply
package. Am I missing something here?

Any help would be appreciated.


-----Original Message-----
From: Alan DeKok [mailto:aland at] 
Sent: Thursday, April 19, 2007 10:27 AM
To: jchan2 at
Subject: Re: Grouping after Kerberos 5 authentication accepted?

Jason Chan wrote:
> You are correct, the grouping isn't come from Kerberos. I'm going to
> build a mysql database in the FreeRadius server to handle all the 
> grouping/permissions. What fields do I need for the database? I 
> searched on the FreeRadius website and I can't find any information 
> related to SQL

  See the "doc" directory.  There are schemas and examples.

  Alan DeKok.
--       - The web site of the book - The blog

No virus found in this incoming message.
Checked by AVG Free Edition.
Version: 7.5.446 / Virus Database: 269.5.4/768 - Release Date: 4/19/2007
5:32 AM

More information about the Freeradius-Users mailing list