Group Authorization Question
Mike Diggins
mike.diggins at McMaster.CA
Thu Jan 1 18:12:55 CET 2009
On Wed, 31 Dec 2008, tnt at kalik.net wrote:
> Post the debug of the request. Is that profile appearing in some request
> attribute?
I made a little progress since my last email. I discovered how to return a
group name in the Reply-Message attribute, and then parse that on my
appliance. I'm wondering though, if I have users with multiple group
membership, should I create a string of group names such as
"group1,group2, group3" for each user, and return that as the
Reply-Message? Is that a sensible way to do it, or is there a better way?
-Mike
> On 31/12/2008, "Mike Diggins" <mike.diggins at mcmaster.ca> wrote:
>
>>
>> I have authentication working from my cisco ASA550 VPN appliance to a
>> FreeRadius 2.1.1 server, using NTLM_AUTH for backend authentication. That
>> all works. Now I need to add authorization into the mix.
>>
>> 1. On the Radius server, I want to add a group X with a list of
>> authorized usernames.
>> 2. On the VPN side, the user selects a profile, and logs in, but I
>> only want members of group X to be able to connect to that
>> profile, even if the authentication is correct.
>>
>> I have no idea how to make the connection between the group profile I
>> select on the VPN side, with the group X on the radius side. I'm not even
>> sure how (or where) to create such a group with freeRadius. Can anyone
>> point me in the right direction?
>>
>> -Mike