Strategy for grouping users for authentication

Alex French alex at
Fri Jan 2 18:24:01 CET 2009


We are using FreeRADIUS 1.1.7 to authenticate a large group of users
for one service, with a pgsql backend. I would now like to start using
our RADIUS servers to also authenticate other groups of users for
specific services, e.g. admin users who can access an Apache frontend
etc. using PAM.

My question is, what's the best way to classify and group the users to
ensure that group X can access one service but group Y can access
another, etc?

My first thought is to use an attribute like the NAS-Id to identify
the service and require certain user groups for each NAS-Id in the
clients file. However, this does not allow any more granularity than
the machine making the request -- for example, login, POP and httpd
may all be on the same server but have different groups that should be
able to access them.

Can anyone point me in the right direction?



