Strategy for grouping users for authentication

Luciano Afranllie listas.luafran at gmail.com
Fri Jan 2 20:04:55 CET 2009


On Fri, Jan 2, 2009 at 3:24 PM, Alex French <alex at evilal.com> wrote:
> Hi,
>
> We are using Freeradius 1.1.7 to authenticate a large group of users
> for one service, with a pgsql backend. I would now like to start using
> our radius servers to also authenticate other groups of users for
> specific services, e.g. admin users who can access an apache frontend
> etc using PAM.
>
> My question is, what's the best way to classify and group the users to
> ensure that group X can access one service but group Y can access
> another, etc?
>
> My first thought is to use an attribute like the NAS-Id to identify
> the service and require certain user groups for each Nas id in the
> clients file. However, this does not allow any more granularity than
> the machine making the request -- for example, login, POP and httpd
> may all be on the same server but have different groups that should be
> able to access them.
>
> Can anyone point me in the right direction?
>

Will your NASes be able to send a unique value for each service in
some attribute?
If yes, you can use custom values for Service-Type, for example.

Another ugly approach would be to append some suffix to the user name that
can be used in the server as a hint for the service being requested,
something like john_login, john_httpd.

These are just ideas, I am far from being a RADIUS expert.

Regards
Luciano
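
Added example, not part of the original thread and not FreeRADIUS code: a small Python model of the per-service group check discussed above, covering both the Service-Type idea and the user-name suffix fallback. The service labels, group names, host names and the NAS_SERVICES table are assumptions made for the illustration; Service-Type is modelled as a string label standing in for a custom value, and password verification is left out.

```python
# Added illustration; all names and values below are constructed.

# Which groups may use which service (anything not listed is denied).
SERVICE_GROUPS = {
    "login": {"shell-users", "admins"},
    "pop": {"mail-users"},
    "httpd": {"admins"},
}

# Services each client may ask about, keyed by NAS-Identifier (assumed table).
NAS_SERVICES = {
    "host1.example.org": {"login", "pop", "httpd"},
    "mail.example.org": {"pop"},
}

# Group membership, as it would be read from the SQL backend.
USER_GROUPS = {
    "john": {"mail-users"},
    "alice": {"admins", "mail-users"},
}


def split_service(request):
    """Return (user, service); prefer Service-Type, else a user_service suffix."""
    name = request["User-Name"]
    service = request.get("Service-Type")
    if service is None and "_" in name:
        name, service = name.rsplit("_", 1)
    return name, service


def authorize(request):
    """Accept only if this NAS may ask for the service and the user's group allows it."""
    user, service = split_service(request)
    nas = request.get("NAS-Identifier")
    if service not in NAS_SERVICES.get(nas, set()):
        return "Access-Reject"  # unknown service, or not this client's to request
    allowed = SERVICE_GROUPS.get(service, set())
    if USER_GROUPS.get(user, set()) & allowed:
        return "Access-Accept"
    return "Access-Reject"
```

Checking the requested service against what the sending client is allowed to ask for keeps the hint from being trusted on its own, which matters most for the suffix variant, where the value travels inside the user name.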
