Group Authorization Question
Mike Diggins
mike.diggins at mcmaster.ca
Fri Jan 2 22:20:51 CET 2009
On Fri, 2 Jan 2009, Alok Vimawala wrote:
>
> Hi Mike,
>
> Are you trying to have the radius server send an access-reject when the user
> is not in the group?
> Or are you trying to send a list of groups to the VPN device?
I couldn't figure out how to have the client (in this case a cisco ASA5500
VPN) send the group profile id or name along with the request, so I ended
up doing it the other way, where the Radius server sends back a list of
authorized groups, and my appliance makes the decision on authorization. I
don't know if that's the best way or not.
-Mike
>
> On Jan 1, 2009, at 3:21 PM, Alan DeKok wrote:
>
>> Mike Diggins wrote:
>>> On a related note, should the rlm_dbm_parse program be able to convert
>>> the users file (assuming it is the correct syntax) directly? It
>>> complains about the ntlm_auth type.
>>
>> I wouldn't suggest using rlm_dbm. It's not really maintained, and
>> it's not necessary.
>>
>> As of 2.x, the server puts the "users" file entries into a hash when
>> it loads the file. I've tested 100K users being loaded in a second or
>> two on a reasonable machine. On top of that, 2.x supports HUP better
>> than 1.x.
>>
>> So... rlm_dbm is almost never necessary any more.
>>
>> If you have less than 10K entries in the "users" file, I would suggest
>> that rlm_dbm is not for you. If you have more than 10K users, I would
>> suggest using an SQL database.
>>
>> Alan DeKok.
>> -
>> List info/subscribe/unsubscribe? See
>> http://www.freeradius.org/list/users.html
>>
>>
>
-Mike
More information about the Freeradius-Users
mailing list