Strategy for grouping users for authentication
Alan DeKok
aland at deployingradius.com
Sat Jan 3 20:37:36 CET 2009
Alex French wrote:
> We are using Freeradius 1.1.7 to authenticate a large group of users

Ugh. We really suggest upgrading.

> for one service, with a pgsql backend. I would now like to start using
> our radius servers to also authenticate other groups of users for
> specific services, e.g. admin users who can access an apache frontend
> etc using PAM.
>
> My question is, what's the best way to classify and group the users to
> ensure that group X can access one service but group Y can access
> another, etc?

Groups. 2.x has example configurations that create groups local to
the RADIUS server.

> My first thought is to use an attribute like the NAS-Id to identify
> the service and require certain user groups for each Nas id in the
> clients file. However, this does not allow any more granularity than
> the machine making the request -- for example, login, POP and httpd
> may all be on the same server but have different groups that should be
> able to access them.

Is there anything in the RADIUS request that allows you to distinguish
the different services? If not, having any level of granularity is
impossible.

Alan DeKok.
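
The point made in the reply above, modelled as an added example that is not part of the original message and is not FreeRADIUS configuration: per-service group checks only work when the request carries something that identifies the service, and a request without it has to be rejected rather than guessed at. It assumes each service on the host sends its own NAS-Identifier value; the address, service names, users and groups are constructed.

```python
# Constructed policy: (client address, NAS-Identifier) -> group the user must be in.
# Assumption: login, POP and httpd on the same host each send a distinct NAS-Identifier.
SERVICE_GROUPS = {
    ("192.0.2.10", "login"): "shell-users",
    ("192.0.2.10", "pop"): "mail-users",
    ("192.0.2.10", "httpd"): "admins",
}

# Constructed membership, standing in for groups defined locally on the RADIUS server.
USER_GROUPS = {
    "alice": {"admins", "shell-users"},
    "bob": {"mail-users"},
}


def authorize(client_ip, attrs):
    """Decide group-based access for a request whose password already checked out.

    Returns (decision, detail). Fails closed whenever the service cannot be
    identified, because the client address alone cannot separate services
    that share one machine.
    """
    nas_id = attrs.get("NAS-Identifier")
    if not nas_id:
        return ("reject", "request does not identify the service")
    required = SERVICE_GROUPS.get((client_ip, nas_id))
    if required is None:
        return ("reject", "no policy for this client/service pair")
    if required not in USER_GROUPS.get(attrs.get("User-Name"), set()):
        return ("reject", "user is not in group " + required)
    return ("accept", required)


if __name__ == "__main__":
    # Constructed requests, all from the same host.
    samples = [
        {"User-Name": "alice", "NAS-Identifier": "httpd"},
        {"User-Name": "bob", "NAS-Identifier": "httpd"},
        {"User-Name": "bob", "NAS-Identifier": "pop"},
        {"User-Name": "bob"},  # nothing to tell the services apart
    ]
    for attrs in samples:
        print(attrs, "->", authorize("192.0.2.10", attrs))
```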