User Authorization question

Larry Ross lfross at ucdavis.edu
Mon Mar 30 18:53:09 CEST 2009


Good Afternoon Ivan;
Thank you for your reply.  I have looked into passwd; however, it appears that this only works for accounts within the local machine.  I am authenticating accounts held within a remote Kerberos realm, thus the accounts are not local to the machine.  I have loaded the passwd module in the module section as seen below.

Module section

	passwd noc_group {
		filename = /etc/raddb/group
		format = "~Group-Name:*,User-Name"
		hashsize = 50
		ignorenislike = yes
		allowmultiplekeys = yes
		delimiter = ":"
	}

Authorize section

	#Testing Config to use custom Group File
	noc_group

/etc/group file, one group defined, two testing users.
NOC:ez073973,jttester


Users file.  For first-round testing I would like to reject.  Once I have this all squared away I will begin a more detailed config.

	DEFAULT	Group-Name = "NOC", Auth-Type = Reject
		Reply-Message = "FAIL",
		Fall-Through = no

	DEFAULT	Auth-Type = krb5
		Fall-Through = 1

	DEFAULT	Auth-Type = System

When an account that is local to the machine tries to authenticate it fails accordingly, thus it appears the machine is still using the internal user/group mechanism, not the custom file.  (Notice how I am not using the default group file; I am using something separate to ensure that things remain... separate.)  Accounts not local to the machine authenticate and are given an Access-Accept; unfortunately it should fail them.

Thank you



-----Original Message-----
From: freeradius-users-bounces+lfross=ucdavis.edu at lists.freeradius.org [mailto:freeradius-users-bounces+lfross=ucdavis.edu at lists.freeradius.org] On Behalf Of tnt at kalik.net
Sent: Friday, March 27, 2009 2:50 AM
To: FreeRadius users mailing list
Subject: Re: User Authorization question

>I am looking at different ways to authorize users using local resources.  I would like to create various text files (like foundry.acl, juniper.acl etc. etc.) with a list of Kerberos principals contained within (each principal separated by a new line).
>When a user attempts to authenticate from a given IP range the RADIUS engine will authorize the user against the appropriate ACL file; if the user is contained within the ACL file then they are allowed and certain vendor-specific attributes are sent back with the Access-Accept.
>Basically I would like to create "groups" to authorize access to different devices across the network.  LDAP is not an option and moving forward with a SQL DB seems a bit overkill.
>

See passwd module.

Ivan Kalik
Kalik Informatika ISP

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
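Added example by the editor; it is not code from the thread or from the FreeRADIUS project.  It shows a passwd instance and an authorize section that act on the group lookup Larry describes above, and it assumes FreeRADIUS 2.x option names (the ones used in the post), a module instance named noc_group, and a constructed group file /etc/raddb/group containing the single line from the post.  It relies on rlm_passwd's format prefixes: "*," marks a key field holding a comma-separated list, "=" marks a check item that is placed in the control list, and "~" marks a field that is added to no list at all; the post's "~Group-Name" therefore discards the group name before anything can test it.

```conf
# Editor's added example, not from the thread or from FreeRADIUS.
# Assumes FreeRADIUS 2.x option names, an instance called noc_group, and a
# constructed group file /etc/raddb/group with the post's single line:
#
#     NOC:ez073973,jttester
#
# rlm_passwd format prefixes:
#   "*"   key field              "*,"  key field holding a comma-separated list
#   "="   check item (control)   "~"   field is added to no list at all
# An unprefixed field becomes a reply item.

# --- modules section (e.g. raddb/modules/noc_group) ---
passwd noc_group {
	filename = /etc/raddb/group
	#  The post used "~Group-Name", which throws the group name away.
	#  "=" keeps it as a control-list item so later checks can see it.
	format = "=Group-Name:*,User-Name"
	hashsize = 50
	ignorenislike = yes
	allowmultiplekeys = yes
	delimiter = ":"
}

# --- authorize section (sites-enabled/default or radiusd.conf) ---
authorize {
	preprocess
	#  Look the User-Name up in /etc/raddb/group first; on a hit the
	#  module sets control:Group-Name to the matching group.
	noc_group
	#  First-round test from the post: reject NOC members outright.
	#  The test reads the control list directly instead of relying on a
	#  Group-Name check item in the users file.
	if (control:Group-Name == "NOC") {
		update control {
			Auth-Type := Reject
		}
		update reply {
			Reply-Message := "FAIL"
		}
	}
	files
}

# --- users file: everyone who was not rejected above goes to Kerberos ---
DEFAULT	Auth-Type := krb5

# Check it with the server in debug mode (radiusd -X) and one of the two
# constructed test users; the debug output shows whether noc_group found a
# key and what it placed in the control list:
#
#     radtest ez073973 somepassword 127.0.0.1 0 testing123
```

The debug run is the quickest way to tell a hit in the custom group file apart from a lookup in the system group database, because noc_group prints what it found before the unlang condition is evaluated.  One possible reason for the local/non-local difference reported above, offered here as an assumption rather than something the thread confirms, is that rlm_unix registers its own comparison for Group-Name against the system group database, so a Group-Name check item in the users file can be answered from the machine's own groups rather than from the passwd lookup; the unlang test above does not go through that comparison.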
