Using Groups to Limit Authentication to Network Devices
Doug Warner
doug at warner.fm
Sat Mar 27 12:56:09 CET 2010
On 03/27/2010 01:46 AM, Peter Lambrechtsen wrote:
> On Sat, Mar 27, 2010 at 3:00 AM, Doug Warner <doug at warner.fm> wrote:
>
> I'm trying to set up freeradius to authenticate users via LDAP but pull group
> information via MySQL. I currently only need radius for authentication to
> network devices (switches, PDUs, etc) but want to make sure I set it up so
> that I don't shoot myself in the foot later.
>
> In trying to get the correct attributes assigned to a group I've noticed that
> I need to set Fall-Through on each group that a user belongs to in order to
> have later groups evaluated. Is there a better way that I can say something
> like, "this client should check for access from these groups" so that I only
> need to set Fall-Through on certain groups instead of all?
>
> Why not just use LDAP all together for your group based auth. This is
> how I do it and it works well, and doesn't need any schema extensions.
>
> http://lists.freeradius.org/mailman/htdig/freeradius-users/2009-November/msg00001.html
>
> Then all you have to do is modify the hostgroups & postauth_users file
> when you add new NAS's.
I don't have control over the LDAP server at all so I can't change what groups
people are in.
I think I've managed to get things working by setting up a huntgroup with the
SQL-Group set to check that the user is in a specific group. I then have the
users file set up to assign the appropriate attributes to the huntgroup.
-Doug
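The huntgroup-plus-users-file arrangement Doug describes, written out as an added example; this is not configuration from the original thread. The huntgroup names, the NAS addresses (RFC 5737 documentation range), the SQL group name and the reply attributes are placeholders chosen here. It assumes FreeRADIUS 2.x with rlm_preprocess (which loads the huntgroups file and registers the Huntgroup-Name check) and rlm_sql (which registers the SQL-Group check item) both listed in the authorize section ahead of files, with authentication itself handled by ldap as Doug has it.

```text
# raddb/huntgroups (added example, placeholder values)
#
# Every check item on a line must match for the request to belong to the
# huntgroup. "switches" is any of the managed devices; "switch-admins" is
# the same devices but only when the user is in the MySQL group "netadmins"
# (the SQL-Group check runs the group query from rlm_sql).
switches        NAS-IP-Address == 192.0.2.10
switches        NAS-IP-Address == 192.0.2.11
switch-admins   NAS-IP-Address == 192.0.2.10, SQL-Group == "netadmins"
switch-admins   NAS-IP-Address == 192.0.2.11, SQL-Group == "netadmins"

# raddb/users (added example, placeholder values)
#
# Reply attributes hang off the huntgroup, so Fall-Through only has to be
# thought about here, not on every SQL group a user happens to be in.
DEFAULT Huntgroup-Name == "switch-admins"
        Service-Type = Administrative-User,
        Fall-Through = No

# Anyone else logging in to one of the devices is rejected explicitly,
# rather than falling through to a less specific entry and getting an
# Access-Accept with no device privileges attached.
DEFAULT Huntgroup-Name == "switches", Auth-Type := Reject
        Reply-Message = "Not authorised for network device login"
```

Two things to check when adapting this: NAS-IP-Address is whatever the device puts in the packet, which on some switches is a management address rather than the one the packet actually came from, so match on Packet-Src-IP-Address instead if the two differ; and the order of the DEFAULT entries matters, since the first one stops evaluation with Fall-Through = No and the reject entry is only reached when the huntgroup did not match. Running `radiusd -X` shows each check item being evaluated and which entry finally answered the request.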