Hi all,

It's me again with the same question :-). I want to know whether FreeRADIUS can authorize users based on a group or OU attribute. When I posted this question earlier, I was told that it is not possible. I am using the radiusprofileDn attribute to authorize users. However, this approach has its drawbacks.
1. Since authorization is based on a user attribute, all users have to have the radiusprofile object class, which increases overhead in direct proportion to the number of users.
2. It is not possible to grant or deny a particular service to a group of users to reflect changing requirements. The changes have to be made for every user, giving scope for errors and security holes.
3. It is not possible to know exactly how many users can access a particular service. Like, if it was based on group or OU membership, a look at the dial-up group/OU will tell me just how many people can dial into the network. I can also find out who can dialup by looking at the group membership. But in the current implementation, I have to check the attributes of each user to collect the necessary info.

Has anybody done an implementation with authorisation based on group membership? If so, please help.

Regards,
Michael Fuller
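The audit difference raised in points 2 and 3, as an added example that is not part of the original post: a Python script over a constructed LDIF export that lists dial-up users under the per-user radiusprofileDn model and under a group-membership model, then reports users granted by only one of them. All DNs, the groupOfNames entry and the function names are assumptions made for the illustration.

```python
# Constructed sample data: DNs, users and the dialup group are assumptions.
SAMPLE_LDIF = """\
dn: uid=alice,ou=people,dc=example,dc=com
objectClass: radiusprofile
radiusprofileDn: cn=dialup,ou=profiles,dc=example,dc=com

dn: uid=bob,ou=people,dc=example,dc=com
objectClass: radiusprofile
radiusprofileDn: cn=dialup,ou=profiles,
 dc=example,dc=com

dn: uid=carol,ou=people,dc=example,dc=com

dn: cn=dialup,ou=groups,dc=example,dc=com
objectClass: groupOfNames
member: uid=alice,ou=people,dc=example,dc=com
member: uid=carol,ou=people,dc=example,dc=com
"""

def norm(dn):  # simplified DN compare: case-fold, trim around commas (no escapes)
    return ",".join(p.strip() for p in dn.lower().split(","))

def parse_ldif(text):
    """Parse plain LDIF (no comments or base64 values) into {dn: {attr: [values]}}."""
    entries = {}
    for block in text.strip().split("\n\n"):
        attrs, prev = {}, None
        for raw in block.splitlines():
            if raw.startswith(" ") and prev:  # folded continuation line
                prev[-1] += raw[1:]
                continue
            name, _, value = raw.partition(":")
            prev = attrs.setdefault(name.strip().lower(), [])
            prev.append(value.strip())
        if "dn" in attrs:
            entries[norm(attrs.pop("dn")[0])] = attrs
    return entries

def users_by_attribute(entries, profile_dn):  # per-user model: scans every entry
    return {dn for dn, a in entries.items()
            if norm(profile_dn) in map(norm, a.get("radiusprofiledn", []))}

def users_by_group(entries, group_dn):  # group model: reads one entry
    return {norm(m) for m in entries.get(norm(group_dn), {}).get("member", [])}

def drift(entries, profile_dn, group_dn):
    """Users granted by only one model: (attribute only, group only)."""
    a, g = users_by_attribute(entries, profile_dn), users_by_group(entries, group_dn)
    return sorted(a - g), sorted(g - a)
```

With the sample data, the per-user scan has to touch all four entries to find alice and bob, while the group lookup reads a single entry; `drift` flags bob and carol as the accounts where the two views disagree.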
