I also see a need to pass VSAs in the Access-Accept to something like a web server.
Is there a way to define internal variables "USER_GROUP" for a VSA like the $USER_NAME variable? I could then pass it to a shell script to use for group authentication.

Thanks,
Ron.

-----Original Message-----
From: Josh Howlett [mailto:[EMAIL PROTECTED]
Sent: Tuesday, March 25, 2003 12:55 AM
To: [EMAIL PROTECTED]
Subject: Re: Can RADIUS attributes pass through to Apache?

On Mon, 2003-03-24 at 17:06, Alan DeKok wrote:
> "Mark Lavi" <[EMAIL PROTECTED]> wrote:
> > However, it is common to have different "groups" in an authenticated
> > population. Say, for instance, a department of an organization. Once you
> > know that attribute (if it exists) for a person, you can say restrict
> > access to different resources on the web server.
>
> I agree. At the time the module was written, there were no RADIUS
> standards for defining groups. The other module you pointed to
> implements groups by re-defining existing RADIUS attributes, which is
> *very* bad.

I am quite interested in this concept of passing WWW-flavoured attributes to a WWW application via RADIUS. Alan has already pointed out the need to prevent (i) re-defining existing attributes and (ii) not implementing site-specific attributes.

Might I suggest a general mechanism for implementing this, whereby arbitrary and application-specific variable/value pairs are passed to the WWW application within a 'generic' wrapper A/V? The auth server concatenates the variables within a single wrapper A/V in the Access-Accept, which mod_auth_radius unwraps and passes the contained variables to Apache.

This approach only requires defining a single new A/V. The contents of the A/V would be site-specific (user-group, favourite colour, etc).

regards, josh.

--
-----------------------------------------------------------
Josh Howlett, Networking & Digital Communications,
Information Systems & Computing,
University of Bristol, U.K.
'phone: 0117 928 7850 email: [EMAIL PROTECTED]
------------------------------------------------------------

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
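The wrapper A/V mechanism proposed in the quoted message, sketched as an added example that is not part of the original thread and is not mod_auth_radius code. The thread defines no wire format, so the percent-encoded `name=value;name=value` layout, the `RADIUS_` environment prefix and the function names `wrap`/`unwrap` are all assumptions; the point shown is the validation the unwrapping side needs before handing server-supplied values to a web application or shell script.

```python
import re
from urllib.parse import quote, unquote

MAX_VALUE_LEN = 253      # largest value one RADIUS attribute can carry (RFC 2865)
ENV_PREFIX = "RADIUS_"   # assumed prefix: unwrapped names can never be PATH etc.
NAME_RE = re.compile(r"[A-Za-z][A-Za-z0-9_]{0,31}")  # assumed name syntax

def wrap(pairs):
    """Auth-server side: pack {name: value} into one wrapper attribute value."""
    parts = []
    for name, value in pairs.items():
        if not NAME_RE.fullmatch(name):
            raise ValueError(f"bad variable name: {name!r}")
        # Percent-encode everything reserved, including ';' and '='.
        parts.append(f"{name}={quote(value, safe='')}")
    blob = ";".join(parts).encode("ascii")
    if len(blob) > MAX_VALUE_LEN:
        raise ValueError("wrapper does not fit in one RADIUS attribute")
    return blob

def unwrap(blob):
    """Web-server side: return environment variables, raising on anything odd."""
    if len(blob) > MAX_VALUE_LEN:
        raise ValueError("oversized wrapper attribute")
    env = {}
    for part in blob.decode("ascii").split(";"):
        name, sep, raw = part.partition("=")
        if not sep or not NAME_RE.fullmatch(name):
            raise ValueError(f"malformed pair: {part!r}")
        value = unquote(raw, errors="strict")
        # CR/LF or NUL here could split headers, log lines or shell arguments.
        if any(ord(c) < 0x20 or ord(c) == 0x7F for c in value):
            raise ValueError(f"control character in {name}")
        key = ENV_PREFIX + name.upper()
        if key in env:
            raise ValueError(f"duplicate variable: {name}")
        env[key] = value
    return env

if __name__ == "__main__":
    # Constructed sample values, not taken from the thread.
    blob = wrap({"user_group": "staff", "dept": "IS&C; Bristol"})
    print(blob)          # the single wrapper A/V sent in the Access-Accept
    print(unwrap(blob))  # what the web application would see
```
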
