I am currently using freeradius to authenticate users to the routers on our network. Depending on the user's role, he/she will be authorized at different privilege levels within the router. These privilege levels are assigned by attribute-pair values in freeradius (i.e. cisco-avpair = "shell:priv-lvl=3"). For administrative users and script users I am using system authentication. For lower-level users, I would like to authenticate them via Active Directory, while still authorizing them via freeradius.
I initially set this up using realms and proxying the request to an IAS server on our AD domain controller, but I was not able to find any way to assign attribute values to users within the realm. The only other way I can think of to authenticate users off of AD while authorizing them via freeradius is to use PAM authentication with the pam_radius_auth module. I am fairly new to freeradius, so if anybody has any ideas or knows of another way to authenticate my users via AD, I would be most grateful.

Currently, when I try to authenticate a user using the PAM RADIUS module, it hangs my freeradius server at:

    pam_pass: using pamauth string <radiusd> for pam.conf lookup

After this it will not authenticate any other users, no matter what type of authentication they are using. Also, the PAM module never even attempts to contact my AD server.

Ken Mix

> -----Original Message-----
> From: Alan DeKok [mailto:[EMAIL PROTECTED]
> Sent: Tuesday, September 23, 2003 8:52 AM
> To: [EMAIL PROTECTED]
> Subject: Re: RADIUS PAM Module with RH9.
>
> "Kenneth Mix" <[EMAIL PROTECTED]> wrote:
> > I am using the freeradius server to authenticate users into our routers
> > for management purposes. When the users are authenticated, freeradius
> > authorized them at a certain privilege level.
>
>   So why do you need PAM?
>
>   Are you going to describe what you're doing and why, or are you
> going to parcel out dribs & drabs of information, so that no one can
> possibly help you?
>
>   Alan DeKok.
>
> -
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html
