On Wed, 2004-05-05 at 07:22, Alan DeKok wrote:
> John Duino <[EMAIL PROTECTED]> wrote:
> > Users authenticate fine, but I am not getting any group information back
> > to the Aventail. tcpdump confirms no info being passed. The group info
> > is primarily in NIS, but I have even tried putting some in the local
> > /etc/group for testing without success.
>
> There are no standard RADIUS attributes to send group information in
> a RADIUS packet.

I do not know if it is "standard" (e.g., RFC defined) but it is possible.
See discussion below.

> As of recently in the CVS snapshots, there is a "dictionary.unix"
> file, with Unix group related attributes. However... if the NAS
> documentation doesn't say it understands those attributes, then it
> won't use them.

The NAS understands the "Attribute value pairs" information, in this
case either Class(25) or FilterId(11) labeling, with the returned value
being the group name(s). See discussion below.

> > I'm using Unix authentication (system uses NIS) and I'm attempting
> > to access this from an Aventail EX1500.
>
> Uh, no. The Aventail is authenticating via RADIUS. FreeRADIUS can
> be configured to do authentication against /etc/passwd, but the
> Aventail NAS doesn't know that this is happening.

Merely a grammatical slip. I know the Aventail is using Radius.
FreeRadius is using the system's Unix-based authentication, which in
this case is NIS-based.

> > I do not totally (obviously) grasp the intricacies of the radiusd.conf
> > file, multiple authentication schemes, etc.
>
> It has nothing to do with "radiusd.conf".
>
> Why are you trying to send Unix group information to the NAS?

Why does it not have to do with radiusd.conf? The section I posted
previously labeled "passwd etc_group", and is directly FROM the default
radiusd.conf, is described as doing exactly what I expect/hope. The
radius server, upon positive authentication, should also then parse the
group directory (/etc/group, in this case, including its NIS extension)
and return in the Authenticator additional information labeled as
"Attribute value pairs" that would, in this case, be the groups the user
belongs to.

I am trying to get this for it allows me to use 'predefined' groupings
of people (in this case, people within certain unix-based groups) as
another criterion in my ACLs on the Aventail.

--
John Duino <[EMAIL PROTECTED]>
National Engineering Technology

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

