Jason Chan wrote:
> Is it possible for FreeRadius to perform grouping after Kerberos
> authentication is accepted?

You can configure things in the post-authentication phase.

> My company has many switches and servers and we use Kerberos 5 for
> RADIUS authentication. Once the user is authenticated, RADIUS will check
> and decide if this user can access the switches or particular servers
> (i.e. Allow telnet to the switch if the user belongs to the 'switch
> administrator' group).

Authentication is independent of grouping.

Where are the user groups coming from? They're not in Kerberos.

See the FAQ for an example of performing some action based on a Unix
group. See "man rlm_passwd" for configuring groups that exist only on
the RADIUS server.

http://deployingradius.com - The web site of the book
http://deployingradius.com/blog/ - The blog
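
A sketch of the Unix-group approach the reply points to, as an added example that is not part of the original message or the FreeRADIUS FAQ text. Assumptions: the group name `switchadmin`, the huntgroup name `switches`, the 192.0.2.x addresses and the `Auth-Type` value `Kerberos` are placeholders to adapt, and the group exists as a Unix group on the RADIUS server host.

```text
# --- raddb/huntgroups ---------------------------------------------
# Label the NAS devices that need the group restriction.
# Addresses are constructed (documentation range), not from the thread.
switches    NAS-IP-Address == 192.0.2.10
switches    NAS-IP-Address == 192.0.2.11

# --- raddb/users --------------------------------------------------
# Entries are evaluated top to bottom and the first match wins unless
# Fall-Through is set, so the deny rule must come before the rule that
# hands the request to Kerberos.

# Request arrives from a switch AND the user is not in the Unix group
# "switchadmin" (assumed name): reject before any password check runs.
DEFAULT Huntgroup-Name == "switches", Group != "switchadmin", Auth-Type := Reject
        Reply-Message = "Not a switch administrator"

# Everything else: the group check has passed or does not apply, so
# the password is verified against Kerberos (assumed Auth-Type name;
# it must match the entry in the authenticate section of radiusd.conf).
DEFAULT Auth-Type := Kerberos
```

`Group` is resolved against the Unix groups of the host running the server, so Kerberos principals without a local group entry need the rlm_passwd route mentioned in the reply instead.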