Jason Chan wrote:
> Is it possible for FreeRadius to perform grouping after Kerberos
> authentication accepted?

  You can configure things in the post-authentication phase.

> My company has many switches and servers and we use kerberos 5 for
> RADIUS authentication. Once the user is authenticated, RADIUS will check
> and decide if this user can access the switches or particular servers
> (i.e. Allow telnet to the switch if the user belongs to the 'switch
> administrator' group).

  Authentication is independent of grouping.

  Where are the user groups coming from?  They're not in Kerberos.

  See the FAQ for an example of performing some action based on a Unix
group.  See "man rlm_passwd" for configuring groups that exist only on
the RADIUS server.

  Alan DeKok.
  http://deployingradius.com       - The web site of the book
  http://deployingradius.com/blog/ - The blog
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Reply via email to