Jason Chan wrote: > Is it possible for FreeRadius to perform grouping after Kerberos > authentication accepted?
You can configure things in the post-authentication phase. > My company has many switches and servers and we use kerberos 5 for > RADIUS authentication. Once the user is authenticated, RADIUS will check > and decide if this user can access the switches or particular servers > (i.e. Allow telnet to the switch if the user belongs to the 'switch > administrator' group). Authentication is independent of grouping. Where are the user groups coming from? They're not in Kerberos. See the FAQ for an example of performing some action based on a Unix group. See "man rlm_passwd" for configuring groups that exist only on the RADIUS server. Alan DeKok. -- http://deployingradius.com - The web site of the book http://deployingradius.com/blog/ - The blog - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
