On Fri, Jan 2, 2009 at 3:24 PM, Alex French <[email protected]> wrote:
> Hi,
>
> We are using Freeradius 1.1.7 to authenticate a large group of users
> for one service, with a pgsql backend. I would now like to start using
> our radius servers to also authenticate other groups of users for
> specific services, e.g. admin users who can access an apache frontend
> etc using PAM.
>
> My question is, what's the best way to classify and group the users to
> ensure that group X can access one service but group Y can access
> another, etc?
>
> My first thought is to use an attribute like the NAS-Id to identify
> the service and require certain user groups for each NAS id in the
> clients file. However, this does not allow any more granularity than
> the machine making the request -- for example, login, POP and httpd
> may all be on the same server but have different groups that should be
> able to access them.
>
> Can anyone point me in the right direction?
Will your NASes be able to send a unique value for each service in some attribute? If yes, you can use custom values for Service-Type, for example.

Another ugly approach would be to append some suffix to the user name that can be used in the server as a hint for the service being requested, something like john_login, john_httpd.

These are just ideas, I am far from being a RADIUS expert.

Regards
Luciano

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
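The two ideas in the reply (a per-service Service-Type value, or a User-Name suffix as a hint) both boil down to the same decision: key the required group on the pair (NAS, service) rather than on the NAS alone. The following is an added example written for this thread, not FreeRADIUS code and not anything from the original posts. Attribute names follow RFC 2865; the NAS identifier `mx1`, the Service-Type values 200 and 201 standing in for "custom" values, the group names and the accounts are all constructed for illustration. It shows the policy table that gives three services on one host three different groups, and the one detail the suffix scheme needs to get right: only a recognised suffix is stripped before the account lookup, so an unknown suffix is never silently discarded.

```python
"""Authorization decision for the question in this thread: which group a
user must belong to before a given service on a given NAS accepts them.

Added example, not FreeRADIUS code. Attribute names follow RFC 2865;
the NAS names, service values, groups and accounts are constructed.
"""
from dataclasses import dataclass
from typing import Optional

# Service-Type -> service name. 1 (Login-User) and 6 (Administrative-User)
# are standard RFC 2865 values; 200 and 201 stand in for the custom values
# the reply suggests and are constructed for this example.
SERVICE_BY_TYPE = {1: "login", 6: "admin", 200: "pop", 201: "httpd"}

# Suffixes recognised in the User-Name hint scheme (john_httpd).
SUFFIX_SERVICES = {"login", "admin", "pop", "httpd"}

# (NAS-Identifier, service) -> group required. Three services on the same
# host get three different groups, which a per-client rule cannot express.
POLICY = {
    ("mx1", "login"): "staff",
    ("mx1", "pop"): "mail",
    ("mx1", "httpd"): "admins",
}

# Constructed group memberships (the thread keeps these in pgsql).
USER_GROUPS = {
    "alice": {"staff", "mail", "admins"},
    "bob": {"mail"},
}


@dataclass(frozen=True)
class Request:
    user_name: str
    nas_identifier: str
    service_type: Optional[int] = None


@dataclass(frozen=True)
class Decision:
    accept: bool
    account: str
    service: Optional[str]
    reason: str


def resolve_service(request: Request):
    """Work out (account, service) for a request.

    Service-Type is preferred when the NAS sends one. Otherwise the
    User-Name suffix is used as a hint and stripped so the real account is
    looked up; an unrecognised suffix is left in place and treated as no
    hint at all, so 'bob_evil' does not silently become 'bob'.
    """
    if request.service_type is not None:
        return request.user_name, SERVICE_BY_TYPE.get(request.service_type)
    base, sep, suffix = request.user_name.rpartition("_")
    if sep and base and suffix in SUFFIX_SERVICES:
        return base, suffix
    return request.user_name, None


def authorize(request: Request) -> Decision:
    """Accept only when the policy names a group for (NAS, service) and the
    account is a member of that group; every other path is a reject."""
    account, service = resolve_service(request)
    if service is None:
        return Decision(False, account, None, "no usable service indication")
    group = POLICY.get((request.nas_identifier, service))
    if group is None:
        return Decision(False, account, service, "no policy for NAS/service")
    if group not in USER_GROUPS.get(account, set()):
        return Decision(False, account, service, f"not in group {group}")
    return Decision(True, account, service, f"member of {group}")


if __name__ == "__main__":
    for req in (
        Request("bob", "mx1", 200),        # POP on mx1: mail group, accept
        Request("bob", "mx1", 201),        # httpd on mx1: admins, reject
        Request("alice_httpd", "mx1"),     # suffix hint, no Service-Type
        Request("bob", "mx1"),             # nothing identifies the service
        Request("bob", "mx2", 200),        # NAS without a policy
    ):
        d = authorize(req)
        print(f"{req.user_name:12} {req.nas_identifier} -> "
              f"{'ACCEPT' if d.accept else 'REJECT'} ({d.reason})")
```

Whichever of the two schemes the NASes can actually produce, the default is a reject: a request whose service cannot be determined, or whose (NAS, service) pair has no policy entry, never falls through to an accept. In a real deployment the `POLICY` and `USER_GROUPS` tables would be the SQL group tables the original poster already has, with the lookup keyed on both NAS-Identifier and the service indicator.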

