Alex French wrote:
> We are using Freeradius 1.1.7 to authenticate a large group of users

Ugh. We really suggest upgrading.

> for one service, with a pgsql backend. I would now like to start using
> our radius servers to also authenticate other groups of users for
> specific services, e.g. admin users who can access an apache frontend
> etc using PAM.
>
> My question is, what's the best way to classify and group the users to
> ensure that group X can access one service but group Y can access
> another, etc?

Groups. 2.x has example configurations that create groups local to the RADIUS server.

> My first thought is to use an attribute like the NAS-Id to identify
> the service and require certain user groups for each Nas id in the
> clients file. However, this does not allow any more granularity than
> the machine making the request -- for example, login, POP and httpd
> may all be on the same server but have different groups that should be
> able to access them.

Is there anything in the RADIUS request that allows you to distinguish the different services? If not, having any level of granularity is impossible.

Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

