Good Afternoon Ivan;
Thank you for your reply. I have looked into passwd; however, it appears that
this only works for accounts within the local machine. I am authenticating
accounts held within a remote Kerberos realm, thus the accounts are not local
to the machine. I have loaded the passwd module in the module section as seen
below.
Module Section
passwd noc_group {
filename = /etc/raddb/group
format = "~Group-Name:*,User-Name"
hashsize = 50
ignorenislike = yes
allowmultiplekeys = yes
delimiter = ":"
}
Authorize section
#Testing Config to use custom Group File
noc_group
/etc/group file, one group defined, two testing users.
NOC:ez073973,jttester
Users file. For first round testing I would like to reject. Once I have this
all squared away I will begin more detailed config.
DEFAULT Group-Name = "NOC", Auth-Type = Reject
	Reply-Message = "FAIL",
	Fall-Through = no

DEFAULT Auth-Type = krb5
	Fall-Through = 1

DEFAULT Auth-Type = System
When an account that is local to the machine tries to authenticate, it fails
accordingly; thus it appears the machine is still using the internal user/group
mechanism, not the custom file. (Notice how I am not using the default group
file; I am using something separate to ensure that things remain... separate.)
Accounts not local to the machine authenticate and are given an Access-Accept;
unfortunately, it should fail them.
Thank you
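As an added illustration (not code from this thread and not FreeRADIUS's own), the Python below models how rlm_passwd's `format` string maps the columns of a flat file onto attribute lists, so a configuration like the one above can be previewed before it gates an Access-Reject. The field-prefix meanings it uses are an assumption taken from my reading of the rlm_passwd documentation ('*' key field, ',' comma-separated values, '=' check list, '~' request list, no prefix reply list; confirm against `man rlm_passwd` for the version in use). The group file contents, the extra netops group and the malformed line are constructed sample data.

```python
"""
Added illustration, not code from the thread or from FreeRADIUS itself:
a model of how rlm_passwd maps the columns of a flat file onto RADIUS
attribute lists under a given `format`, so a config such as the one in
the post can be previewed before it gates an Access-Reject.

Assumed field-prefix semantics (check `man rlm_passwd` for your version):
  '*' key field, ',' comma-separated multi-value, '=' goes to the check
  (control) list, '~' goes to the request list, no prefix -> reply list.
"""

# Constructed stand-in for the poster's /etc/raddb/group, plus a second
# group and a malformed line to show what a column-count mismatch does.
GROUP_FILE = """\
# group:members
NOC:ez073973,jttester
netops:alice,ez073973
broken:x:nobody
"""

LIST_FOR_PREFIX = {"=": "check", "~": "request"}  # assumption, see docstring


def parse_format(fmt, delimiter=":"):
    """Return one (attr, is_key, is_multi, target_list) tuple per field."""
    fields = []
    for spec in fmt.split(delimiter):
        is_key = is_multi = False
        target = "reply"
        while spec and spec[0] in "*,=~":
            prefix, spec = spec[0], spec[1:]
            if prefix == "*":
                is_key = True
            elif prefix == ",":
                is_multi = True
            else:
                target = LIST_FOR_PREFIX[prefix]
        fields.append((spec, is_key, is_multi, target))
    if sum(1 for f in fields if f[1]) != 1:
        raise ValueError("format needs exactly one key field (prefix '*')")
    return fields


def lint_group_file(fmt, data, delimiter=":"):
    """(line number, line) pairs whose column count does not match `format`."""
    nfields = len(parse_format(fmt, delimiter))
    return [
        (n, line) for n, line in enumerate(data.splitlines(), 1)
        if line.strip() and not line.startswith("#")
        and len(line.split(delimiter)) != nfields
    ]


def passwd_lookup(fmt, data, user, delimiter=":", allow_multiple_keys=True):
    """Attributes the module would add for `user`, keyed by target list."""
    fields = parse_format(fmt, delimiter)
    out = {"check": {}, "reply": {}, "request": {}}
    for line in data.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        cols = line.split(delimiter)
        if len(cols) != len(fields):
            continue  # malformed line: unusable, see lint_group_file()
        key_hit = False
        for (attr, is_key, is_multi, _), value in zip(fields, cols):
            if is_key:
                members = value.split(",") if is_multi else [value]
                key_hit = user in members
        if not key_hit:
            continue
        for (attr, is_key, _, target), value in zip(fields, cols):
            if not is_key and attr:
                out[target].setdefault(attr, []).append(value)
        if not allow_multiple_keys:
            break  # first matching line wins
    return out


def group_names(fmt, data, user, **kw):
    """Every Group-Name value produced for `user`, whichever list it lands in."""
    attrs = passwd_lookup(fmt, data, user, **kw)
    return sorted(v for lst in attrs.values() for v in lst.get("Group-Name", []))


if __name__ == "__main__":
    fmt = "~Group-Name:*,User-Name"  # the poster's format string
    for user in ("ez073973", "jttester", "alice", "nobody"):
        print(user, passwd_lookup(fmt, GROUP_FILE, user))
    print("skipped lines:", lint_group_file(fmt, GROUP_FILE))
```

Under the poster's '~' format, ez073973 comes back with Group-Name values NOC and netops in the request list and nothing at all in the check list; changing the prefix to '=' moves the same values to the check list. The model stops at the attribute lists: which list a users-file check item is compared against, and whether some other module has registered its own comparison function for Group-Name, decides whether `DEFAULT Group-Name = "NOC"` ever matches, and `radiusd -X` is the place to confirm that. A line whose column count disagrees with the format is skipped silently; with the users file above that means the reject entry never fires and the request falls through to the krb5 entry, so the lint function is worth running whenever the file changes.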
-----Original Message-----
From: [email protected]
[mailto:[email protected]] On
Behalf Of [email protected]
Sent: Friday, March 27, 2009 2:50 AM
To: FreeRadius users mailing list
Subject: Re: User Authorization question
>I am looking at different ways to authorize users using local resources. I
>would like to create various text files (like foundry.acl, juniper.acl etc
>etc) with a list of Kerberos principals contained within (each principal
>separated by a new line).
>When a user attempts to authenticate from a given IP range the radius engine
>will authorize the user against the appropriate acl file, if the user is
>contained within the acl file then they are allowed and certain vendor
>specific attrs are sent back with the Access-Accept.
>Basically I would like to create "groups" to authorize access to different
>devices across the network, LDAP is not an option and moving forward with a
>SQL db seems a bit overkill.
>
See passwd module.
Ivan Kalik
Kalik Informatika ISP
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html