On 08/21/2009 11:33 AM, Gary Gatten wrote:
Hello, so for the BASIC question!  First, are there any docs that explain
the concepts of how all the various pieces of FR tie together? I’ve read
a bunch of stuff and am making some headway, but some of the
architecture and process flow still escapes me. If I can gain a better
understanding of the internals I could probably resolve most of my own
questions and better contribute to the community as well!

Now, the question:

We have various environments that need to authenticate and authorize
using FR: VPN connections with something like (if member of “VPNGroup”
then permit, else deny); vty login to network gear with (if member of
“NetEngGroup” then permit, else deny); and 802.1x with dynamic VLAN
assignment. I plan to use ntlm_auth for all of these to hit AD on the
backend.

The problem I’m having is grasping how I can do this? Do I need separate
instances of FR? A bunch of “if then/else” clauses somewhere? How does
FR know what type of auth is required? Am I making this more complicated
than it really is?

You'll want to assign users into a group. You have a lot of flexibility on how you do that. Probably the easiest way to manage things is using a SQL backend. You can declare groups and assign users to them in the SQL tables. Or you can dynamically decide a user is in a particular group based on a variety of factors and insert the group name into the request (use unlang for this) so the group test can see it. Or you can put someone in a group based on how they're connecting (e.g. from specific NASes); these are called huntgroups. There is a HowTo on the wiki explaining how to do this with SQL.

You do not need separate instances of FR.

FR knows what type of auth to perform based on what the client sends and how you've set up the authentication section of the config. Basically each authentication module in priority order is given a chance to look at the request. If the module thinks it has enough information to process the request it does so.

--
John Dennis <[email protected]>

Looking to carve out IT costs?
www.redhat.com/carveoutcosts/
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
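As an added illustration (not from John's reply or the FreeRADIUS project), here is one way the three cases in the question could be written as huntgroups plus unlang in the authorize section of a single server. Assumed: the SQL group tables from the wiki HowTo are in place so the `SQL-Group` check works, the NAS addresses and VLAN id are placeholders, `ntlm_auth` is the exec-based Auth-Type that the stock raddb comments describe, and 802.1x requests are left to the `eap` module to pick their own Auth-Type.

```unlang
# raddb/huntgroups: name a NAS (or set of NASes) by how the user connects.
# Addresses below are placeholders, not real devices.
#   vpn      NAS-IP-Address == 192.0.2.10
#   netgear  NAS-IP-Address == 192.0.2.20
#   dot1x    NAS-IP-Address == 192.0.2.30

# raddb/sites-enabled/default, authorize section (excerpt)
authorize {
    preprocess      # reads huntgroups and makes Huntgroup-Name testable below

    # VPN concentrator: permit only members of VPNGroup, everyone else is denied.
    if (Huntgroup-Name == "vpn") {
        if (SQL-Group == "VPNGroup") {
            update control {
                Auth-Type := ntlm_auth   # password checked against AD
            }
        }
        else {
            reject
        }
    }

    # vty login on network gear: permit only members of NetEngGroup.
    elsif (Huntgroup-Name == "netgear") {
        if (SQL-Group == "NetEngGroup") {
            update control {
                Auth-Type := ntlm_auth
            }
        }
        else {
            reject
        }
    }

    # 802.1x: the group decides the VLAN returned to the switch; the eap
    # module (run later in this section) sets Auth-Type for EAP itself.
    elsif (Huntgroup-Name == "dot1x") {
        if (SQL-Group == "NetEngGroup") {
            update reply {
                Tunnel-Type := VLAN
                Tunnel-Medium-Type := IEEE-802
                Tunnel-Private-Group-Id := "20"   # placeholder VLAN id
            }
        }
        eap
    }
}
```

Requests from a NAS not listed in huntgroups match none of the branches and fall through to whatever else the authorize section does, so the default should be a reject unless another policy applies.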
