General Question..

Behzad Barzideh
Hello, I am new to Radius and Free Radius, so forgive me if this question
has been asked or it is crazy.

We are in the process of changing all our authentication and authorization.
At the moment every "service" has its own user-id/password database. Thus
authentication/authorization per service is simple: want to deny access to a
given user, disable his/her password for that service.
As you can imagine this has a big overhead and users have to remember many
user-id/password per.

Can we use Radius/LDAP to do this?
What I was hoping we can do is as follows:
everyone will get one user-id/password. But for every service we will create
a boolean attribute. All services, dialup/wireless/vpn/etc. will use one
radius server for both Auth (authenticate/authorize).
The question is: can FreeRadius (or any radius) be configured to ask the LDAP
for the correct service attribute and give access based both on the
user-id/password and what the value of the services?

Thank you all for your help.

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
RE: General Question..

Brent-14

So just set Auth-Type for the user to Reject. We do this for suspended (non-paying users) until they pay up. No changing password this way.

Brent

Re: General Question..

Kris Benson
In reply to this post by Behzad Barzideh
FreeRadius users mailing list <[hidden email]> on
August 17, 2005 at 15:47 -0800 wrote:

>Can we use Radius/LDAP to do this?
>What I was hoping we can do is as follows:
>everyone will get one user-id/password. But for every service we will
>create a boolean attribute. All services, dialup/wireless/vpn/etc. will use one
>radius server for both Auth (authenticate/authorize).
>The question is: can FreeRadius (or any radius) be configured to ask the
>LDAP for the correct service attribute and give access based both on the
>user-id/password and what the value of the services?

Sort of.

The best bet is to use the LDAP "posixgroup" objectclass -- then you can
force certain radius clients to require a specific group membership.

Let me know when you get closer to implementation and I can help you with
some config files.

-kb
--
Kris Benson, CCP, I.S.P.
Technical Analyst, District Projects
School District #57 (Prince George)
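
One way the group-per-service approach suggested in this thread could be laid out in FreeRADIUS 1.x, as an added example that is not configuration posted by anyone in the thread. The hunt-group names, LDAP group names and NAS addresses are constructed placeholders, and the filter assumes posixGroup entries that list members by login name in memberUid.

```conf
# --- raddb/radiusd.conf, inside the existing ldap { } module section ---
# Resolve Ldap-Group comparisons against posixGroup entries.
# Assumption: each group lists its members by login name in memberUid.
groupname_attribute = cn
groupmembership_filter = "(&(objectClass=posixGroup)(memberUid=%{Stripped-User-Name:-%{User-Name}}))"

# --- raddb/huntgroups ---
# Label each RADIUS client (NAS) with the service it fronts.
# Addresses are constructed placeholders from the documentation range.
vpn       NAS-IP-Address == 192.0.2.10
wireless  NAS-IP-Address == 192.0.2.20
dialup    NAS-IP-Address == 192.0.2.30

# --- raddb/users ---
# One identity per person; access to a service depends on membership of
# that service's group. A user outside the group is rejected even when
# the password is correct, so no per-service password is needed.
# Group names (vpn-users, ...) are hypothetical.
DEFAULT Huntgroup-Name == "vpn", Ldap-Group != "vpn-users", Auth-Type := Reject
        Reply-Message = "Not authorized for VPN"

DEFAULT Huntgroup-Name == "wireless", Ldap-Group != "wireless-users", Auth-Type := Reject
        Reply-Message = "Not authorized for wireless"

DEFAULT Huntgroup-Name == "dialup", Ldap-Group != "dialup-users", Auth-Type := Reject
        Reply-Message = "Not authorized for dialup"

# Caveat: a NAS that is missing from huntgroups matches none of the rules
# above, so its users are checked on password alone. Keep huntgroups in
# step with clients.conf whenever a client is added.
```

Removing a user from one service's group revokes that service only; the single password and the other memberships stay untouched.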
