groups in eap/tls authentication

Norbert Wegener
My users authenticate via certificates and eap/tls.
Up to now they all get the same DEFAULTs for DNS servers and WINS
servers assigned.
Now there is demand to assign some of them special servers.
I would like to do this by defining another DEFAULT entry combined with a
hint/check item or something else.
If they would use normal accounts, they would be able to append a suffix
to that account, so that a hint file comes into business.
As their login is extracted from the certificate, they have no chance to
do so.
I would like to do something like this, but as far as I understand, this
Group check-item will only work  with Auth-Type=System:

[hidden email], Group="abc"
        Fall-Through = Yes

[hidden email], Group="123"
        Fall-Through = Yes

DEFAULT Group="abc"
        Service-Type = Framed-User,
        Framed-Protocol = PPP,
        Cisco-AVPair += "ip:dns-servers=1.2.3.4 5.6.7.8",
        Fall-Through = No

DEFAULT Group="123"
        Service-Type = Framed-User,
        Framed-Protocol = PPP,
        Cisco-AVPair += "ip:dns-servers=11.22.33.44 55.66.77.88",
        Fall-Through = No

Is there a way to do this?
Thanks for an answer.
Norbert Wegener




-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: groups in eap/tls authentication

Alan DeKok
Norbert Wegener <[hidden email]> wrote:
> I would like to do something like this, but as far as I understand, this
> Group check-item will only work  with Auth-Type=System:

  No.  The Group check-item works only for people in /etc/groups.

  If you want non-Unix groups, see the rlm_passwd module.

  Alan DeKok.