help-gnu-radius

Re: [Help-gnu-radius] checking groups...


From: Sergey Poznyakoff
Subject: Re: [Help-gnu-radius] checking groups...
Date: Wed, 17 Jul 2002 10:59:13 +0300

> I am using the mod_auth_radius.so modules for apache authentication..
> (the one from http://freeradius.org/mod_auth_radius/) and would like to
> be able to do a "require group group1" and have it rely on the group
> info on the radius server..
[...]
> My question is can it be done??  What Auth-request attributes do
> I need to send to the radius server to get it to check for a specific
> group?

Actually, there are no attributes dedicated specially to this purpose.
The Group and Group-Name attributes are internal attributes (with value > 256)
and thus cannot be sent over the network. The best way would be to
use State or Class attributes. For example, in your raddb/users you
define:

DEFAULT NAS-IP-Address = <address-of-http-server>,
               Service-Type = Authenticate-Only,
               Class = "group1",
               Auth-Type = SQL,
               Group = "group1"
        Service-Type = Authenticate-Only

DEFAULT NAS-IP-Address = <address-of-http-server>,
               Service-Type = Authenticate-Only,
               Class = "group2",
               Auth-Type = SQL,
               Group = "group2"
        Service-Type = Authenticate-Only

Then, to request authentication for a user from group1, your
mod_auth_radius.so will have to send a packet of the following
contents:

        NAS-IP-Address = <address-of-http-server>,
        Service-Type = Authenticate-Only,
        Class = "group1",
        User-Name = "dummy",
        Password = "dummpass"

(These are the obligatory ones. Apart from them, the client may send
whatever surplus attributes it deems necessary).

Similarly, for group2, the contents of the client's request should
be

        NAS-IP-Address = <address-of-http-server>,
        Service-Type = Authenticate-Only,
        Class = "group2",
        User-Name = "dummy",
        Password = "dummpass"

If there are several http servers that will be authenticating using
the same profiles, declare them as a huntgroup and use the huntgroup
name in your raddb/users, e.g.:

#raddb/huntgroups:
HTTP NAS-IP-Address = <address-of-1st-http-server>      NULL
HTTP NAS-IP-Address = <address-of-2nd-http-server>      NULL

#raddb/users:
DEFAULT Huntgroup-Name = HTTP,
               Service-Type = Authenticate-Only,
               Class = "group1",
               Auth-Type = SQL,
               Group = "group1"
        Service-Type = Authenticate-Only

#etc...

Regards,
Sergey
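As an added example, not part of this thread and not code from GNU Radius or mod_auth_radius, the following Python script builds the Access-Request described above according to RFC 2865 (NAS-IP-Address, Service-Type = Authenticate-Only, Class = group, User-Name, User-Password with the standard MD5 obfuscation) and models the server side of the raddb/users profiles, including the huntgroup variant: a profile is selected by NAS-IP-Address (or a set of addresses standing in for the HTTP huntgroup), Service-Type and Class, and yields the Group the server would apply. The IP addresses, shared secret and profile table are constructed for the demonstration.

```python
import hashlib
import os
import socket
import struct

# RADIUS Access-Request code and attribute types from RFC 2865.
CODE_ACCESS_REQUEST = 1
ATTR_USER_NAME = 1
ATTR_USER_PASSWORD = 2
ATTR_NAS_IP_ADDRESS = 4
ATTR_SERVICE_TYPE = 6
ATTR_CLASS = 25
SERVICE_TYPE_AUTHENTICATE_ONLY = 8


def encode_user_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 section 5.2: pad to a 16-byte multiple, then XOR each block with
    MD5(secret + previous ciphertext block); the first "previous block" is the
    16-byte Request Authenticator."""
    padded = password + b"\x00" * (-len(password) % 16) or b"\x00" * 16
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        mask = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], mask))
        out += prev
    return out


def decode_user_password(cipher: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of encode_user_password, as the server applies it."""
    out, prev = b"", authenticator
    for i in range(0, len(cipher), 16):
        mask = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(cipher[i:i + 16], mask))
        prev = cipher[i:i + 16]
    return out.rstrip(b"\x00")


def attribute(attr_type: int, value: bytes) -> bytes:
    # Type (1 byte), Length (1 byte, includes this 2-byte header), Value.
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def build_access_request(identifier, secret, nas_ip, group, username, password, authenticator=None):
    """The packet the mail says mod_auth_radius must send for a given group."""
    if authenticator is None:
        authenticator = os.urandom(16)  # fresh Request Authenticator per request
    attrs = b"".join([
        attribute(ATTR_NAS_IP_ADDRESS, socket.inet_aton(nas_ip)),
        attribute(ATTR_SERVICE_TYPE, struct.pack("!I", SERVICE_TYPE_AUTHENTICATE_ONLY)),
        attribute(ATTR_CLASS, group.encode()),
        attribute(ATTR_USER_NAME, username.encode()),
        attribute(ATTR_USER_PASSWORD, encode_user_password(password.encode(), secret, authenticator)),
    ])
    header = struct.pack("!BBH", CODE_ACCESS_REQUEST, identifier, 20 + len(attrs))
    return header + authenticator + attrs


def parse_packet(packet: bytes):
    """Split a RADIUS packet into (code, identifier, authenticator, [(type, value), ...])."""
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length > len(packet):
        raise ValueError("bad RADIUS length field")
    body, pos, attrs = packet[20:length], 0, []
    while pos < len(body):
        attr_type, attr_len = body[pos], body[pos + 1]
        if attr_len < 2 or pos + attr_len > len(body):
            raise ValueError("malformed attribute")
        attrs.append((attr_type, body[pos + 2:pos + attr_len]))
        pos += attr_len
    return code, identifier, packet[4:20], attrs


# Server-side view modelled on the raddb/users entries in the mail. Addresses are
# constructed; the third entry stands in for the HTTP huntgroup of two servers.
PROFILES = [
    {"nas_ips": {"192.0.2.10"}, "class": b"group1", "group": "group1"},
    {"nas_ips": {"192.0.2.10"}, "class": b"group2", "group": "group2"},
    {"nas_ips": {"192.0.2.20", "192.0.2.21"}, "class": b"group1", "group": "group1"},
]


def match_profile(attrs, profiles=PROFILES):
    """Return the Group of the first profile whose check items all match, else None."""
    found = {t: v for t, v in attrs}
    if len(found.get(ATTR_NAS_IP_ADDRESS, b"")) != 4 or ATTR_CLASS not in found:
        return None
    nas_ip = socket.inet_ntoa(found[ATTR_NAS_IP_ADDRESS])
    service = struct.unpack("!I", found.get(ATTR_SERVICE_TYPE, b"\x00" * 4))[0]
    for profile in profiles:
        if (nas_ip in profile["nas_ips"] and service == SERVICE_TYPE_AUTHENTICATE_ONLY
                and found[ATTR_CLASS] == profile["class"]):
            return profile["group"]
    return None


if __name__ == "__main__":
    secret = b"constructed-shared-secret"
    pkt = build_access_request(7, secret, "192.0.2.10", "group1", "dummy", "dummpass")
    code, ident, auth, attrs = parse_packet(pkt)
    print(f"code={code} id={ident} len={len(pkt)} attrs={[t for t, _ in attrs]}")
    print("server selects group:", match_profile(attrs))
    print("server recovers password:", decode_user_password(dict(attrs)[ATTR_USER_PASSWORD], secret, auth))
```

The Class value is chosen by the client, so on the server the group selection rests on the NAS-IP-Address (or huntgroup) check and on the shared secret that protects the request; a request carrying a Class with no matching profile for that NAS falls through to no group, which is what `match_profile` returns as `None`.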


