On Thu, May 30, 2002 at 08:38:04AM -0400, Deramus, Chris wrote:
> Simon,
> 
> I got Authentication to work with the method you described, but that's only
> the first level. I realize that I can't make username, the group name. I
> guess I am not wording it correctly, let me try better this time =). 
> 
> The Cisco VPN Dialer has a setup section where the user must enter their
> group name and group password. When they attempt to connect to our VPN, it
> passes the group name and group password to the concentrator. If that group
> name and pass is authenticated either via RADIUS or it's the VPN's internal
> database, it then prompts the user to enter their username and password for
> themselves (individual authorization/authentication). There's no real way to
> bypass this dual authentication, unless we used Digital Certificates which
> at this point we really can't. So my question is, can I somehow *trick*
> FreeRadius into realizing that the first authorization/authentication
> request is the Group Name and Pass, and then it will still listen for
> another request (Username/Pass)? 

So the NAS is sending two auth requests to freeradius for every
connection? One for the groupname/grouppassword and one for the
username/password? Are the same groupnames/grouppasswords used by
multiple clients?
This doesn't look like it should really change anything. If the NAS
sends an "ordinary" auth request for the group authentication and
another auth request for the user authentication, all you would need to
do is add an entry for the groupname/grouppassword in
radcheck/usergroup/radgroupcheck
and another entry in the same tables for the username/password.

It would be easier to answer your question if we knew what attributes
were sent in the auth requests for the group authentication and user
authentication respectively.

-- 
Simon


- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html