George,
Thanks for your reply. Unfortunately, the FreeRadius documentation and
support is so abysmal and my experience too limited to make good use of
the advice you gave. Each OSS package has its benefits and weaknesses I
guess. For instance I've used ISC DHCP server for years and it has
stellar support from the programmer, great on-line information and
documentation so much so that I can't imagine using anything else. I
guess I was hoping FreeRadius would have the same support. Without a
doubt it doesn't. I've spent about two weeks now struggling to make the
software do what I want and at this point I give up. I'm moving on to
Radiator. I just can't spend any more time spinning my wheels.
Perhaps in the future the FreeRadius writer's will realize how useless
their software is with the level of documentation and support they are
providing and choose to make improvements or maybe they'll just continue
to operate on a "you get what you pay for basis." Either way it's not
worth the frustration. It's a shame really because it's obvious that it
is a really good piece of software.
Anyway, thanks again for the reply.
--Paul
Paul Kuchinski
Network Administrator
Smeal College of Business Administration
Penn State University
email: [EMAIL PROTECTED]
phone: (814)865-0366
fax: (814)865-1845
George C. Kaplan wrote:
On Jul 31, 2006, at 10:08 AM, P. K. wrote:
Hi All,
I've been setting up my College's first FreeRadius server and I've
been having a hard time wrapping my brain around the config with the
documentation that is available. If you'll bear with me here through
this super long post, I'll go into more depth.
What I'm trying to do:
I want to configure FreeRadius to Authorize a user against an LDAP
directory based on IF that user has the following values:
edupersonprimaryaffiliation: STAFF
AND
psadminarea: BUSINESS - SMEAL COLLEGE
OR
edupersonprimaryaffiliation: Faculty
AND
psadminarea: BUSINESS - SMEAL COLLEGE
If the user's values don't match either of these two condition, they
are rejected. If they match either, then they are authenticated
agains a kerberos server.
This is very similar to our situation: you need to authorize based on
some combination of a user's attributes that are found in LDAP, but
that *aren't* present for comparison in the RADIUS request. Our
solution is to use rlm_perl for the comparison.
You already have part of the solution: you've got LDAP retrieving the
relevant LDAP data into locally-defined RADIUS attributes. Now you
just need to write a perl script to check the appropriate members of
the %RAD_CHECK hash, and configure an Autz-Type that uses your LDAP
module, followed by your rlm_perl module.
--George C. Kaplan [EMAIL PROTECTED]
Communication & Network Services 510-643-0496
University of California at Berkeley
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html