On Fri, 2 Jan 2009, Alok Vimawala wrote:
Hi Mike,
Are you trying to have the radius server send an access-reject when the user
is not in the group?
Or are you trying to send a list of groups to the VPN device?
I couldn't figure out how to have the client (in this case a Cisco ASA5500
VPN) send the group profile id or name along with the request, so I ended
up doing it the other way, where the RADIUS server sends back a list of
authorized groups, and my appliance makes the decision on authorization. I
don't know if that's the best way or not.
-Mike
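The two arrangements discussed above (server-side reject versus returning the group list and letting the appliance decide) as a FreeRADIUS 2.x "users" file fragment. This is an added illustration, not configuration posted in this thread; it assumes the `unix` module is in the authorize section so the `Group` check item is compared against /etc/group, and that the VPN appliance reads group names from the `Class` reply attribute.

```text
# Constructed example: users-file entries for both approaches.
#
# (a) Let the RADIUS server itself reject anyone outside the "vpnusers"
#     group. "Group" is evaluated by the unix module, and the check item
#     Auth-Type := Reject short-circuits authentication when it matches.
DEFAULT Group != "vpnusers", Auth-Type := Reject
        Reply-Message = "Not a member of the VPN access group"

# (b) Otherwise hand the user's group memberships back to the appliance
#     (here as repeated Class attributes) and let it make the decision.
#     Fall-Through keeps the server walking the file so that every
#     matching group entry contributes its Class value to the reply.
DEFAULT Group == "vpnadmins"
        Class += "vpnadmins",
        Fall-Through = Yes

DEFAULT Group == "vpnusers"
        Class += "vpnusers"
```

Entry (a) only stops users who are in no permitted group; anyone who passes it still gets the full group list from (b), so the appliance's policy remains the final authorization decision.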
On Jan 1, 2009, at 3:21 PM, Alan DeKok wrote:
Mike Diggins wrote:
On a related note, should the rlm_dbm_parse program be able to convert
the users file (assuming it is the correct syntax) directly? It
complains about the ntlm_auth type.
I wouldn't suggest using rlm_dbm. It's not really maintained, and
it's not necessary.
As of 2.x, the server puts the "users" file entries into a hash when
it loads the file. I've tested 100K users being loaded in a second or
two on a reasonable machine. On top of that, 2.x supports HUP better
than 1.x.
So... rlm_dbm is almost never necessary any more.
If you have less than 10K entries in the "users" file, I would suggest
that rlm_dbm is not for you. If you have more than 10K users, I would
suggest using an SQL database.
Alan DeKok.
-
List info/subscribe/unsubscribe? See
http://www.freeradius.org/list/users.html