On Sat, Mar 27, 2010 at 3:00 AM, Doug Warner <d...@warner.fm> wrote:

> I'm trying to set up freeradius to authenticate users via LDAP but pull group
> information via MySQL. I currently only need radius for authentication to
> network devices (switches, PDUs, etc) but want to make sure I set it up so
> that I don't shoot myself in the foot later.
>
> In trying to get the correct attributes assigned to a group I've noticed that
> I need to set Fall-Through on each group that a user belongs to in order to
> have later groups evaluated. Is there a better way that I can say something
> like, "this client should check for access from these groups" so that I only
> need to set Fall-Through on certain groups instead of all?

Why not just use LDAP altogether for your group-based auth? This is how I do it and it works well, and doesn't need any schema extensions.

http://lists.freeradius.org/mailman/htdig/freeradius-users/2009-November/msg00001.html

Then all you have to do is modify the hostgroups & postauth_users files when you add new NASes.