WMI for Administrators > Configuration > Group Authorization

Group Authorization
Group authorization adds a further level of system security by enabling network-based authorization in addition to the initial authentication.
Retrieving group information from the TACACS+, RADIUS, LDAP, and NTLM authentication servers enables authorization in addition to authentication. An administrator can configure the authentication server to add group authorization checking.
To Configure Group Authorization on an LDAP Server
On the LDAP server, edit the "info" attribute for the group, and add the following syntax.
 
To Configure Group Authorization on an NTLM Server
To configure group authorization, install the required tools from the Windows Server Administration Pack. The primary tools are the Active Directory Schema MMC Snap-in, for adding the attribute "info" to the objectclass "Users", and the ADSI Edit MMC Snap-in, for editing the property "comment" as "group_name=<Group1>[,<Group2>,...,<GroupN>];".
1.
2.
3.
A Console window appears.
4.
The "Add/Remove Snap-in" window appears.
5.
The "Add Standalone Snap-ins" window appears.
6.
7.
Configuring Active Directory Schema
1.
2.
3.
4.
5.
Configuring ADSI Edit
1.
The "Connection" window appears.
2.
You will see the path "Domain NC[domain.com].
3.
You will see expanded path "DC=xxx,DC=xxx,DC=com".
4.
You will see the expanded classes "CN=Builtin, ..."
5.
You will see the expanded users list.
6.
You will see the window "CN=<username> Properties".
7.
8.
9.
To Configure Group Authorization on a RADIUS Server
1.
On the server, edit /etc/raddb/users and add a new string attribute (ATTRIBUTE Framed-Filter-Id 11) similar to the following example.
Framed-Filter-Id="group_name=<Group1>[,<Group2>,...,<GroupN>];",
If the Framed-Filter-Id already exists, just add the group_name to the string starting with a colon ":".
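The following is an added example, not code from the product or its vendor: a small Python helper that builds and checks a Framed-Filter-Id value against the group_name syntax shown above before it is placed in /etc/raddb/users. It assumes that group names contain none of the characters , ; : = " and that an existing value is kept in front of the colon; the function names and the sample value "std.filter" are constructed for illustration.

```python
import re

PREFIX = "group_name="
# Assumption: a group name is non-empty and free of the format's delimiters.
_NAME = re.compile(r'[^,;:="]+')


def _check(names):
    """Reject empty names and names that contain a delimiter character."""
    for name in names:
        if not _NAME.fullmatch(name):
            raise ValueError(f"invalid group name: {name!r}")
    return names


def format_group_names(groups):
    """Build 'group_name=<Group1>[,<Group2>,...,<GroupN>];' from a list."""
    names = [g.strip() for g in groups]
    if not names:
        raise ValueError("at least one group is required")
    return PREFIX + ",".join(_check(names)) + ";"


def parse_group_names(value):
    """Return the groups carried in a Framed-Filter-Id value, or [] if none."""
    segments = [s for s in value.split(":") if s.startswith(PREFIX)]
    if not segments:
        return []
    if len(segments) > 1:
        raise ValueError("more than one group_name segment")
    body = segments[0][len(PREFIX):]
    if not body.endswith(";"):
        raise ValueError("group_name list must end with ';'")
    return _check([n.strip() for n in body[:-1].split(",")])


def add_groups(existing, groups):
    """Append the group_name segment to an existing value after a colon."""
    if parse_group_names(existing):
        raise ValueError("value already carries a group_name segment")
    segment = format_group_names(groups)
    return f"{existing}:{segment}" if existing else segment
```

A value that fails parse_group_names (missing terminating semicolon, empty group between commas) is worth correcting before it reaches the server, since the group list is what authorization is checked against.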
