Group authorization adds an additional level of system security by enabling network-based authorization in addition to the initial authentication. Retrieving group information from the TACACS+, RADIUS, LDAP, and NTLM authentication servers enables authorization in addition to authentication. An administrator can configure the authentication server to add group authorization checking.

On the LDAP server, edit the "info" attribute for the group, and add the following syntax.

To configure group authorization, install the required tools from the Windows Server Administration Pack. The primary tools are the Active Directory Schema MMC Snap-in, for adding the attribute "info" to the objectclass "Users", and the ADSI Edit MMC Snap-in, to edit the property "comment" as "group_name=<Group1>[,<Group2>,...,<GroupN>];".
6. From the list, select "Active Directory Schema" and click [Add]; select "ADSI Edit" and click [Add], and then click [Close].
1. In the console window, double-click "Active Directory Schema". You will see the paths "Classes" and "Attributes".
3. Double-click "Classes", locate the class "Users", and right-click it to select "Properties".
1. In the console window, double-click "ADSI Edit", and on the menu bar select "Action" > "Connect to...". You will see the path "Domain NC[domain.com]".
3. Double-click "Domain NC[domain.com]".
1. On the server, edit /etc/raddb/users and add a new string attribute (ATTRIBUTE Framed-Filter-Id 11) similar to the following example.
Framed-Filter-Id="group_name=<Group1>[,<Group2>,...,<GroupN>];",
If the Framed-Filter-Id already exists, just add the group_name to the string starting with a colon ":".
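
A check an administrator could run on a group string before writing it to the LDAP attribute or the RADIUS users file, added here as an example and not taken from the product's documentation or code. The function names, the permitted characters in a group name, and the fail-closed handling are assumptions; the sample values are constructed.

```python
import re

# Assumed character set for a group name; the page does not define one.
_GROUP_NAME = re.compile(r"^[A-Za-z0-9_.-]+$")
_PREFIX = "group_name="


def parse_group_attribute(value):
    """Return the groups carried in an attribute value.

    Accepts "group_name=g1,g2;" on its own, or appended to an existing
    value after a colon ("existing:group_name=g1,g2;").
    Raises ValueError when the group segment is malformed.
    """
    segments = [s for s in value.strip().split(":") if s.startswith(_PREFIX)]
    if not segments:
        return []  # attribute carries no group information
    if len(segments) > 1:
        raise ValueError("more than one group_name segment")
    body = segments[0][len(_PREFIX):]
    if not body.endswith(";"):
        raise ValueError("group list must end with ';'")
    groups = [g.strip() for g in body[:-1].split(",")]
    for g in groups:
        if not _GROUP_NAME.match(g):
            raise ValueError(f"invalid group name: {g!r}")
    if len(set(groups)) != len(groups):
        raise ValueError("duplicate group name")
    return groups


def is_authorized(value, allowed_groups):
    """Fail closed: malformed or empty group data authorizes nothing."""
    try:
        groups = parse_group_attribute(value)
    except ValueError:
        return False
    return any(g in allowed_groups for g in groups)


if __name__ == "__main__":
    # Constructed sample values, not taken from a real server.
    for sample in ("group_name=netops,dbadmin;",
                   "std.ppp.in:group_name=netops;",
                   "group_name=netops,,dbadmin;",
                   "group_name=netops"):
        try:
            print(sample, "->", parse_group_attribute(sample))
        except ValueError as err:
            print(sample, "-> rejected:", err)
```

A missing terminating semicolon or an empty entry between commas is rejected outright, so a typo in the directory shows up at edit time rather than as an unexplained authorization result.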