migrate from Cisco ACS

Thibault Le Meur Thibault.LeMeur at supelec.fr
Mon Jul 17 19:00:50 CEST 2006


> for example, if, on the current ACS server, i set the host where 
> 'radtest' lives to...
> 
> "authenticate using" -> "RADIUS (Cisco aironet)",
> 
> ...I get back the correct wireless vlan info. If I then set it to 
> authenticate using "RADIUS (VPN 3000)", I don't get back the 
> vlan info 
> but the Cisco-AVPair = "shell:priv-lvl=15" response is present.

The "users" file will help you design such rules.

First, you might find it useful to group your devices by IP address with the
_huntgroups_ file.

Then your rules in "users" might _look_like_:

# Wireless APs: Cisco Aironet needs all three tunnel attributes for a VLAN
DEFAULT	Huntgroup-Name == Aironet, Ldap-Group == Managers
		Tunnel-Type = VLAN,
		Tunnel-Medium-Type = IEEE-802,
		Tunnel-Private-Group-Id = "100"

DEFAULT	Huntgroup-Name == Aironet, Ldap-Group == Users
		Tunnel-Type = VLAN,
		Tunnel-Medium-Type = IEEE-802,
		Tunnel-Private-Group-Id = "101"

# VPN concentrator: the privilege level is carried in Cisco-AVPair
DEFAULT	Huntgroup-Name == VPN, Ldap-Group == Managers
		Cisco-AVPair = "shell:priv-lvl=15"

DEFAULT	Huntgroup-Name == VPN, Ldap-Group == Users
		Cisco-AVPair = "shell:priv-lvl=7"

See doc/processing_users_file and the sample entries in the users file
shipped with the distro (the first line holds the check items, the following
lines are reply attribute/value pairs).

The doc/aaa.txt file is very valuable as well.

> In addition, I'd like to determine how I can restrict access 
> to specific 
> groups through specific devices.
> 
> I'll be using both ldap and mysql for user info

See doc/rlm_ldap for ldap details.

HTH,
Thibault
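As an added example (not from the original thread), a huntgroups file and a users file that put the advice above together and also cover the second question of restricting a group to specific devices. The NAS addresses are constructed placeholders; the huntgroup and LDAP group names are taken from the thread, and rlm_ldap is assumed to be configured so that the Ldap-Group check item works:

```text
# raddb/huntgroups (read by rlm_preprocess): name each NAS by its address.
# The addresses below are constructed placeholders.
Aironet	NAS-IP-Address == 192.0.2.10
Aironet	NAS-IP-Address == 192.0.2.11
VPN	NAS-IP-Address == 192.0.2.20

# raddb/users: first line = check items, indented lines = reply items.
# Entries are tried in order; the first matching DEFAULT entry without
# Fall-Through ends processing, so the group-specific entries come first.

# Wireless: Cisco APs need all three tunnel attributes to assign a VLAN.
DEFAULT	Huntgroup-Name == Aironet, Ldap-Group == Managers
	Tunnel-Type = VLAN,
	Tunnel-Medium-Type = IEEE-802,
	Tunnel-Private-Group-Id = "100"

DEFAULT	Huntgroup-Name == Aironet, Ldap-Group == Users
	Tunnel-Type = VLAN,
	Tunnel-Medium-Type = IEEE-802,
	Tunnel-Private-Group-Id = "101"

# VPN concentrator: privilege level via Cisco-AVPair, no VLAN attributes.
DEFAULT	Huntgroup-Name == VPN, Ldap-Group == Managers
	Cisco-AVPair = "shell:priv-lvl=15"

DEFAULT	Huntgroup-Name == VPN, Ldap-Group == Users
	Cisco-AVPair = "shell:priv-lvl=7"

# Restricting groups to devices: a user who reached this point through the
# VPN device is in neither Managers nor Users, so reject explicitly instead
# of letting a later catch-all entry accept them.
DEFAULT	Huntgroup-Name == VPN, Auth-Type := Reject
	Reply-Message = "Your group is not allowed on this device"

# Same idea for the wireless huntgroup: no matching group, no access.
DEFAULT	Huntgroup-Name == Aironet, Auth-Type := Reject
	Reply-Message = "Your group is not allowed on this network"
```

With `radtest` against a NAS address from each huntgroup you can confirm that a Managers member gets the VLAN on the Aironet address and only the priv-lvl AVPair on the VPN address, while a user outside both groups is rejected on either.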
