Assuming you have your reply table set up properly the following
should
work:
id UserName Attribute Value op
1 test.user Class TestGroup ==
I've used this set up for 3 years with both Cisco 3000's and for the
past year with ASA 5000's and it works like a charm.
-----Original Message-----
From:
freeradius-users-bounces+chris.deramus=hq.doe.gov@lists.freeradius.org
[mailto:freeradius-users-bounces
+chris.deramus=hq.doe.gov@lists.freeradi
us.org] On Behalf Of Berndt Sevcik
Sent: Wednesday, February 21, 2007 8:03 AM
To: FreeRadius users mailing list
Subject: VPN and Group Policy
We are using a Cisco ASA Firewall for VPN access (lika a VPN3000).
The RADIUS server should authenticate our users and assign them a
group
policy. Somewhere I read that I have to send the CLASS attribute in
the
RADIUS reply to assign the grou policy to a user.
When I look at the debug output from the firewall I can see that the
attribut is sent to the firewall. Also the access accept packet is
received by the firewall.
Radius: Code = 2 (0x02)
Radius: Identifier = 17 (0x11)
Radius: Length = 88 (0x0058)
Radius: Vector: 2B9061A9AA15E08DA2F1FACCFFD012F7
Radius: Type = 25 (0x19) Class
Radius: Length = 16 (0x10)
Radius: Value (String) =
4f 55 3d 49 54 2d 53 65 72 76 69 63 65 3b | OU=IT-Service;
,,,,,
rad_procpkt: ACCEPT
RADIUS_ACCESS_ACCEPT: normal termination RADIUS_DELETE remove_req
0xf6d9874 session 0x208 id 17 free_rip 0xf6d9874
radius: send queue empty
Is there an other attribut so send back? Something special to know
about
freeRADIUS config? Has someone a working config ore some tipps for me?
Thanks in advance.
Berndt
-----------------------------------------
TGM - Die Schule der Technik
IT-Service
A-1200 Wien, Wexstr. 19-23
Tel. +43(1)33126/316 Fax: +43(1)33126/154
E-Mail: berndt.sevcik@tgm.ac.at
-----------------------------------------
-
List info/subscribe/unsubscribe? See
http://www.freeradius.org/list/users.html
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/
users.html