Cisco AV-PAIRS

Guy Davies aguydavies at gmail.com
Tue Feb 19 13:31:28 CET 2008


I was wondering the same thing :-)

On the subject of getting the attributes from LDAP, the Cisco AV pairs
are just another AV Pair.  Sure, Cisco have broken their AVs up with
sub-AVs, but it's still just passing a value back from LDAP and
manipulating the format so that it is placed correctly into the
correct AV.

The priv-level (as you have clearly worked out) is presented as...

Cisco-AV-Pair=priv-level=<value>

<value> = 0 to 15

If you have an attribute in your LDAP schema that is called
Cisco-AV-Pair and it contains the string "priv-level=15", then you
should be able to return that attribute and map it to the contents of
the Cisco-AV-Pair RADIUS attribute.

I don't *think* it's any different to mapping any other string based AV Pair.

Rgds,

Guy

On 19/02/2008, Ivan Kalik <tnt at kalik.net> wrote:
> And why do you have the password in two locations? If you store it in LDAP
> you don't need it in the users file and vice versa.
>
> Ivan Kalik
> Kalik Informatika ISP
>
>
> On 19/2/2008, "David W Bell" <david at chaoscrypt.com> wrote:
>
> >Hi there.
> >
> >My Saga continues....
> >
> >I have freeRADIUS working with openLDAP and can log into CISCO kit and
> >pass the priv-level from the raddb/users file.
> >
> >Is there any way that this information can be passed from the openLDAP
> >user details instead?
> >
> >I am looking to do a single sign-on system and it seems a little awkward
> >to have to change a password (as is required in the users file) in 2
> >locations.
> >
> >Thanks
> >
> >David
> >-
> >List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
> >
> >
>
>
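To make Guy's point concrete, here is an added example (my own toy model of what the mapping does, not rlm_ldap code and not anything posted in this thread). In FreeRADIUS 1.x/2.x the real mapping is a single replyItem line in raddb/ldap.attrmap that pairs the RADIUS attribute name from dictionary.cisco, Cisco-AVPair, with whatever LDAP attribute holds the string; radiusCiscoAVPair below is an assumed LDAP attribute name that your schema must actually define, and the user entries are constructed sample data. The model also validates the privilege-level sub-AV, accepting both the bare priv-level=N spelling used above and the shell:priv-lvl=N form that Cisco IOS documents, and rejecting anything outside 0..15: once the level is sourced from the directory, a malformed or out-of-range LDAP value becomes an authorization decision on the router, so it is worth auditing the directory before cutting over from the users file.

```python
import re

# Toy stand-in for a raddb/ldap.attrmap "replyItem" line:
# RADIUS reply attribute -> LDAP attribute supplying its value(s).
# "radiusCiscoAVPair" is an assumed LDAP attribute name, not a standard one.
ATTRMAP = {
    "Cisco-AVPair": "radiusCiscoAVPair",
    "Service-Type": "radiusServiceType",
}

# Constructed sample LDAP entries (what rlm_ldap would read back); not real users.
LDAP_ENTRIES = {
    "david": {
        "uid": ["david"],
        "radiusServiceType": ["NAS-Prompt-User"],
        "radiusCiscoAVPair": ["shell:priv-lvl=15"],
    },
    "ops-readonly": {
        "uid": ["ops-readonly"],
        "radiusCiscoAVPair": ["priv-level=1"],
    },
    "broken": {
        "uid": ["broken"],
        # out of range, and non-numeric: both must be caught before they reach a router
        "radiusCiscoAVPair": ["priv-level=99", "shell:priv-lvl=abc"],
    },
}

# Optional "proto:" prefix (Cisco's shell:priv-lvl=N) or the bare priv-level=N form.
_PRIV_RE = re.compile(
    r"^(?:(?P<proto>[a-z]+):)?(?P<key>priv-lvl|priv-level)=(?P<val>[^=]+)$"
)


def build_reply(entry, attrmap=ATTRMAP):
    """Apply the attribute map: every value of a mapped LDAP attribute becomes
    one instance of the corresponding RADIUS reply attribute.  A multi-valued
    LDAP attribute therefore yields several Cisco-AVPair instances, which is
    how several Cisco sub-AVs are normally sent."""
    reply = []
    for radius_attr, ldap_attr in attrmap.items():
        for value in entry.get(ldap_attr, []):
            reply.append((radius_attr, value))
    return reply


def parse_priv_level(avpair):
    """Return the privilege level (0..15) carried by one Cisco-AVPair string.
    Raises ValueError for anything that is not a well-formed priv-level pair."""
    m = _PRIV_RE.match(avpair)
    if not m:
        raise ValueError(f"not a privilege-level AV pair: {avpair!r}")
    try:
        level = int(m.group("val"), 10)
    except ValueError:
        raise ValueError(f"non-numeric privilege level in {avpair!r}") from None
    if not 0 <= level <= 15:
        raise ValueError(f"privilege level {level} outside 0..15 in {avpair!r}")
    return level


def check_priv_levels(reply):
    """Inspect the Cisco-AVPair values of a reply.  Returns (levels, errors):
    the valid privilege levels found, and one error string per rejected value.
    Cisco AV pairs that are not about privilege level are ignored."""
    levels, errors = [], []
    for attr, value in reply:
        if attr != "Cisco-AVPair":
            continue
        if "priv-lvl" not in value and "priv-level" not in value:
            continue  # some other sub-AV (an ACL, a timeout, ...), not our concern
        try:
            levels.append(parse_priv_level(value))
        except ValueError as e:
            errors.append(str(e))
    return levels, errors


def audit_directory(entries=LDAP_ENTRIES):
    """Run the check over every entry, as one would before trusting the
    directory as the sole source of priv-level.  Returns {uid: [errors]}
    for entries that would hand the router a bad value."""
    problems = {}
    for uid, entry in entries.items():
        _, errors = check_priv_levels(build_reply(entry))
        if errors:
            problems[uid] = errors
    return problems


if __name__ == "__main__":
    for uid, entry in LDAP_ENTRIES.items():
        reply = build_reply(entry)
        print(uid, reply, check_priv_levels(reply))
    print("entries needing attention:", audit_directory())
```

In the real setup the equivalent of build_reply is done by rlm_ldap from the attrmap line, so the only part you would actually run is the audit: point it at an ldapsearch dump of the attribute and fix the entries it flags before removing the priv-level from raddb/users.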