cisco vpn authentication, freeradius and best practices

Elizabeth Steinke liz at twistedpair.cc
Sun Oct 19 23:03:24 CEST 2008


Fantastic!
Thanks so much. unlang looks pretty interesting. I'll need to do more
reading. Is there a book coming out on FreeRADIUS 2 soon? I've gotten a lot
of good info from the O'Reilly FreeRADIUS 1 book.

Thanks!
Liz


On Sun, Oct 19, 2008 at 11:17 AM, Alan DeKok <aland at deployingradius.com> wrote:

> Elizabeth Steinke wrote:
> > I tested this rule with radtest (making the necessary modifications) and
> > it worked fine.
> >
> > DEFAULT Huntgroup-Name = "vpn-pix",Ldap-Group = "CN=somevpn...",
> > Auth-Type := ntlm_auth_plaintext
> > DEFAULT Huntgroup-Name = "vpn-pix",Ldap-Group != "CN=somevpn...",
> > Auth-Type := Reject
>
>   Then it's fine.
>
> > Is it a good idea to force the auth-type in the users file? is there a
> > cleaner way to do this?
>
>   If it works... it's fine.
>
>  The big rants about not forcing Auth-Type are because of the people
> who force it without understanding the consequences... and then complain
> when it doesn't work.
>
> > While rewriting the rules file I am pairing accept and denies as above.
> > Is that necessary or will it turn out to be horribly inefficient?
>
>   It's good practice.  But doing all of those LDAP-Group queries can get
> expensive.  i.e. you're doing *two* queries instead of one.
>
>  You could fix this with "unlang":
>
>        if (Huntgroup-Name == "vpn-pix") {
>                if (LDAP-Group == ...) {
>                        update control {
>                                Auth-Type := ntlm_auth_plaintext
>                        }
>                }
>                else {
>                        reject
>                }
>        }
>
>  Only one LDAP-Group check is more efficient.
>
>  Alan DeKok.
> -
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html
>
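To show where the one-query policy from the reply above sits in a whole FreeRADIUS 2.x configuration, here is an added example written for this page; it is not code from the thread or from the FreeRADIUS project. The file names, the PIX address in huntgroups, the group DN, the Windows domain and the ntlm_auth command line are all assumptions for illustration, not the poster's real values.

```unlang
# Added example (not from the thread): the one-query unlang policy placed in
# a FreeRADIUS 2.x config.  File names, the NAS address, the group DN, the
# domain and the ntlm_auth path are assumptions for illustration.

# --- raddb/huntgroups ----------------------------------------------------
# The preprocess module sets Huntgroup-Name from this file.  The address of
# the PIX is hypothetical.
vpn-pix         NAS-IP-Address == 192.0.2.10

# --- raddb/modules/ntlm_auth ---------------------------------------------
# ntlm_auth run as an "exec" module.  It needs the clear-text User-Password
# from the request, which is why the Auth-Type below is named "_plaintext":
# this only works for PAP, not for MS-CHAP.  Domain and binary path are
# assumptions.
exec ntlm_auth {
        wait = yes
        program = "/usr/bin/ntlm_auth --request-nt-key --domain=EXAMPLE --username=%{mschap:User-Name} --password=%{User-Password}"
}

# --- raddb/sites-enabled/default -----------------------------------------
authorize {
        preprocess      # must run first: it fills in Huntgroup-Name from
                        # raddb/huntgroups.  Without it the "if" below never
                        # matches and VPN users silently fall through.
        ldap            # instantiates rlm_ldap so the Ldap-Group comparison
                        # below can run its group search.

        # VPN users: exactly one Ldap-Group comparison.  Members get the
        # ntlm_auth Auth-Type; everyone else is rejected with no second
        # LDAP query.  The DN is a placeholder, not the poster's real group.
        if (Huntgroup-Name == "vpn-pix") {
                if (Ldap-Group == "CN=vpn-users,OU=Groups,DC=example,DC=com") {
                        update control {
                                Auth-Type := ntlm_auth_plaintext
                        }
                }
                else {
                        reject
                }
        }

        # Requests from other huntgroups are untouched by the block above
        # and continue with whatever follows here (pap, files, ...).
}

authenticate {
        # The sub-section is named after the Auth-Type set in authorize and
        # is only entered when control:Auth-Type is ntlm_auth_plaintext.
        Auth-Type ntlm_auth_plaintext {
                ntlm_auth
        }
}
```

Two things worth checking after dropping this in: run `radiusd -X` and confirm the debug output shows `Huntgroup-Name = "vpn-pix"` being added by preprocess before the `if` is evaluated, and send one request for a user outside the group with `radtest` to confirm the reply is a single Access-Reject with only one LDAP group search in the log. With the paired users-file entries, the non-member case costs two group searches; with this policy it costs one.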