Cisco VPN Server 3000 + Radius + LDAP = heeelp!!

Osvaldo Campos M. - Administrador Red STI ocampos at sti.uchile.cl
Tue Sep 9 00:06:07 CEST 2008


Hi people: 

First of all, sorry, but my English is not good.

I'm a newbie in FreeRadius and I am in a hurry with Cisco VPN Server 3000,
FreeRadius and LDAP, to permit VPN users' access.

When VPN users connect (with "Cisco VPN Client"), Radius consults LDAP to
check whether the user exists. If the user exists, they can connect to the VPN.
If not, they can't connect. This works well.

Now I should also assign IP addresses according to an LDAP attribute.
For example, if attribute==1 assign 10.0.0.10/24, if attribute==2 assign
10.0.0.20/24.

I tried to assign IP addresses with the "ippool module" and filters in the
"ldap module" in FreeRadius, but it doesn't work.

How can I work with many ippools according to the value of an LDAP
attribute? Where should I ask for the attribute value in order to assign
the corresponding ippool? Please help me with that.


My config is something like this:

In the radius.conf file...
ldap vpnldap1 {
    server = "x.x.x.x"
    identity = "cn=Directory Manager"
    password = **********
    basedn = "ou=People, dc=blah, dc=cl"
    filter = "(&(uid=%u)(attribute=1))"
    authtype = ldap
    set_auth_type = yes
}
ldap vpnldap2 {
    server = "x.x.x.x"
    identity = "cn=Directory Manager"
    password = **********
    basedn = "ou=People, dc=blah, dc=cl"
    filter = "(&(uid=%u)(attribute=2))"
    authtype = ldap
    set_auth_type = yes
}
....
authorize {
    files
    Autz-Type LDAPVPN1 {
        vpnldap1
    }
    Autz-Type LDAPVPN2 {
        vpnldap2
    }
}
....
authenticate {
    Auth-Type LDAPVPN1 {
        vpnldap1
    }
    Auth-Type LDAPVPN2 {
        vpnldap2
    }
}
....
ippool vpnusers1 {
    range-start    = 10.0.0.10
    range-stop    = 10.0.0.19
    netmask        = 255.255.255.0
    cache-size    = 10
    session-db    = ${raddbdir}/db.vpnusers1-session
    ip-index        = ${raddbdir}/db.vpnusers1-index
    override        = yes
}
....
ippool vpnusers2 {
    range-start    = 10.0.0.20
    range-stop    = 10.0.0.29
    netmask        = 255.255.255.0
    cache-size    = 10
    session-db    = ${raddbdir}/db.vpnusers2-session
    ip-index        = ${raddbdir}/db.vpnusers2-index
    override        = yes
}
....
In the users file...
(I don't know how to configure this file for several "ippools"... I think
that's where the problem is)

DEFAULT NAS-IP-Address == "y.y.y.y", Auth-Type := LDAPVPN1, Autz-Type := LDAPVPN1, Pool-Name := vpnusers1
DEFAULT NAS-IP-Address == "y.y.y.y", Auth-Type := LDAPVPN2, Autz-Type := LDAPVPN2, Pool-Name := vpnusers2
# y.y.y.y = address of VPN Server


In the ldap.attrmap...
checkItem    vpnusers1    attribute
checkItem    vpnusers2    attribute

Please help me with this config.

Thank you...

Osvaldo H. Campos Molina
Administrador de Red
STI - Univ. de Chile
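One way to do what the post asks, added here as an example and not part of the original message or of the FreeRADIUS project's own configuration. It assumes FreeRADIUS 2.x (so unlang is available), that the LDAP selector attribute is called `vpnPool` (the post only says "attribute"), and it keeps the post's `x.x.x.x` / `y.y.y.y` placeholders. Instead of one ldap instance per pool, a single ldap instance authorizes the user and the pool is chosen per request in `authorize` from the attribute value; `rlm_ippool` then compares the `Pool-Name` check item with each instance's own name and only the matching instance allocates an address.

```conf
# Added example, not from the original post: FreeRADIUS 2.x radiusd.conf fragment.
# Assumptions: attribute "vpnPool" holds 1 or 2; x.x.x.x / y.y.y.y are the
# placeholders used in the post; the server runs FreeRADIUS 2.x (unlang).

ldap {
    server   = "x.x.x.x"
    identity = "cn=Directory Manager"
    password = "**********"
    basedn   = "ou=People,dc=blah,dc=cl"
    # Plain user lookup; the pool selector is not part of the filter.
    filter   = "(uid=%{Stripped-User-Name:-%{User-Name}})"
    # Sets Auth-Type so the authenticate section below is used.
    set_auth_type = yes
}

ippool vpnusers1 {
    range-start = 10.0.0.10
    range-stop  = 10.0.0.19
    netmask     = 255.255.255.0
    cache-size  = 10
    session-db  = ${raddbdir}/db.vpnusers1-session
    ip-index    = ${raddbdir}/db.vpnusers1-index
    override    = yes
}

ippool vpnusers2 {
    range-start = 10.0.0.20
    range-stop  = 10.0.0.29
    netmask     = 255.255.255.0
    cache-size  = 10
    session-db  = ${raddbdir}/db.vpnusers2-session
    ip-index    = ${raddbdir}/db.vpnusers2-index
    override    = yes
}

authorize {
    preprocess
    ldap

    # Only choose a pool for requests coming from the VPN concentrator.
    if (NAS-IP-Address == "y.y.y.y") {
        # The ldap xlat returns the single requested attribute for this user.
        if ("%{ldap:ldap:///ou=People,dc=blah,dc=cl?vpnPool?sub?(uid=%{User-Name})}" == "1") {
            update control {
                Pool-Name := "vpnusers1"
            }
        }
        elsif ("%{ldap:ldap:///ou=People,dc=blah,dc=cl?vpnPool?sub?(uid=%{User-Name})}" == "2") {
            update control {
                Pool-Name := "vpnusers2"
            }
        }
        else {
            # Missing or unexpected selector: fail closed instead of handing
            # out an address from whichever pool happens to be listed first.
            reject
        }
    }
}

authenticate {
    Auth-Type LDAP {
        ldap
    }
}

post-auth {
    # Each instance checks control:Pool-Name against its own instance name
    # and returns noop when it does not match, so only the chosen pool allocates.
    vpnusers1
    vpnusers2
}

accounting {
    # Release the address back to the pool on Accounting-Stop.
    vpnusers1
    vpnusers2
}
```

Two things worth checking against the configuration in the post. First, the two `DEFAULT` entries in the `users` file both match on the same `NAS-IP-Address`, so the first entry always wins and the second is never evaluated unless the first carries `Fall-Through = Yes`; selecting the pool in `authorize` avoids that. Second, `cn=Directory Manager` is the directory's superuser; a dedicated read-only bind DN limited to `ou=People` is the usual choice for a RADIUS server, since its password sits in clear text in `radiusd.conf`.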



