Cisco VPN Server 3000 + Radius + LDAP = heeelp!!

Osvaldo Campos M. - Administrador Red STI ocampos at sti.uchile.cl
Tue Sep 9 23:19:16 CEST 2008


Hi...

Thanks for your answer Leonardo, but if I define the groups in the Cisco 
VPN Server, it would be enough to know the password of another defined 
group to obtain an address from a group to which I don't really 
belong. I.e., if a Sales user knows the password of the Development group, 
he can receive a Development address. 
    
For this reason I should assign the address according to the 
value of the LDAP attribute, because this value identifies the user's type 
and, therefore, the address they should have.

Any other ideas for this, please?

Osvaldo H. Campos Molina
Administrador de Red
STI - Univ. de Chile



Leonardo Reginin wrote:
> If I understood what you need ...
>
> Using Cisco VPN Client, you can define "Groups" in the Cisco 
> Concentrator ...
>
> Configuration -> User Management -> Groups
>
> ... and assign an "Address Pool" to each group. According to the Group 
> used in the Cisco VPN Client, the user will receive an IP address 
> from a different Address Pool.
>
> Create the Group and upon that create the Address Pool
>
> Configuration -> User Management -> Groups -> Address Pools
>
> Best Regards,
>
> Leonardo
>
> Osvaldo Campos M. - Administrador Red STI wrote:
>> Hi people:
>> First of all, sorry but my English is not good.
>>
>> I'm a newbie in FreeRadius and I am in a hurry with Cisco VPN Server 
>> 3000, FreeRadius and LDAP, to permit VPN users' access.
>> When VPN users connect (with "Cisco VPN Client"), Radius consults 
>> LDAP to check whether the user exists. If so, the user can connect to the VPN. If not, 
>> they can't connect. This works well.
>> Now I should also assign IP addresses according to an LDAP 
>> attribute. For example, if attribute==1 assign 10.0.0.10/24, if 
>> attribute==2 assign 10.0.0.20/24.
>> I tried to assign IP addresses with the "ippool module" and filters in the 
>> "ldap module" in FreeRadius, but it doesn't work.
>> How can I work with many ippools according to the value of an LDAP 
>> attribute? Where should I ask for the attribute value in order to 
>> assign the corresponding ippool? Please, help me with that.
>>
>>
>> My config is something like this:
>> In the radius.conf file...
>> ldap vpnldap1 {
>>    server = "x.x.x.x"
>>    identity = "cn=Directory Manager"
>>    password = **********
>>    basedn = "ou=People, dc=blah, dc=cl"
>>    filter = "(&(uid=%u)(attribute=1))"
>>    authtype = ldap
>>    set_auth_type = yes
>> }
>> ldap vpnldap2 {
>>    server = "x.x.x.x"
>>    identity = "cn=Directory Manager"
>>    password = **********
>>    basedn = "ou=People, dc=blah, dc=cl"
>>    filter = "(&(uid=%u)(attribute=2))"
>>    authtype = ldap
>>    set_auth_type = yes
>> }
>> ....
>> authorize {
>>    files
>>    Autz-Type LDAPVPN1 {
>>        vpnldap1
>>    }
>>    Autz-Type LDAPVPN2 {
>>        vpnldap2
>>    }
>> }
>> ....
>> authentication {
>>    Auth-Type LDAPVPN1 {
>>        vpnldap1
>>    }
>>    Auth-Type LDAPVPN2 {
>>        vpnldap2
>>    }
>> }
>> ....
>> ippool vpnusers1 {
>>    range-start    = 10.0.0.10
>>    range-stop    = 10.0.0.19
>>    netmask        = 255.255.255.0
>>    cache-size    = 10
>>    session-db    = ${raddbdir}/db.vpnusers1-session
>>    ip-index        = ${raddbdir}/db.vpnusers1-index
>>    override        = yes
>> }
>> ....
>> ippool vpnusers2 {
>>    range-start    = 10.0.0.20
>>    range-stop    = 10.0.0.29
>>    netmask        = 255.255.255.0
>>    cache-size    = 10
>>    session-db    = ${raddbdir}/db.vpnusers2-session
>>    ip-index        = ${raddbdir}/db.vpnusers2-index
>>    override        = yes
>> }
>> ....
>> In the user file...
>> (I don't know how to configure this file for several "ippools".... I 
>> think that here's the problem)
>>
>> DEFAULT NAS-IP-Address = "y.y.y.y", Auth-Type :=LDAPVPN1, AUTZ-Type 
>> :=LDAPVPN1, Pool-Name :=vpnusers1
>> DEFAULT NAS-IP-Address = "y.y.y.y", Auth-Type :=LDAPVPN2, AUTZ-Type 
>> :=LDAPVPN2, Pool-Name :=vpnusers2
>> # y.y.y.y= address of VPN Server
>>
>>
>> In the ldap.attrmap...
>> checkItem    vpnusers1    attribute
>> checkItem    vpnusers2    attribute
>>
>> Please, help me with this config.
>>
>> Thank you...
>>
>> Osvaldo H. Campos Molina
>> Administrador de Red
>> STI - Univ. de Chile
>>
>> -
>> List info/subscribe/unsubscribe? See 
>> http://www.freeradius.org/list/users.html
>>
>
>
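The policy Osvaldo is arguing for, as an added example that is not part of the thread and not FreeRADIUS code: the address pool is chosen only from the user's LDAP attribute, and the Cisco group the client presents is ignored for that decision. It uses the pool ranges and attribute values from the original post; the directory entries, user names and the attribute name "attribute" are constructed sample data.

```python
import ipaddress

# Pools exactly as posted in the thread (range-start .. range-stop, /24 mask).
POOLS = {
    "vpnusers1": ("10.0.0.10", "10.0.0.19"),
    "vpnusers2": ("10.0.0.20", "10.0.0.29"),
}
NETMASK = "255.255.255.0"

# Authoritative mapping: LDAP attribute value -> Pool-Name (values from the thread).
ATTRIBUTE_TO_POOL = {"1": "vpnusers1", "2": "vpnusers2"}

# Constructed sample directory; "attribute" stands in for the real LDAP attribute.
LDAP = {
    "alice": {"attribute": "1"},   # a Sales user
    "bob":   {"attribute": "2"},   # a Development user
    "carol": {},                   # attribute missing: no pool, must be rejected
}

def select_pool(username, client_group):
    """Return the Pool-Name for username, or None to reject.

    client_group is the Cisco group the VPN Client presented. It takes no part
    in the decision, so knowing another group's password yields nothing here.
    """
    entry = LDAP.get(username)
    if entry is None:
        return None
    return ATTRIBUTE_TO_POOL.get(entry.get("attribute"))

def allocate(pool_name, leases):
    """Hand out the lowest free address in pool_name, or None if exhausted.

    leases maps pool name -> set of addresses in use (the ippool session-db role).
    """
    start, stop = (int(ipaddress.ip_address(a)) for a in POOLS[pool_name])
    used = leases.setdefault(pool_name, set())
    for n in range(start, stop + 1):
        host = str(ipaddress.ip_address(n))
        if host not in used:
            used.add(host)
            return host
    return None

def handle_request(username, client_group, leases):
    """Whole decision: Access-Accept with Framed-IP-* reply items, or Access-Reject."""
    pool = select_pool(username, client_group)
    addr = allocate(pool, leases) if pool else None
    if addr is None:   # unknown user, missing attribute, or pool exhausted
        return {"code": "Access-Reject"}
    return {"code": "Access-Accept", "Pool-Name": pool,
            "Framed-IP-Address": addr, "Framed-IP-Netmask": NETMASK}
```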



More information about the Freeradius-Users mailing list