Cisco VPN Server 3000 + Radius + LDAP = heeelp!!

flusione at gmx.de
Wed Sep 10 14:29:50 CEST 2008


Hi Osvalo,

I had the same problems as you, but I would use a MySQL database.
First: a Cisco VPN 3000 knows 2 different ways to authenticate a user:
the user group, which defines the standard behavior for a user,
and the user itself, where you can change the behaviors of the group.

It's not possible to create a group outside of the VPN gateway. In that case, you can only use a group for all users.

Ronald Bruska



-------- Original message --------
> Date: Tue, 09 Sep 2008 17:19:16 -0400
> From: "Osvaldo Campos M. - Administrador Red STI" <ocampos at sti.uchile.cl>
> To: Leonardo Reginin <leonardo at procergs.rs.gov.br>
> CC: FreeRadius users mailing list <freeradius-users at lists.freeradius.org>
> Subject: Re: Cisco VPN Server 3000 + Radius + LDAP = heeelp!!

> Hi...
> 
> Thanks for your answer Leonardo but, if I define the groups in the Cisco 
> VPN Server, it will be enough to know the password of another defined 
> group to obtain an address from a group to which I don't really 
> belong. I.e., if a Sales user knows the password of the Development group, he 
> can receive a Development address. 
>     
> For this reason I should assign the address according to the 
> value of the LDAP attribute, because this value identifies the user's type 
> and, therefore, the address that he should have.
> 
> Any other ideas for this, please?
> 
> Osvaldo H. Campos Molina
> Network Administrator
> STI - Univ. de Chile
> 
> 
> 
> Leonardo Reginin wrote:
> > If I understood what you need ...
> >
> > Using Cisco VPN Client, you can define "Groups" in the Cisco 
> > Concentrator ...
> >
> > Configuration -> User Management -> Groups
> >
> > ... and assign an "Address Pool" to each group. According to the Group 
> > used in the Cisco VPN Client, the user will receive an IP address 
> > from a different Address Pool.
> >
> > Create the Group and after that create the Address Pool
> >
> > Configuration -> User Management -> Groups -> Address Pools
> >
> > Best Regards,
> >
> > Leonardo
> >
> > Osvaldo Campos M. - Administrador Red STI wrote:
> >> Hi people:
> >> First of all, sorry but my English is not good.
> >>
> >> I'm a newbie in FreeRadius and I am in a hurry with Cisco VPN Server 
> >> 3000, FreeRadius and LDAP, to permit VPN users' access.
> >> When VPN users connect (with "Cisco VPN Client"), Radius consults 
> >> LDAP to see if the user exists. If it exists, the user can connect to the VPN. If not, 
> >> it can't connect. This works well.
> >> Now I should also assign IP addresses according to an LDAP 
> >> attribute. For example, if attribute==1 assign 10.0.0.10/24, if 
> >> attribute==2 assign 10.0.0.20/24.
> >> I tried to assign IP addresses with the "ippool module" and filters in the 
> >> "ldap module" in FreeRadius, but it doesn't work.
> >> How can I work with many ippools according to the value of an LDAP 
> >> attribute? Where should I ask for the attribute value in order to 
> >> assign the corresponding ippool? Please, help me with that.
> >>
> >>
> >> My config is something like this:
> >> In the radius.conf file...
> >> ldap vpnldap1 {
> >>    server = "x.x.x.x"
> >>    identity = "cn=Directory Manager"
> >>    password = **********
> >>    basedn = "ou=People, dc=blah, dc=cl"
> >>    filter = "(&(uid=%u)(attribute=1))"
> >>    authtype = ldap
> >>    set_auth_type = yes
> >> }
> >> ldap vpnldap2 {
> >>    server = "x.x.x.x"
> >>    identity = "cn=Directory Manager"
> >>    password = **********
> >>    basedn = "ou=People, dc=blah, dc=cl"
> >>    filter = "(&(uid=%u)(attribute=2))"
> >>    authtype = ldap
> >>    set_auth_type = yes
> >> }
> >> ....
> >> authorize {
> >>    files
> >>    Autz-Type LDAPVPN1 {
> >>        vpnldap1
> >>    }
> >>    Autz-Type LDAPVPN2 {
> >>        vpnldap2
> >>    }
> >> }
> >> ....
> >> authentication {
> >>    Auth-Type LDAPVPN1 {
> >>        vpnldap1
> >>    }
> >>    Auth-Type LDAPVPN2 {
> >>        vpnldap2
> >>    }
> >> }
> >> ....
> >> ippool vpnusers1 {
> >>    range-start    = 10.0.0.10
> >>    range-stop    = 10.0.0.19
> >>    netmask        = 255.255.255.0
> >>    cache-size    = 10
> >>    session-db    = ${raddbdir}/db.vpnusers1-session
> >>    ip-index        = ${raddbdir}/db.vpnusers1-index
> >>    override        = yes
> >> }
> >> ....
> >> ippool vpnusers2 {
> >>    range-start    = 10.0.0.20
> >>    range-stop    = 10.0.0.29
> >>    netmask        = 255.255.255.0
> >>    cache-size    = 10
> >>    session-db    = ${raddbdir}/db.vpnusers2-session
> >>    ip-index        = ${raddbdir}/db.vpnusers2-index
> >>    override        = yes
> >> }
> >> ....
> >> In the users file...
> >> (I don't know how to configure this file for several "ippools".... I 
> >> think that the problem is here)
> >>
> >> DEFAULT NAS-IP-Address = "y.y.y.y", Auth-Type :=LDAPVPN1, AUTZ-Type 
> >> :=LDAPVPN1, Pool-Name :=vpnusers1
> >> DEFAULT NAS-IP-Address = "y.y.y.y", Auth-Type :=LDAPVPN2, AUTZ-Type 
> >> :=LDAPVPN2, Pool-Name :=vpnusers2
> >> # y.y.y.y= address of VPN Server
> >>
> >>
> >> In the ldap.attrmap...
> >> checkItem    vpnusers1    attribute
> >> checkItem    vpnusers2    attribute
> >>
> >> Please, help me with this config.
> >>
> >> Thank you...
> >>
> >> Osvaldo H. Campos Molina
> >> Network Administrator
> >> STI - Univ. de Chile
> >>
> >> -
> >> List info/subscribe/unsubscribe? See 
> >> http://www.freeradius.org/list/users.html
> >>
> >
> >
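The thread's security concern is that a VPN group password is a shared secret, so a user who learns another group's password can claim that group's address pool. The following is an added, stand-alone Python simulation written for this page (it is not FreeRADIUS code, not the Cisco concentrator's behaviour, and not part of the original mails) that shows the policy Osvaldo asks for: the pool is chosen from the user's directory attribute, and the group the client presents is only checked against that result. The pool ranges mirror the two ippool definitions quoted above; the directory entries, the group names "Sales" and "Development", and the attribute-to-pool policy are constructed for the example.

```python
"""Added illustration: choose the VPN address pool from a directory attribute, not from
the group name the client presents.  Stand-alone simulation, not FreeRADIUS code."""
import ipaddress

# Constructed pools mirroring the two ippool ranges quoted in the thread.
POOL_RANGES = {
    "vpnusers1": ("10.0.0.10", "10.0.0.19"),
    "vpnusers2": ("10.0.0.20", "10.0.0.29"),
}

# Constructed policy: directory attribute value -> (expected VPN group, pool name).
ATTRIBUTE_POLICY = {
    1: ("Sales", "vpnusers1"),
    2: ("Development", "vpnusers2"),
}

# Constructed directory entries: uid -> attribute value.  "carol" carries a value
# that no policy line covers, which must lead to a reject rather than a default pool.
DIRECTORY = {"alice": 1, "bob": 2, "carol": 3}


class AddressPool:
    """Minimal lease table: the lowest free address is handed out, and a repeat
    authorization for the same uid returns the existing lease."""

    def __init__(self, name, start, stop):
        self.name = name
        first = int(ipaddress.IPv4Address(start))
        last = int(ipaddress.IPv4Address(stop))
        self.free = [str(ipaddress.IPv4Address(i)) for i in range(first, last + 1)]
        self.leases = {}

    def allocate(self, uid):
        if uid in self.leases:
            return self.leases[uid]
        if not self.free:
            return None  # pool exhausted: the caller must reject, never fall back
        addr = self.free.pop(0)
        self.leases[uid] = addr
        return addr

    def release(self, uid):
        addr = self.leases.pop(uid, None)
        if addr is not None:
            self.free.append(addr)
        return addr


POOLS = {name: AddressPool(name, *bounds) for name, bounds in POOL_RANGES.items()}


def _reject(reason):
    return {"accept": False, "pool": None, "address": None, "reason": reason}


def authorize(uid, claimed_group):
    """Return the access decision for one connection attempt.

    The pool is derived solely from the user's directory attribute.  The group the
    client presented is only compared against that result, so a user who learned
    another group's shared password still cannot obtain that group's addresses.
    """
    value = DIRECTORY.get(uid)
    if value is None:
        return _reject("unknown user")
    policy = ATTRIBUTE_POLICY.get(value)
    if policy is None:
        return _reject("no pool policy for attribute value %d" % value)
    expected_group, pool_name = policy
    if claimed_group != expected_group:
        return _reject("claimed group %s does not match directory group %s"
                       % (claimed_group, expected_group))
    address = POOLS[pool_name].allocate(uid)
    if address is None:
        return _reject("pool %s exhausted" % pool_name)
    return {"accept": True, "pool": pool_name, "address": address, "reason": "ok"}


if __name__ == "__main__":
    for uid, group in [("alice", "Sales"), ("bob", "Sales"), ("bob", "Development"),
                       ("carol", "Sales"), ("dave", "Development")]:
        print(uid, group, authorize(uid, group))
```

The important design choice is that every path that cannot map the directory attribute to a pool (unknown user, unexpected attribute value, exhausted pool) ends in a reject; silently handing out an address from a default pool would reintroduce exactly the cross-group access the thread is worried about.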


