Cisco VPN Server 3000 + Radius + LDAP = heeelp!!

Osvaldo Campos M. - STI Network Administrator ocampos at sti.uchile.cl
Wed Sep 10 22:42:20 CEST 2008


Sorry, but I don't understand very well.

So that you understand our "scenario": we have an LDAP server with
users that are all in the same branch. All these users have the attribute
"PostOfficeBox". We will use this attribute as the group attribute (i.e.,
to tell the user types apart). For example, if
PostOfficeBox=00000001 then the user belongs to Sales, and if
PostOfficeBox=00000002 then the user belongs to Marketing.

So, what we need is to assign addresses to VPN users according to the
PostOfficeBox value.

My config in ldap.attrmap is something like this... (Is this what
you said??? Is it correct???)
    checkItem    $GENERIC$    radiusCheckItem
    replyItem    $GENERIC$    radiusReplyItem
    checkItem    vpnusers1    PostOfficeBox    # vpnusers1 and vpnusers2 are the ippools
    checkItem    vpnusers2    PostOfficeBox    # PostOfficeBox is the LDAP attribute

In the users file...
    # y.y.y.y = address of the VPN server; "==" is the comparison operator for a check item
    DEFAULT NAS-IP-Address == "y.y.y.y", Auth-Type := LDAPVPN1, Autz-Type := LDAPVPN1, Pool-Name := vpnusers1
    DEFAULT NAS-IP-Address == "y.y.y.y", Auth-Type := LDAPVPN2, Autz-Type := LDAPVPN2, Pool-Name := vpnusers2
 
In radius.conf
 ldap vpnldap1 {
   server   = "x.x.x.x"
   identity = "cn=Directory Manager"
   password = **********
   basedn   = "ou=People,dc=blah,dc=cl"
   filter   = "(&(uid=%u)(PostOfficeBox=00000001))"
   authtype = ldap
   set_auth_type = yes
 }
 ldap vpnldap2 {
   server   = "x.x.x.x"
   identity = "cn=Directory Manager"
   password = **********
   basedn   = "ou=People,dc=blah,dc=cl"
   filter   = "(&(uid=%u)(PostOfficeBox=00000002))"
   authtype = ldap
   set_auth_type = yes
 }
.... 
 authorize { 
   files 
   Autz-Type LDAPVPN1 { 
       vpnldap1 
   } 
   Autz-Type LDAPVPN2 { 
       vpnldap2 
   } 
} 
.... 
 authentication { 
   Auth-Type LDAPVPN1 { 
       vpnldap1 
   } 
   Auth-Type LDAPVPN2 { 
       vpnldap2 
   } 
} 
.... 
 ippool vpnusers1 { 
   range-start    = 10.0.0.10 
   range-stop    = 10.0.0.19 
   netmask        = 255.255.255.0 
   cache-size    = 10 
   session-db    = ${raddbdir}/db.vpnusers1-session 
   ip-index        = ${raddbdir}/db.vpnusers1-index 
   override        = yes 
} 
.... 
 ippool vpnusers2 { 
   range-start    = 10.0.0.20 
   range-stop    = 10.0.0.29 
   netmask        = 255.255.255.0 
   cache-size    = 10 
   session-db    = ${raddbdir}/db.vpnusers2-session 
   ip-index        = ${raddbdir}/db.vpnusers2-index 
   override        = yes 
} 
 
Please help me with this, because I don't know what's wrong in my
config.
 
Thanks so much.

Osvaldo H. Campos Molina
Network Administrator
STI - Univ. de Chile



tnt at kalik.net wrote:
> Add Pool-Name as check item with operator := to ldap.attrmap. Map it to
> something like radiusPool. Add radiusPool to user profile in ldap. Add
> value pool1 for radiusPool to those with attribute = 1 ...
>
> Ivan Kalik
> Kalik Informatika ISP
>
>   
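The approach Ivan describes, worked through as an added example (this is not configuration from the original post or from the FreeRADIUS project): keep one ldap instance, store the pool choice per user in the directory, and let each ippool instance allocate only when Pool-Name matches its own name. Instead of a dedicated radiusPool attribute it assumes the stock $GENERIC$ radiusCheckItem mapping already in the poster's ldap.attrmap and the radiusprofile object class; the DN, uid and pool names are placeholders.

```conf
# Added example, not the poster's config: one ldap instance, pool chosen per user.
#
# 1) Directory side. Each user entry carries the pool as a generic check item; the
#    "checkItem $GENERIC$ radiusCheckItem" line in ldap.attrmap turns it into a
#    Pool-Name check item on the request (radiusprofile schema assumed):
#
#    dn: uid=jdoe,ou=People,dc=blah,dc=cl      <- placeholder DN
#    objectClass: radiusprofile
#    uid: jdoe
#    postOfficeBox: 00000001
#    radiusCheckItem: Pool-Name := vpnusers1   <- Sales; Marketing users get vpnusers2
#
# 2) Server side. A single ldap module; PostOfficeBox no longer appears in the
#    filter, so the two DEFAULT entries in the users file are not needed.
ldap {
    server        = "x.x.x.x"
    identity      = "cn=Directory Manager"
    password      = **********
    basedn        = "ou=People,dc=blah,dc=cl"
    filter        = "(uid=%u)"
    dictionary_mapping = ${raddbdir}/ldap.attrmap
    set_auth_type = yes          # sets Auth-Type := LDAP once the user entry is found
}

# The two ippool instances stay exactly as posted above (10.0.0.10-19 and
# 10.0.0.20-29); each one allocates only when the request's Pool-Name check
# item equals its instance name and returns noop otherwise.
ippool vpnusers1 { ... }
ippool vpnusers2 { ... }

authorize {
    ldap                  # adds Pool-Name (and any other check/reply items) from LDAP
}

authenticate {
    Auth-Type LDAP {
        ldap              # binds to the directory as the user
    }
}

post-auth {
    vpnusers1             # noop unless Pool-Name == vpnusers1
    vpnusers2             # noop unless Pool-Name == vpnusers2
}
```

Run radiusd -X and authenticate a Sales and a Marketing test user: the debug output should show the Pool-Name check item arriving from the ldap module and the matching ippool instance handing out a Framed-IP-Address from its range.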
