multiple radiusVSA in ldap.attrmap

François Mehault Francois.Mehault at netplus.fr
Fri Jun 12 12:24:24 CEST 2009


Hi,

I would like to have an "administrator" profile in my OpenLDAP which allows administrators to authenticate on Cisco and Foundry equipment and enter directly into Privileged EXEC level. So I read the VSA attributes in dictionary.foundry and dictionary.cisco. I created my profile in OpenLDAP, and I am logging in on my Cisco and looking at the reply log to see what is returned.

With this profile:

dn: cn=administrateur,ou=Profiles,dc=netplus,dc=fr
objectClass: radiusObjectProfile
objectClass: top
objectClass: radiusprofile
radiusServiceType: NAS-Prompt-User
cn: administrateur
radiusVSA: shell:priv-lvl=15
radiusReplyItem: "Foundry-Privilege-Level = 0"
radiusReplyItem: "Foundry-Command-String = *"
radiusReplyItem: "Foundry-Command-Exception-Flag = 0"
radiusReplyItem: "Foundry-INM-Privilege = 15"

+ in ldap.attrmap I add:

replyItem       $GENERIC$                       radiusReplyItem
[...]
replyItem       Cisco-AVPair                    radiusVSA


I see in my log:

Fri Jun 12 12:01:07 2009
        Packet-Type = Access-Accept
        Reply-Message = "Utilisateur: fmehault, group: Administrateur"
        Cisco-AVPair = "shell:priv-lvl=15"
        Service-Type = NAS-Prompt-User


With this profile:

dn: cn=administrateur,ou=Profiles,dc=netplus,dc=fr
objectClass: radiusObjectProfile
objectClass: top
objectClass: radiusprofile
radiusServiceType: NAS-Prompt-User
cn: administrateur
radiusVSA: shell:priv-lvl=15
radiusVSA: 0
radiusVSA: 15

+ in ldap.attrmap I add:

replyItem       Cisco-AVPair                    radiusVSA
replyItem       Foundry-Privilege-Level         radiusVSA
replyItem       Foundry-INM-Privilege           radiusVSA

I see in my log:

Fri Jun 12 12:14:49 2009
        Packet-Type = Access-Accept
        Reply-Message = "Utilisateur: fmehault, group: Administrateur"
        Foundry-INM-Privilege = AAA_pri_15
        Foundry-Privilege-Level = 15
        Cisco-AVPair = "shell:priv-lvl=15"
        Service-Type = NAS-Prompt-User

I don't succeed in giving the right value to each attribute with OpenLDAP, ldap.attrmap, radiusVSA ... In addition, I can't have two radiusVSA attributes with the same value in OpenLDAP.
So I would like to know if it is possible to have just one profile with several attributes for different vendors (Foundry, Cisco, Fortinet ...), or whether I have to create a profile administratorCisco, administratorFoundry, ...

Thanks for your help in advance

Regards,

François Mehault
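The following is an added illustration, not part of the original post and not FreeRADIUS's own code. It models, in simplified form, the two ldap.attrmap styles shown in the post: mapping several RADIUS reply attributes onto one multi-valued LDAP attribute (radiusVSA), versus a `$GENERIC$` mapping where each LDAP value (radiusReplyItem) carries its own "Attribute = value" string. The mapping semantics in `build_reply`, the attrmap excerpts, the LDIF fragments and the dc=example,dc=org base are all constructed assumptions for the example; the real server's tie-breaking for the multi-valued case (visible in the poster's log) is not reproduced here. The structural point holds regardless: a specific mapping has no way to tell which radiusVSA value belongs to which vendor attribute, while a generic item names the attribute itself.

```python
"""Constructed model of how an ldap.attrmap turns LDAP profile attributes
into RADIUS reply items.  Added example, not FreeRADIUS code; the mapping
semantics below are assumptions made for illustration only.
"""
import re
from collections import defaultdict

# Constructed ldap.attrmap excerpts in the three-column format from the post:
#   <list>  <RADIUS attribute>  <LDAP attribute>
ATTRMAP_SPECIFIC = """
replyItem  Cisco-AVPair             radiusVSA
replyItem  Foundry-Privilege-Level  radiusVSA
replyItem  Foundry-INM-Privilege    radiusVSA
"""

ATTRMAP_GENERIC = """
replyItem  $GENERIC$     radiusReplyItem
replyItem  Cisco-AVPair  radiusVSA
"""

# Constructed LDIF profile entries (sample data, hypothetical base DN).
PROFILE_SPECIFIC = """
dn: cn=administrateur,ou=Profiles,dc=example,dc=org
radiusVSA: shell:priv-lvl=15
radiusVSA: 0
radiusVSA: 15
"""

PROFILE_GENERIC = """
dn: cn=administrateur,ou=Profiles,dc=example,dc=org
radiusVSA: shell:priv-lvl=15
radiusReplyItem: "Foundry-Privilege-Level = 0"
radiusReplyItem: "Foundry-INM-Privilege = 15"
"""


def parse_attrmap(text):
    """Return a list of (list_name, radius_attr, ldap_attr) tuples."""
    rows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith('#'):
            continue
        parts = line.split()
        if len(parts) != 3:
            raise ValueError(f"malformed attrmap line: {line!r}")
        rows.append(tuple(parts))
    return rows


def parse_ldif(text):
    """Return {ldap_attr: [values]}; multi-valued attributes keep every value."""
    entry = defaultdict(list)
    for line in text.splitlines():
        if ':' not in line:
            continue
        name, _, value = line.partition(':')   # split on the first colon only
        entry[name.strip()].append(value.strip())
    return dict(entry)


# Matches an optionally quoted 'Attribute = value' generic reply item.
GENERIC_RE = re.compile(r'^"?\s*([A-Za-z0-9-]+)\s*=\s*(.*?)\s*"?$')


def build_reply(attrmap, entry):
    """Produce the RADIUS reply list [(attr, value), ...].

    Assumed semantics: a specific mapping emits one reply item per LDAP value,
    so every value of a multi-valued LDAP attribute is offered to every RADIUS
    attribute mapped onto it.  A $GENERIC$ mapping expects each LDAP value to
    read 'Attribute = value' and takes the RADIUS attribute name from the value.
    """
    reply = []
    for list_name, radius_attr, ldap_attr in attrmap:
        if list_name != 'replyItem':
            continue
        for value in entry.get(ldap_attr, []):
            if radius_attr == '$GENERIC$':
                m = GENERIC_RE.match(value)
                if not m:
                    raise ValueError(f"generic item is not 'Attr = value': {value!r}")
                reply.append((m.group(1), m.group(2)))
            else:
                reply.append((radius_attr, value))
    return reply


def ambiguous_attributes(reply):
    """RADIUS attributes that would be sent with more than one distinct value."""
    seen = defaultdict(set)
    for attr, value in reply:
        seen[attr].add(value)
    return sorted(a for a, vals in seen.items() if len(vals) > 1)


if __name__ == '__main__':
    for label, amap, prof in (('specific', ATTRMAP_SPECIFIC, PROFILE_SPECIFIC),
                              ('generic', ATTRMAP_GENERIC, PROFILE_GENERIC)):
        reply = build_reply(parse_attrmap(amap), parse_ldif(prof))
        print(label, reply, 'ambiguous:', ambiguous_attributes(reply))
```

Running it shows the specific mapping producing every radiusVSA value for every mapped vendor attribute, so all three attributes end up ambiguous, while the generic mapping yields exactly one well-defined value per attribute. Because these values decide the privilege level a network device grants (priv-lvl=15 is full privilege), an unambiguous mapping is the safer way to keep one multi-vendor profile.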

