freeradius and Cisco VPN IPSEC profiles authentication

Phil Mayers p.mayers at imperial.ac.uk
Thu Nov 4 16:35:44 CET 2010


On 04/11/10 15:25, Jevos, Peter wrote:
>
> On 04/11/10 10:41, Jevos, Peter wrote:
>> DEFAULT Auth-Type := ntlm_auth_vpn, NAS-IP-Address == 10.1.1.252
>>                 Tunnel-Type = "ESP",
>>                 Tunnel-Private-Group-ID = "Group1",
>>                 Tunnel-Password = "cisco",
>>                 Cisco-Avpair="ipsec:dns-servers=10.1.1.6 10.1.1.7",
>>                 Cisco-Avpair="ipsec:addr-pool=vpn_pool",
>
> This is wrong; you want:
>
> Cisco-AVpair += "2nd:attribute"
>
> This is documented in the manpage and docs.
> -
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html
>
> Thank you, it helped, but it still doesn't work as I wished:
>
> All I need is:
>   When a request comes from 10.1.1.252 and Tunnel-Private-Group-ID =
> "Group1", use authentication ntlm_auth_vpn and send back the Cisco-AVPairs
> (ipsec values)
>   When a request comes from wherever and Tunnel-Private-Group-ID is
> whatever, use authentication vpn_auth_name, and that's it
>
> My current settings are:
>
> DEFAULT         Auth-Type := ntlm_auth_vpn, NAS-IP-Address == 10.1.1.252, Tunnel-Private-Group-ID == "Group1"
>                 Tunnel-Type = "ESP",
>                 Tunnel-Private-Group-ID = "Group1",
>                 Tunnel-Password = "cisco",
>                 Cisco-Avpair="ipsec:dns-servers=10.1.1.6 10.1.1.7",
>                 Cisco-Avpair="ipsec:addr-pool=vpn_pool",
>                 Cisco-Avpair="ipsec:inacl=101",
>                 Cisco-Avpair="ipsec:key-exchange=ike",
>                 Cisco-Avpair="ipsec:key-exchange=preshared-key",
>                 Service-Type = Framed-User,
>                 Framed-Protocol = PPP,
>                 Fall-Through = Yes

You've set Fall-Through here - so your Auth-Type will be overwritten by 
the 2nd entry:

>
>
> DEFAULT        Auth-Type := vpn_auth_name,
>                 Service-Type = Framed-User,
>                 Framed-Protocol = PPP,
>

Remove the Fall-Through.
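For reference, here is what the two entries look like once both points raised in this thread are applied (the `+=` operator for the repeated Cisco-AVPair, and no Fall-Through on the specific entry). This is an added example written for this page, not a config from the original posts; the addresses, group name, pool name, ACL number and the two Auth-Type names are assumed from the thread, and the Tunnel-Password "cisco" is the IKE pre-shared key the VPN device will use, so it is only a placeholder.

```text
#
# raddb/users (FreeRADIUS "files" module), added example.
#
# Entries are tried top to bottom. The first entry whose check items all
# match is used and processing stops there, unless that entry sets
# Fall-Through = Yes. The specific entry therefore goes first and must
# not fall through, or the catch-all's "Auth-Type := vpn_auth_name"
# replaces the Auth-Type set here.
#
# Reply-item operators:
#   =   add the attribute only if no attribute of that name is in the
#       reply yet (five "Cisco-AVPair = ..." lines keep only the first)
#   +=  append another instance, which is what several AV pairs need
#   :=  set, replacing any existing instance
#
# All check items must sit on the one DEFAULT line, comma separated.
# NAS-IP-Address compares the attribute the NAS puts in the packet, not
# the packet's source address; if your device does not send it, use
# Packet-Src-IP-Address == 10.1.1.252 instead.
#
# Specific entry: this NAS, this group, no Fall-Through.
DEFAULT	Auth-Type := ntlm_auth_vpn, NAS-IP-Address == 10.1.1.252, Tunnel-Private-Group-ID == "Group1"
	Tunnel-Type = "ESP",
	Tunnel-Private-Group-ID = "Group1",
	Tunnel-Password = "cisco",
	Cisco-AVPair += "ipsec:dns-servers=10.1.1.6 10.1.1.7",
	Cisco-AVPair += "ipsec:addr-pool=vpn_pool",
	Cisco-AVPair += "ipsec:inacl=101",
	Cisco-AVPair += "ipsec:key-exchange=ike",
	Cisco-AVPair += "ipsec:key-exchange=preshared-key",
	Service-Type = Framed-User,
	Framed-Protocol = PPP

# Catch-all: any NAS, any group.
DEFAULT	Auth-Type := vpn_auth_name
	Service-Type = Framed-User,
	Framed-Protocol = PPP
```

To check which entry fires, run the server with `radiusd -X` and send a test request with radclient: a request carrying NAS-IP-Address = 10.1.1.252 and Tunnel-Private-Group-ID = "Group1" should log a single "users: Matched entry DEFAULT at line N" for the first entry, and a request missing either attribute should match only the second. If the debug output shows both entries matching, a Fall-Through is still in place.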



More information about the Freeradius-Users mailing list