freeradius and Cisco VPN IPSEC profiles authentication
Phil Mayers
p.mayers at imperial.ac.uk
Thu Nov 11 18:46:34 CET 2010
On 11/11/10 15:49, Jevos, Peter wrote:
> See "man unlang". Put the logic into raddb/sites-available/default,
> the "authorize" section.
>
> Uh... read the debug output, and look at the files in the "raddb"
> directory. The directory has more than *one* file. This should be a
> hint that the "users" file doesn't solve everything.
>
> Alan DeKok.
>
> Hi Alan, thanks, I’ve read it but it’s too complicated and I’m
> missing more examples of configurations.
>
> If anybody could help me with the syntax and code location for this issue:
>
> If requests come from NAS-IP-Address==1.1.1.1 and the
> %{mschap:NT-Domain}=vipdomainuser, check them against module
> ntlm_auth_vip (module is already working) and if they pass give them
> Cisco-Avpair += "ipsec:addr-pool=vip_vpn_pool" and other optional AVpairs.
Just add the Cisco-AVPair when you do "if (NAS-IP-Address == ..)" i.e.
authorize {
    # Match the VPN NAS plus whatever condition identifies these users
    if ((NAS-IP-Address == xxx) && (...condition...)) {
        # Send this request down the ntlm_auth_vip authentication path
        update control {
            Auth-Type = ntlm_auth_vip
        }
        # Queue the reply attributes now; the reject filter in post-auth
        # removes them again if authentication fails
        update reply {
            Cisco-AVPair += "..."
        }
    }
}
...then:
authenticate {
    # Declaring this block is what makes "ntlm_auth_vip" a valid Auth-Type value
    Auth-Type ntlm_auth_vip {
        ntlm_auth_vip
    }
}
...and, as per the DEFAULT CONFIG!
post-auth {
    ...
    # Strip everything that is not allowed in an Access-Reject
    Post-Auth-Type REJECT {
        attr_filter.access_reject
    }
}
...the attribute filter in the reject will remove the Cisco-AVPair if
the request is rejected.
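Putting Phil's three fragments together with the values from Peter's question gives the following raddb/sites-available/default snippet. This is an added example, not code from the original posts or from the FreeRADIUS project; it assumes FreeRADIUS 2.x unlang syntax, that the mschap module is instantiated (so the %{mschap:NT-Domain} xlat is available) and that ntlm_auth_vip is an instance already defined under raddb/modules. The NAS address 1.1.1.1, the domain name vipdomainuser and the pool name vip_vpn_pool are taken from the question.

```unlang
# raddb/sites-available/default  (added example, not the shipped default)

authorize {
    # ... keep the existing module calls here (preprocess, mschap, ...)

    # Only requests relayed by the Cisco at 1.1.1.1 whose User-Name carries
    # the vipdomainuser NT domain are steered to the VIP authentication path.
    # NAS-IP-Address is whatever the NAS put in the packet; to bind on the
    # actual packet source address instead, compare Packet-Src-IP-Address.
    if ((NAS-IP-Address == 1.1.1.1) && ("%{mschap:NT-Domain}" == "vipdomainuser")) {
        # ":=" overrides any Auth-Type an earlier module may already have set
        update control {
            Auth-Type := ntlm_auth_vip
        }
        # Reply attributes are queued here, before authentication has run.
        # They only survive if the request ends in Access-Accept (see post-auth).
        update reply {
            Cisco-AVPair += "ipsec:addr-pool=vip_vpn_pool"
            # further optional AV pairs are added the same way with "+="
        }
    }
}

authenticate {
    # The block name registers "ntlm_auth_vip" as an Auth-Type value
    Auth-Type ntlm_auth_vip {
        ntlm_auth_vip
    }
}

post-auth {
    # Present in the shipped default: strips Cisco-AVPair and any other
    # attribute not permitted in an Access-Reject, so a failed login
    # never carries the pool assignment back to the NAS.
    Post-Auth-Type REJECT {
        attr_filter.access_reject
    }
}
```

Check the result with radiusd -X: the debug output shows the condition being evaluated in authorize, the ntlm_auth_vip section being run, and, on a failed login, attr_filter.access_reject removing the queued Cisco-AVPair before the Access-Reject is sent.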
More information about the Freeradius-Users mailing list