Pushing group attribute from OpenDirectory to Cisco

Peter Lambrechtsen plambrechtsen at gmail.com
Thu Sep 23 22:02:38 CEST 2010

The "users" file is where you specify the reply attributes in my example.

So using your example:

DEFAULT Huntgroup-Name == CiscoVPN, Ldap-Group ==
        Service-Type = "NAS-Prompt-User",
        Idle-Timeout = 600,
        Cisco-AVPair =

Then you can either use the huntgroup file and set the IP addresses of the
Routers (NAS's) you're using: http://wiki.freeradius.org/Huntgroups

Or you can have the Huntgroups in ldap as per my e-mail, and that would be
if you have a more dynamic environment or want to move the NAS between
different huntgroups easily.

On Fri, Sep 24, 2010 at 2:03 AM, Sander van Loosbroek <sander at vanloosbroek.com> wrote:

> Hello Peter and Alan,
> Thank you for your reply. I've given the documentation of Peter a look but
> I'm not that familiar with LDAP or how its underpinnings work in OS X
> Server.
> When the Cisco router now authenticates against the FreeRADIUS server all
> works fine except for the fact that the group name is not returned with the
> webvpn:vpn-user-group attribute. What is unclear to me is how I instruct
> FreeRADIUS to include that attribute when it returns the authorization
> message. I have made the following addition to my clients file:
> client {
>        secret = xxx
>        shortname = vpn
>        nastype = cisco
> }
> I have added a policy to the Cisco router to pick up the attribute but it
> doesn't seem to get through. Can you suggest what to try next?
> Thanks,
> Sander