Freeradius-Users Digest, Vol 65, Issue 105

Sander van Loosbroek sander at vanloosbroek.com
Fri Sep 24 09:04:34 CEST 2010


What I'm trying to do is retrieve the user group from the OpenDirectory instead of setting a static one. There is only one NAS and the Mac OS X Server runs a standalone OpenDirectory Master so I don't need any huntgroups then?

On 24 sep 2010, at 05:42, freeradius-users-request at lists.freeradius.org wrote:

> Date: Fri, 24 Sep 2010 08:02:38 +1200
> From: Peter Lambrechtsen <plambrechtsen at gmail.com>
> Subject: Re: Pushing group attribute from OpenDirectory to Cisco
> To: FreeRadius users mailing list
> 	<freeradius-users at lists.freeradius.org>
> Message-ID:
> 	<AANLkTik16Nrmbb1OmrVWcFuhTFKnLEDYwvPFs5FydrbT at mail.gmail.com>
> Content-Type: text/plain; charset="iso-8859-1"
> 
> In the "users" file is where you specify the reply attributes in my example.
> 
> So using your example:
> 
> DEFAULT Huntgroup-Name == CiscoVPN, Ldap-Group == "cn=CiscoVPN,ou=Roles,ou=Radius,DC=ACME,DC=COM"
>        Service-Type = "NAS-Prompt-User",
>        Idle-Timeout = 600,
>        Cisco-AVPair = "webvpn:user-vpn-group=whatevervpngroupyouwanttoaddtheuserto"
> 
> Then you can either use the huntgroup file and set the IP addresses of the
> Routers (NAS's) you're using: http://wiki.freeradius.org/Huntgroups
> 
> Or you can have the Huntgroups in ldap as per my e-mail, and that would be
> if you have a more dynamic environment or want to move the NAS between
> different huntgroups easily.
> 
> 
> 
> On Fri, Sep 24, 2010 at 2:03 AM, Sander van Loosbroek <
> sander at vanloosbroek.com> wrote:
> 
>> Hello Peter and Alan,
>> 
>> Thank you for your reply. I've given the documentation of Peter a look but
>> I'm not that familiar with LDAP or how its underpinnings work in OS X
>> Server.
>> 
>> When the Cisco router now authenticates against the FreeRADIUS server all
>> works fine except for the fact that the group name is not returned with the
>> webvpn:vpn-user-group attribute. What is unclear to me is how I instruct
>> FreeRADIUS to include that attribute when it returns the authorization
>> message. I have made the following addition to my clients file:
>> 
>> client 192.168.13.1/32 {
>>       secret = xxx
>>       shortname = vpn
>>       nastype = cisco
>> }
>> 
>> I have added a policy to the Cisco router to pick up the attribute but it
>> doesn't seem to get through. Can you suggest what to try next?
>> 
>> Thanks,
>> Sander
>> -
>> List info/subscribe/unsubscribe? See
>> http://www.freeradius.org/list/users.html
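Carrying Peter's users-file entry one step further, as an added example that is not part of the original thread: with a single NAS the Huntgroup-Name check can be dropped, and one DEFAULT entry per OpenDirectory group maps each group to its own webvpn group, with a final catch-all so a user in no group is rejected rather than landing in the NAS default policy. The group DNs and webvpn group names are placeholders, and it assumes rlm_ldap is configured so the Ldap-Group check item can be evaluated.

```text
# /etc/raddb/users  (constructed example; group DNs and webvpn names are placeholders)
#
# Entries are tried top to bottom. The first entry whose check items all
# match wins unless it sets Fall-Through. Ldap-Group is a dynamic check
# item: rlm_ldap looks up the user's group membership at request time.

# Administrators: full-access webvpn group, short idle timeout
DEFAULT Ldap-Group == "cn=vpn-admins,cn=groups,dc=example,dc=com"
        Service-Type = "NAS-Prompt-User",
        Idle-Timeout = 600,
        Cisco-AVPair = "webvpn:user-vpn-group=admin-vpn"

# Staff: standard webvpn group
DEFAULT Ldap-Group == "cn=vpn-staff,cn=groups,dc=example,dc=com"
        Service-Type = "NAS-Prompt-User",
        Idle-Timeout = 1800,
        Cisco-AVPair = "webvpn:user-vpn-group=staff-vpn"

# Authenticated but in neither group: reject explicitly, so no user is
# ever admitted without a group-specific policy attached.
DEFAULT Auth-Type := Reject
        Reply-Message = "No VPN group assigned"
```

Run radiusd -X while testing and check the debug output for the Ldap-Group comparison result and the reply items attached to each Access-Accept.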
