Pushing group attribute from OpenDirectory to Cisco

Peter Lambrechtsen plambrechtsen at gmail.com
Mon Sep 27 01:00:07 CEST 2010


Sander

I can't see why multiple groups wouldn't work, since that is how we do it:

This is what we have in our users file:

DEFAULT Huntgroup-Name == CiscoRTR, Ldap-Group == "cn=Administrator,ou=CiscoRTR,ou=Applications,o=Identities"
        Service-Type = "NAS-Prompt-User",
        Idle-Timeout = 600,
        Cisco-AVPair = "shell:priv-lvl=15"
#
DEFAULT Huntgroup-Name == CiscoRTR, Ldap-Group == "cn=Basic,ou=CiscoRTR,ou=Applications,o=Identities"
        Service-Type = "NAS-Prompt-User",
        Idle-Timeout = 600,
        Cisco-AVPair = "shell:priv-lvl=7"

You just need to repeat for the group level access you want, and set the
reply attributes relevant for that group.

And then you order the groups in the level of access you want to use, since
it will drop out of the users file once it hits the first successful match,
unless you also add Fall-Through = yes: http://wiki.freeradius.org/Users
But that would make no sense in this case, as you just want to set one group
value; if you wanted to set multiple VSAs based on multiple groups, you would
need to set Fall-Through = yes on each record, since the default behaviour is
Fall-Through = No.

That config below is just wrong to manage your users.

On Mon, Sep 27, 2010 at 11:37 AM, Sander van Loosbroek <sander at vanloosbroek.com> wrote:

> Just wanted to let you all know that I got it working with your
> instructions. In the end I realized that there were multiple groups
> associated with each user and that such a lookup wasn't gonna work anyway. I
> created single user entries like this in the users file:
>
> user1                   Cleartext-Password := "userpassword"
>                                 Service-Type = NAS-Prompt-User,
>                                 cisco-avpair = "webvpn:user-vpn-group=management"
>
> The user has to be active in the OpenDirectory as well for this to work but
> this is desired behaviour in my configuration anyway. Now the avpair gets
> pushed to the Cisco router and used to select the correct policy in the
> WebVPN context. I'm gonna write a blogpost on my full setup on
> http://edgetechnology.wordpress.com that explains the full setup for those
> interested.
>
> Thank you all for your help.
>
> Sander
>
> On 24 sep 2010, at 12:00, freeradius-users-request at lists.freeradius.org wrote:
>
> > Date: Fri, 24 Sep 2010 09:04:34 +0200
> > From: Sander van Loosbroek <sander at vanloosbroek.com>
> > Subject: Re: Freeradius-Users Digest, Vol 65, Issue 105
> > To: freeradius-users at lists.freeradius.org
> > Message-ID: <9C852831-8F4D-4DCF-9A2A-1D6C3D8EDD96 at vanloosbroek.com>
> > Content-Type: text/plain; charset=us-ascii
> >
> > What I'm trying to do is retrieve the user group from the OpenDirectory
> > instead of setting a static one. There is only one NAS and the Mac OS X
> > Server runs a standalone OpenDirectory Master so I don't need any huntgroups
> > then?
> >
> > On 24 sep 2010, at 05:42, freeradius-users-request at lists.freeradius.org wrote:
> >
> >> Date: Fri, 24 Sep 2010 08:02:38 +1200
> >> From: Peter Lambrechtsen <plambrechtsen at gmail.com>
> >> Subject: Re: Pushing group attribute from OpenDirectory to Cisco
> >> To: FreeRadius users mailing list
> >>      <freeradius-users at lists.freeradius.org>
> >> Message-ID:
> >>      <AANLkTik16Nrmbb1OmrVWcFuhTFKnLEDYwvPFs5FydrbT at mail.gmail.com>
> >> Content-Type: text/plain; charset="iso-8859-1"
> >>
> >> In the "users" file is where you specify the reply attributes in my example.
> >>
> >> So using your example:
> >>
> >> DEFAULT Huntgroup-Name == CiscoVPN, Ldap-Group == "cn=CiscoVPN,ou=Roles,ou=Radius,DC=ACME,DC=COM"
> >>       Service-Type = "NAS-Prompt-User",
> >>       Idle-Timeout = 600,
> >>       Cisco-AVPair = "webvpn:user-vpn-group=whatevervpngroupyouwanttoaddtheuserto"
> >>
> >> Then you can either use the huntgroup file and set the IP addresses of the
> >> Routers (NAS's) you're using: http://wiki.freeradius.org/Huntgroups
> >>
> >> Or you can have the Huntgroups in ldap as per my e-mail, and that would be
> >> if you have a more dynamic environment or want to move the NAS between
> >> different huntgroups easily.
> >>
> >>
> >>
> >> On Fri, Sep 24, 2010 at 2:03 AM, Sander van Loosbroek <sander at vanloosbroek.com> wrote:
> >>
> >>> Hello Peter and Alan,
> >>>
> >>> Thank you for your reply. I've given the documentation of Peter a look but
> >>> I'm not that familiar with LDAP or how its underpinnings work in OS X
> >>> Server.
> >>>
> >>> When the Cisco router now authenticates against the FreeRADIUS server all
> >>> works fine except for the fact that the group name is not returned with the
> >>> webvpn:vpn-user-group attribute. What is unclear to me is how I instruct
> >>> FreeRADIUS to include that attribute when it returns the authorization
> >>> message. I have made the following addition to my clients file:
> >>>
> >>> client 192.168.13.1/32 {
> >>>      secret = xxx
> >>>      shortname = vpn
> >>>      nastype = cisco
> >>> }
> >>>
> >>> I have added a policy to the Cisco router to pick up the attribute but it
> >>> doesn't seem to get through. Can you suggest what to try next?
> >>>
> >>> Thanks,
> >>> Sander
> >>> -
> >>> List info/subscribe/unsubscribe? See
> >>> http://www.freeradius.org/list/users.html
>
>
>
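As an added example that is not part of the thread and not FreeRADIUS code, the Python script below simulates how rlm_files walks the users file, so the ordering and Fall-Through behaviour Peter describes can be tried offline. It parses users-file text, evaluates the check items (`==` must compare equal, `:=` and `=` are config assignments that never fail, and `Ldap-Group` is treated as the membership test rlm_ldap supplies), and builds the reply list with the reply operators as the users file documents them. The CiscoRTR entries are Peter's own; the CiscoVPN group DNs, the NAS addresses in HUNTGROUPS and the user names are constructed for the demo. One caveat the operator semantics bring out: under Fall-Through = yes, a second Cisco-AVPair added with `=` is skipped because one already exists in the reply, so entries that should each contribute a VSA need `+=`.

```python
# Added example (not FreeRADIUS code): simulate how rlm_files walks the "users"
# file.  Entries are tried top to bottom; the first whose check items all match
# supplies reply items, and processing stops unless it has "Fall-Through = yes".
import re

# one "Attr op value" item; a quoted value may contain commas (LDAP DNs do)
ITEM_RE = re.compile(r'([\w-]+)\s*(==|:=|\+=|=)\s*("[^"]*"|[^,\s]+)')


def parse_users(text):
    """[(name, checks, replies)] with (attr, op, value) items: an unindented
    line starts an entry (name + check items), indented lines hold replies."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()                # drop comments
        if not line.strip():
            continue
        items = [(a, op, v.strip('"')) for a, op, v in ITEM_RE.findall(line)]
        if not raw[0].isspace():
            entries.append((line.split(None, 1)[0], items, []))
        else:
            entries[-1][2].extend(items)
    return entries


def entry_matches(entry, req):
    """'==' check items must compare equal; ':=' and '=' assign config items and
    never fail.  Ldap-Group is rlm_ldap's virtual membership check."""
    name, checks, _ = entry
    if name != "DEFAULT" and name != req.get("User-Name"):
        return False
    for attr, op, value in checks:
        if op != "==":
            continue
        if attr == "Ldap-Group":
            if value not in req.get("Ldap-Groups", ()):
                return False
        elif req.get(attr) != value:
            return False
    return True


def apply_reply(reply, attr, op, value):
    """Documented reply operators: '=' adds only if the attribute is not in the
    reply yet, ':=' replaces any instance, '+=' always appends one more."""
    if op == "+=" or (op == "=" and not any(a == attr for a, _ in reply)):
        reply.append((attr, value))
    elif op == ":=":
        reply[:] = [(a, v) for a, v in reply if a != attr] + [(attr, value)]
    elif op != "=":
        raise ValueError("unsupported reply operator " + op)


def authorize(entries, req):
    """Walk entries in order; return (reply items, indexes of entries used)."""
    reply, used = [], []
    for i, entry in enumerate(entries):
        if not entry_matches(entry, req):
            continue
        used.append(i)
        fall_through = False
        for attr, op, value in entry[2]:
            if attr == "Fall-Through":            # control item, not sent to the NAS
                fall_through = value.lower() == "yes"
            else:
                apply_reply(reply, attr, op, value)
        if not fall_through:
            break
    return reply, used


# Constructed sample data: the CiscoRTR entries are the thread's; the CiscoVPN
# group DNs, the NAS addresses and the user names are assumed for the demo.
ADMIN_DN = "cn=Administrator,ou=CiscoRTR,ou=Applications,o=Identities"
BASIC_DN = "cn=Basic,ou=CiscoRTR,ou=Applications,o=Identities"
MGMT_DN = "cn=Management,ou=CiscoVPN,ou=Applications,o=Identities"
STAFF_DN = "cn=Staff,ou=CiscoVPN,ou=Applications,o=Identities"
HUNTGROUPS = {"10.0.0.1": "CiscoRTR", "192.168.13.1": "CiscoVPN"}  # NAS -> huntgroup
USERS = f'''
# router shell access: most privileged group first, first match wins
DEFAULT Huntgroup-Name == CiscoRTR, Ldap-Group == "{ADMIN_DN}"
        Service-Type = NAS-Prompt-User,
        Cisco-AVPair = "shell:priv-lvl=15"
DEFAULT Huntgroup-Name == CiscoRTR, Ldap-Group == "{BASIC_DN}"
        Service-Type = NAS-Prompt-User,
        Cisco-AVPair = "shell:priv-lvl=7"
# WebVPN: one VSA per group; Fall-Through plus += so a member of both gets both
DEFAULT Huntgroup-Name == CiscoVPN, Ldap-Group == "{MGMT_DN}"
        Cisco-AVPair += "webvpn:user-vpn-group=management",
        Fall-Through = yes
DEFAULT Huntgroup-Name == CiscoVPN, Ldap-Group == "{STAFF_DN}"
        Cisco-AVPair += "webvpn:user-vpn-group=staff"
'''


def demo():
    """Requests as seen after rlm_preprocess (Huntgroup-Name) and rlm_ldap (groups)."""
    entries = parse_users(USERS)
    cases = [("alice", "10.0.0.1", (ADMIN_DN, BASIC_DN)),      # in both router groups
             ("bob", "10.0.0.1", (BASIC_DN,)),
             ("carol", "192.168.13.1", (MGMT_DN, STAFF_DN)),   # gets both webvpn VSAs
             ("dave", "192.168.13.1", (ADMIN_DN,))]            # wrong NAS for that group
    return {u: authorize(entries, {"User-Name": u, "Ldap-Groups": g,
                                   "Huntgroup-Name": HUNTGROUPS.get(nas)})
            for u, nas, g in cases}
```

Running demo() shows alice stopping at the first (priv-lvl=15) entry even though she is also in the Basic group, bob falling to the second entry, carol collecting both webvpn VSAs through Fall-Through, and dave getting nothing from the users file because no entry matches his NAS and group combination (rlm_files simply adds nothing in that case; whether the request is then rejected depends on the rest of the authorize section).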