Cisco integration with priv-lvl=15 vs. priv-lvl=0

Phil Mayers p.mayers at imperial.ac.uk
Fri Aug 10 09:49:46 CEST 2012


On 08/09/2012 10:29 PM, Casho, Craig L wrote:
> Basically, how does one go about configuring the radius server to
> forward requests to the Redhat LDAP server with these attributes.

This is way too vague, and your terminology is all wrong which suggests 
you haven't read the docs and aren't familiar with FreeRADIUS.

If you want a more specific answer, please ask a more specific question.

However: there are several ways to accomplish what you want. Assuming 
that you have basic LDAP authentication (i.e. username/password checking) 
already working, the simplest and most common approach is to use LDAP 
groups. For example, in the "users" file you might put:

DEFAULT	Ldap-Group == cisco-admin-users
	Cisco-AVPair += "shell:priv-lvl=15"

The other common approach is to define an LDAP attribute, and map this 
to the Cisco-AVPair reply item, then populate your LDAP entries 
appropriately. For example, you could add an LDAP entry:

dn: cn=username,ou=foo,o=bar
myCiscoVals: shell:priv-lvl=15

...and in "ldap.attrmap" add:

replyItem	Cisco-AVPair	myCiscoVals

There are lots and lots of ways of doing this, but these are the most 
common. I suggest you read the docs carefully. Set up a basic case and 
get it working, then tune it to your needs. My advice would be to put 
the FreeRADIUS config into version control, and check in your changes 
each time you have a working config. Make small changes and test, then 
check in.
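An added example, not from the thread or from FreeRADIUS itself: a small Python evaluator for "users"-file entries of the shape shown above, modelling the first-match rule (processing stops at the first entry whose check items match unless it sets Fall-Through = Yes) and the Ldap-Group check item, so a group-to-priv-lvl policy can be sanity-checked offline. The policy text, group names and user names are constructed for the example; the real Ldap-Group check is performed by the ldap module against the directory.

```python
import re
from collections import defaultdict

# Constructed policy in "users" syntax (not a real deployment): admins get
# priv-lvl 15, a read-only group gets priv-lvl 1, anyone else gets no AVPair.
USERS_FILE = """
DEFAULT\tLdap-Group == cisco-admin-users
\tCisco-AVPair += "shell:priv-lvl=15"

DEFAULT\tLdap-Group == cisco-readonly-users
\tCisco-AVPair += "shell:priv-lvl=1"
"""

# Attribute, operator, value (quoted or bare) of one check/reply item.
ITEM_RE = re.compile(r'([\w-]+)\s*(==|:=|\+=|=)\s*("[^"]*"|[^,\s]+)')

def parse_items(text):
    return [(a, op, v.strip('"')) for a, op, v in ITEM_RE.findall(text)]

def parse_users(text):
    """Return a list of (name, check_items, reply_items) entries."""
    entries = []
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if line[0] in " \t":            # indented: reply items of current entry
            entries[-1][2].extend(parse_items(line))
        else:                           # header: name, then check items
            name, _, checks = line.partition("\t")
            entries.append((name.strip(), parse_items(checks), []))
    return entries

def check_matches(attr, op, value, request):
    """Only '==' is modelled; Ldap-Group is tested against group membership."""
    if op != "==":
        raise ValueError("unsupported check operator %r" % op)
    if attr == "Ldap-Group":
        return value in request.get("groups", ())
    return request.get(attr) == value

def evaluate(entries, request):
    """First matching entry wins unless it sets Fall-Through = Yes."""
    reply = defaultdict(list)
    for name, checks, replies in entries:
        if name != "DEFAULT" and name != request["User-Name"]:
            continue
        if not all(check_matches(a, op, v, request) for a, op, v in checks):
            continue
        fall_through = False
        for attr, op, value in replies:
            if attr == "Fall-Through":
                fall_through = value.lower() == "yes"
            elif op == ":=":
                reply[attr] = [value]
            elif op == "+=" or not reply[attr]:   # '=' only sets if absent
                reply[attr].append(value)
        if not fall_through:
            break
    return dict(reply)

def priv_level(reply):
    """Privilege level the NAS would apply from the reply, or None."""
    for av in reply.get("Cisco-AVPair", []):
        if av.startswith("shell:priv-lvl="):
            return int(av.split("=", 1)[1])
    return None

ENTRIES = parse_users(USERS_FILE)
```

A user in both groups still gets only priv-lvl 15, because the first matching DEFAULT entry stops processing; if two levels were ever returned the NAS, not the server, would decide which one applies.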
