<html><head><base href="x-msg://1597/"></head><body style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space; "><div>You're assuming FreeRADIUS will magically strip off the '<span class="Apple-style-span" style="font-family: Calibri, sans-serif; font-size: 15px; ">isakmp-group-id=' part of the value... AVPairs are Ciscos own invention they are not part of the RADIUS standard.</span></div><div><span class="Apple-style-span" style="font-family: Calibri, sans-serif; font-size: 15px; "><br></span></div><div><span class="Apple-style-span" style="font-family: Calibri, sans-serif; font-size: 15px; ">It's difficult to do because the order of AVPairs sometimes changes and the == operator will only check the first instance of the attribute.</span></div><div><span class="Apple-style-span" style="font-family: Calibri, sans-serif; font-size: 15px; "><br></span></div><div><font class="Apple-style-span" face="Calibri, sans-serif"><span class="Apple-style-span" style="font-size: 15px;">If you care about it being reliable between Cisco NAS upgrade to 3.0x and i'll send you some unlang policies that deal with Cisco-AVPairs properly. If you don't, you can use the following...</span></font></div><div><font class="Apple-style-span" face="Calibri, sans-serif"><span class="Apple-style-span" style="font-size: 15px;"><br></span></font></div><div><font class="Apple-style-span" face="Calibri, sans-serif"><span class="Apple-style-span" style="font-size: 15px;">authorize {</span></font></div><div><font class="Apple-style-span" face="Calibri, sans-serif"><span class="Apple-style-span" style="font-size: 15px;"><span class="Apple-tab-span" style="white-space:pre"> </span># Comment out files</span></font></div><div><font class="Apple-style-span" face="Calibri, sans-serif"><span class="Apple-style-span" style="font-size: 15px;"><span class="Apple-tab-span" style="white-space:pre"> </span># files</span></font></div><div><font class="Apple-style-span" face="Calibri, sans-serif"><span class="Apple-style-span" style="font-size: 15px;"><span class="Apple-tab-span" style="white-space:pre"> </span># Insert at the end of the authorize section</span></font></div><div><font class="Apple-style-span" face="Calibri, sans-serif"><span class="Apple-style-span" style="font-size: 15px;"><span class="Apple-tab-span" style="white-space:pre"> </span>update request {</span></font></div><div><font class="Apple-style-span" face="Calibri, sans-serif"><span class="Apple-style-span" style="font-size: 15px;"><span class="Apple-tab-span" style="white-space:pre"> </span>Auth-Type := "%{control:Auth-Type}"</span></font></div><div><font class="Apple-style-span" face="Calibri, sans-serif"><span class="Apple-style-span" style="font-size: 15px;"><span class="Apple-tab-span" style="white-space:pre"> </span>}</span></font></div><div><font class="Apple-style-span" face="Calibri, sans-serif"><span class="Apple-style-span" style="font-size: 15px;">}</span></font></div><div><font class="Apple-style-span" face="Calibri, sans-serif"><span class="Apple-style-span" style="font-size: 15px;"><br></span></font></div><div><font class="Apple-style-span" face="Calibri, sans-serif"><span class="Apple-style-span" style="font-size: 15px;">post-auth {</span></font></div><div><font class="Apple-style-span" face="Calibri, sans-serif"><span class="Apple-style-span" style="font-size: 15px;"><span class="Apple-tab-span" style="white-space:pre"> </span># Add </span></font></div><div><font class="Apple-style-span" face="Calibri, sans-serif"><span class="Apple-style-span" style="font-size: 15px;"><span class="Apple-tab-span" style="white-space:pre"> </span>files.authorize</span></font></div><div><font class="Apple-style-span" face="Calibri, sans-serif"><span class="Apple-style-span" style="font-size: 15px;">}</span></font></div><div><font class="Apple-style-span" face="Calibri, sans-serif"><span class="Apple-style-span" style="font-size: 15px;"><br></span></font></div><div><font class="Apple-style-span" face="Calibri, sans-serif"><span class="Apple-style-span" style="font-size: 15px;">In the users file change</span></font></div><div><span class="Apple-style-span" style="font-family: Calibri, sans-serif; font-size: 15px; "><br></span></div><div><span class="Apple-style-span" style="font-family: Calibri, sans-serif; font-size: 15px; ">Auth-Type := ntlm_auth_vpn_osw, NAS-IP-Address == 10.1.1.1, Cisco-AVPair == " CiscoGroup "</span></div><div><span class="Apple-style-span" style="font-family: Calibri, sans-serif; font-size: 15px; "><br></span></div><div><span class="Apple-style-span" style="font-family: Calibri, sans-serif; font-size: 15px; ">to</span></div><div><span class="Apple-style-span" style="font-family: Calibri, sans-serif; font-size: 15px; "><br></span></div><div><font class="Apple-style-span" face="Calibri, sans-serif"><span class="Apple-style-span" style="font-size: 15px;">Auth-Type == ntlm_auth_vpn_osw, NAS-IP-Address == 10.1.1.1, Cisco-AVPair == "isakmp-group-id=CiscoGroup</span></font><span class="Apple-style-span" style="font-family: Calibri, sans-serif; font-size: 15px; ">"</span></div><div><span class="Apple-style-span" style="font-family: Calibri, sans-serif; font-size: 15px; "><br></span></div><div><span class="Apple-style-span" style="font-family: Calibri, sans-serif; font-size: 15px; ">-Arran</span></div><br><div><div>On 27 Jul 2011, at 09:52, Jevos, Peter wrote:</div><br class="Apple-interchange-newline"><blockquote type="cite"><span class="Apple-style-span" style="border-collapse: separate; font-family: Helvetica; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: 2; text-align: -webkit-auto; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px; -webkit-border-horizontal-spacing: 0px; -webkit-border-vertical-spacing: 0px; -webkit-text-decorations-in-effect: none; -webkit-text-size-adjust: auto; -webkit-text-stroke-width: 0px; font-size: medium; "><div lang="EN-US" link="blue" vlink="purple"><div class="WordSection1" style="page: WordSection1; "><div style="margin-top: 0in; margin-right: 0in; margin-left: 0in; margin-bottom: 0.0001pt; font-size: 11pt; font-family: Calibri, sans-serif; ">Hi ,<o:p></o:p></div><div style="margin-top: 0in; margin-right: 0in; margin-left: 0in; margin-bottom: 0.0001pt; font-size: 11pt; font-family: Calibri, sans-serif; ">My cisco sends to radius it’s ip address, and isakmp-group-id ( or profile name )<o:p></o:p></div><div style="margin-top: 0in; margin-right: 0in; margin-left: 0in; margin-bottom: 0.0001pt; font-size: 11pt; font-family: Calibri, sans-serif; ">Debug from radius –X :<o:p></o:p></div><div style="margin-top: 0in; margin-right: 0in; margin-left: 0in; margin-bottom: 0.0001pt; font-size: 11pt; font-family: Calibri, sans-serif; "><o:p> </o:p></div><div style="margin-top: 0in; margin-right: 0in; margin-left: 0in; margin-bottom: 0.0001pt; font-size: 11pt; font-family: Calibri, sans-serif; "> Cisco-AVPair = "isakmp-group-id=CiscoGroup"<o:p></o:p></div><div style="margin-top: 0in; margin-right: 0in; margin-left: 0in; margin-bottom: 0.0001pt; font-size: 11pt; font-family: Calibri, sans-serif; "> Acct-Session-Id = "61286"<o:p></o:p></div><div style="margin-top: 0in; margin-right: 0in; margin-left: 0in; margin-bottom: 0.0001pt; font-size: 11pt; font-family: Calibri, sans-serif; "> User-Name = "domain\\user"<o:p></o:p></div><div style="margin-top: 0in; margin-right: 0in; margin-left: 0in; margin-bottom: 0.0001pt; font-size: 11pt; font-family: Calibri, sans-serif; "> Cisco-AVPair = "connect-progress=No Progress"<o:p></o:p></div><div style="margin-top: 0in; margin-right: 0in; margin-left: 0in; margin-bottom: 0.0001pt; font-size: 11pt; font-family: Calibri, sans-serif; "> Acct-Authentic = Local<o:p></o:p></div><div style="margin-top: 0in; margin-right: 0in; margin-left: 0in; margin-bottom: 0.0001pt; font-size: 11pt; font-family: Calibri, sans-serif; "> Acct-Status-Type = Start<o:p></o:p></div><div style="margin-top: 0in; margin-right: 0in; margin-left: 0in; margin-bottom: 0.0001pt; font-size: 11pt; font-family: Calibri, sans-serif; "> NAS-Port-Type = Virtual<o:p></o:p></div><div style="margin-top: 0in; margin-right: 0in; margin-left: 0in; margin-bottom: 0.0001pt; font-size: 11pt; font-family: Calibri, sans-serif; "> NAS-Port = 20<o:p></o:p></div><div style="margin-top: 0in; margin-right: 0in; margin-left: 0in; margin-bottom: 0.0001pt; font-size: 11pt; font-family: Calibri, sans-serif; "> NAS-IP-Address = 10.1.1.1<o:p></o:p></div><div style="margin-top: 0in; margin-right: 0in; margin-left: 0in; margin-bottom: 0.0001pt; font-size: 11pt; font-family: Calibri, sans-serif; "><o:p> </o:p></div><div style="margin-top: 0in; margin-right: 0in; margin-left: 0in; margin-bottom: 0.0001pt; font-size: 11pt; font-family: Calibri, sans-serif; ">How should I configure freeradius to accept request for this group (isakmp-group-id=CiscoGroup ) only for users, that are authenticated against Auth-Type := ntlm_auth_vpn_osw ( already used and working ) ?<o:p></o:p></div><div style="margin-top: 0in; margin-right: 0in; margin-left: 0in; margin-bottom: 0.0001pt; font-size: 11pt; font-family: Calibri, sans-serif; ">However other groups ( or profiles ) should be authenticated against Auth-Type := vpn_auth_name<o:p></o:p></div><div style="margin-top: 0in; margin-right: 0in; margin-left: 0in; margin-bottom: 0.0001pt; font-size: 11pt; font-family: Calibri, sans-serif; ">I tried this settings in the Users file but It doesn’t work<o:p></o:p></div><div style="margin-top: 0in; margin-right: 0in; margin-left: 0in; margin-bottom: 0.0001pt; font-size: 11pt; font-family: Calibri, sans-serif; "><o:p> </o:p></div><div style="margin-top: 0in; margin-right: 0in; margin-left: 0in; margin-bottom: 0.0001pt; font-size: 11pt; font-family: Calibri, sans-serif; ">DEFAULT Auth-Type := ntlm_auth_vpn_osw, NAS-IP-Address == 10.1.1.1, Cisco-AVPair == " CiscoGroup "<o:p></o:p></div><div style="margin-top: 0in; margin-right: 0in; margin-left: 0in; margin-bottom: 0.0001pt; font-size: 11pt; font-family: Calibri, sans-serif; "> Service-Type = Framed-User,<o:p></o:p></div><div style="margin-top: 0in; margin-right: 0in; margin-left: 0in; margin-bottom: 0.0001pt; font-size: 11pt; font-family: Calibri, sans-serif; "> Framed-Protocol = PPP,<o:p></o:p></div><div style="margin-top: 0in; margin-right: 0in; margin-left: 0in; margin-bottom: 0.0001pt; font-size: 11pt; font-family: Calibri, sans-serif; "><o:p> </o:p></div><div style="margin-top: 0in; margin-right: 0in; margin-left: 0in; margin-bottom: 0.0001pt; font-size: 11pt; font-family: Calibri, sans-serif; ">DEFAULT Auth-Type := vpn_auth_name<o:p></o:p></div><div style="margin-top: 0in; margin-right: 0in; margin-left: 0in; margin-bottom: 0.0001pt; font-size: 11pt; font-family: Calibri, sans-serif; "> Service-Type = Framed-User,<o:p></o:p></div><div style="margin-top: 0in; margin-right: 0in; margin-left: 0in; margin-bottom: 0.0001pt; font-size: 11pt; font-family: Calibri, sans-serif; "> Framed-Protocol = PPP,<o:p></o:p></div><div style="margin-top: 0in; margin-right: 0in; margin-left: 0in; margin-bottom: 0.0001pt; font-size: 11pt; font-family: Calibri, sans-serif; "><o:p> </o:p></div><div style="margin-top: 0in; margin-right: 0in; margin-left: 0in; margin-bottom: 0.0001pt; font-size: 11pt; font-family: Calibri, sans-serif; ">Thanks<o:p></o:p></div><div style="margin-top: 0in; margin-right: 0in; margin-left: 0in; margin-bottom: 0.0001pt; font-size: 11pt; font-family: Calibri, sans-serif; "><o:p> </o:p></div><div style="margin-top: 0in; margin-right: 0in; margin-left: 0in; margin-bottom: 0.0001pt; font-size: 11pt; font-family: Calibri, sans-serif; ">pet<o:p></o:p></div></div>-<br>List info/subscribe/unsubscribe? See<span class="Apple-converted-space"> </span><a href="http://www.freeradius.org/list/users.html" style="color: blue; text-decoration: underline; ">http://www.freeradius.org/list/users.html</a></div></span></blockquote></div><br><div>
<span class="Apple-style-span" style="border-collapse: separate; color: rgb(0, 0, 0); font-family: Helvetica; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: 2; text-align: auto; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px; -webkit-border-horizontal-spacing: 0px; -webkit-border-vertical-spacing: 0px; -webkit-text-decorations-in-effect: none; -webkit-text-size-adjust: auto; -webkit-text-stroke-width: 0px; font-size: medium; "><span class="Apple-style-span" style="border-collapse: separate; color: rgb(0, 0, 0); font-family: Helvetica; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: 2; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px; -webkit-border-horizontal-spacing: 0px; -webkit-border-vertical-spacing: 0px; -webkit-text-decorations-in-effect: none; -webkit-text-size-adjust: auto; -webkit-text-stroke-width: 0px; font-size: medium; "><div style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space; "><div>Arran Cudbard-Bell</div><div><a href="mailto:a.cudbardb@freeradius.org">a.cudbardb@freeradius.org</a></div><div><br></div><div>RADIUS - Half the complexity of Diameter</div></div></span></span>
</div>
<br></body></html>