On 09-07-19 15:05, Alan DeKok wrote:
On Jul 9, 2019, at 3:01 PM, Kees Bakker via Freeradius-Users <freeradius-users@lists.freeradius.org> wrote:
We have a Cisco for VPN and we have FreeIPA for the user administration. What I want is to only allow users in a FreeIPA group to connect to the VPN. Notice that, as far as FreeRADIUS is concerned FreeIPA is just an LDAP server. That's good.
So far I am able to connect the radius server to our FreeIPA server. Using the radtest command I can see that authentication works. (I'm not sure about authorization, though.) RADIUS uses one packet for authentication and authorization.
The Cisco is configured and FreeIPA users can connect to the VPN. However, I haven't figured out how to restrict VPN to only users from a specific group.
Which configuration file do I need to adapt? Where should I be looking? You need to check LDAP groups. See sites-available/default
In the "post-auth" section, add:
if (LDAP-Group == "groupname") { update reply { Tunnel-Type := VLAN Tunnel-Medium-Type := IEEE-802 Tunnel-Private-Group-ID := "vlan name" } }
Thanks for this example. Meanwhile we have found another suggestion which seems to be working. But it remains magic. In sites-available/default we have this authorize { ... ldap if ((ok || updated) && User-Password) { update { control:Auth-Type := ldap } } group_authorization ... In mods-config/preprocess/huntgroups we defined a new huntgroup ourgw NAS-IP-Address == 172.16.16.1 In a new file policy.d/group_authorization we have #--------------------------------------------------------------------------------------- group_authorization { if (&Huntgroup-Name == "ourgw") { if (&LDAP-Group[*] == "cn=vpn_users,cn=groups,cn=accounts,$SUFFIX") { ok } else { update reply { &Reply-Message := "Not authorized for VPN" } reject } } else { update reply { &Reply-Message := "Not authorized for unknown huntgroup" } reject } } #--------------------------------------------------------------------------------------- This is working for us. But I must say that we don't know if the rejects in the else parts are correct. We do have a problem that the Cisco does not look at its local users anymore (if the radius server is present). -- Kees