OK it works fine now with this in the users file: Robert Auth-Type = LDAP service-Type = NAS-Prompt-User, cisco-avpair = "shell:priv-lvl=1" but it is said in radius.conf not to use Auth-Type = LDAP. so is there an other solution to add this attributes in reply. Thomas
Message du 27/10/06 à 10h27 De : "jerrrry@voila.fr" A : freeradius-users@lists.freeradius.org Copie à : Objet : openldap+freeradius+Cisco
Hi, I'm trying to authenticate and authorize Cisco routers administrators But not the autorization (privilege level). so not when i add "aaa authorization exec default group radiusvrf if-authenticated" to the cisco router to be able to manage privileges with radius. to make it work, i think i need to configure Service-Type and cisco-avpair attributes for each user to get the autorization from the cisco router. I want to configure this attributs in freeradius, not in openldap. So, is it possible to add this attributes to a specific user in the raddb/users file after he has been authenticated by ldap ? or i must do it differently ? in raddb/radiusd.conf:
authorize { preprocess files ldap }
authenticate { Auth-Type PAP { pap } Auth-Type LDAP { ldap } } I tried with a user and a DEFAULT user:
raddb/users:
Robert Service-Type = NAS-Prompt-User cisco-avpair = "shell:priv-lvl=1"
DEFAULT Service-Type = NAS-Prompt-User cisco-avpair = "shell:priv-lvl=1"
but this attributs seem not to be send to the routeur. when ldap is authorize in radiusd.conf, the users file is not check anymore ? Thanks for your help Thomas
[ (pas de nom de fichier) (0.1 Ko) ]