On Jul 9, 2019, at 3:01 PM, Kees Bakker via Freeradius-Users <freeradius-users@lists.freeradius.org> wrote:
We have a Cisco for VPN and we have FreeIPA for the user administration. What I want is to only allow users in a FreeIPA group to connect to the VPN. Notice that, as far as FreeRADIUS is concerned FreeIPA is just an LDAP server.
That's good.
So far I am able to connect the radius server to our FreeIPA server. Using the radtest command I can see that authentication works. (I'm not sure about authorization, though.)
RADIUS uses one packet for authentication and authorization.
The Cisco is configured and FreeIPA users can connect to the VPN. However, I haven't figured out how to restrict VPN to only users from a specific group.
Which configuration file do I need to adapt? Where should I be looking?
You need to check LDAP groups. See sites-available/default In the "post-auth" section, add: if (LDAP-Group == "groupname") { update reply { Tunnel-Type := VLAN Tunnel-Medium-Type := IEEE-802 Tunnel-Private-Group-ID := "vlan name" } } Alan DeKok.