On 11/11/10 15:49, Jevos, Peter wrote:
See "man unlang". Put the logic into raddb/sites-available/default,
the "authorize" section.
Uh... read the debug output, and look at the files in the "raddb"
directory. The directory has more than *one* file. This should be a
hint that the "users" file doesn't solve everything.
Alan DeKok.
Hi Alan, , thanks , I’ve read it but it’s too complicated and I’m missing more examples of configurations
If anybody help me with the syntax and code location with this issue:
If requests come from NAS-IP-Address==1.1.1.1 and the %{mschap:NT-Domain}=vipdomainuser , check them against module ntlm_auth_vip ( module is already working ) and if pass give them Cisco-Avpair += "ipsec:addr-pool=vip_vpn_pool" and other optional AVpairs.
Just add the Cisco-AVPair when you do "if (NAS-IP-Address == ..)" i.e. authorize { if ((NAS-IP-Address == xxx) && (...condition...)) { update control { Auth-Type = ntlm_auth_vip } update reply { Cisco-AVPair += "..." } } } ...then: authenticate { Auth-Type ntlm_auth_vip { ntlm_auth_vip } } ...and, as per the DEFAULT CONFIG! post-auth { ... Post-Auth-Type REJECT { attr_filter.access_reject } } ...the attribute filter in the reject will remove the Cisco-AVPair if the request is rejected.