migrate from Cisco ACS
Phil Mayers
p.mayers at imperial.ac.uk
Mon Jul 17 18:47:21 CEST 2006
Rob Shepherd wrote:
> Dear FreeRADIUS users,
>
> I am a radius newbie.
>
> Please could anybody point me at a ref for migrating from Cisco ACS server.
>
> I'd specifically like to understand how I can get FreeRADIUS to reply to
> my switches, firewalls, VPN and wireless controller with the
> right/appropriate data.
>
> For example, if, on the current ACS server, I set the host where
> 'radtest' lives to...
>
> "authenticate using" -> "RADIUS (Cisco aironet)",
>
> ...I get back the correct wireless vlan info. If I then set it to
> authenticate using "RADIUS (VPN 3000)", I don't get back the vlan info
> but the Cisco-AVPair = "shell:priv-lvl=15" response is present.
>
> In addition, I'd like to determine how I can restrict access to specific
> groups through specific devices.
>
> I'll be using both ldap and mysql for user info.
Take a look at doc/Autz-Type. The basic recipe is:
1. Use the "huntgroups" file to group your NASes (e.g. into wireless,
VPN, switches, routers, etc.)
2. In the "users" file, match on Huntgroup-Name and set Autz-Type
3. In the "authorize" section of "radiusd.conf", define a sub-section
for each service, with any modules needed e.g.:
    authorize {
        # top-level
        preprocess
        files
        # per-service
        Autz-Type VPN {
            # modules here
        }
    }
Some care is needed if you need an authentication module twice, e.g. if
wireless needs mschap against a domain but VPN needs mschap against
plaintext passwords, but it's relatively easy. The key is to remember
you can have >1 instance of a module (e.g. see the "passwd" modules in
the default radiusd.conf).
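Phil's three-step recipe spelled out as a worked example, added here and not part of his message or of the FreeRADIUS distribution; the NAS addresses, huntgroup names, LDAP group name and VLAN id are constructed placeholders, and the Ldap-Group check assumes rlm_ldap is loaded, since that module registers the attribute:

```conf
# raddb/huntgroups: group NASes by role (addresses are constructed examples)
wireless  NAS-IP-Address == 192.0.2.10
wireless  NAS-IP-Address == 192.0.2.11
vpn       NAS-IP-Address == 192.0.2.20
switches  NAS-IP-Address == 192.0.2.30

# raddb/users: pick an Autz-Type per huntgroup and send device-specific replies
# Wireless controllers get the VLAN as RFC 2868 tunnel attributes
DEFAULT Huntgroup-Name == "wireless", Autz-Type := Wireless
        Tunnel-Type = VLAN,
        Tunnel-Medium-Type = IEEE-802,
        Tunnel-Private-Group-Id = "10",
        Fall-Through = Yes

# The VPN concentrator gets the privilege level, as the ACS profile did
DEFAULT Huntgroup-Name == "vpn", Autz-Type := VPN
        Cisco-AVPair = "shell:priv-lvl=15",
        Fall-Through = Yes

# Restrict the switches to one LDAP group ("netadmins" is a placeholder);
# anyone else matching this huntgroup is rejected before authentication
DEFAULT Huntgroup-Name == "switches", Ldap-Group != "netadmins", Auth-Type := Reject
        Reply-Message = "Not permitted on this device"

# radiusd.conf: per-service authorize sub-sections keyed on Autz-Type
authorize {
        preprocess          # reads huntgroups and sets Huntgroup-Name
        files               # users file above sets Autz-Type and reply items
        Autz-Type Wireless {
                ldap        # wireless users are looked up in LDAP
        }
        Autz-Type VPN {
                sql         # VPN users are looked up in MySQL
        }
}
```

Running radiusd in debug mode (radiusd -X) and sending a request with radtest shows which huntgroup matched and which Autz-Type sub-section ran, which is the quickest way to check the mapping per device.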