migrate from Cisco ACS
Thibault Le Meur
Thibault.LeMeur at supelec.fr
Mon Jul 17 19:00:50 CEST 2006
> for example, if, on the current ACS server, I set the host where
> 'radtest' lives to...
>
> "authenticate using" -> "RADIUS (Cisco aironet)",
>
> ...I get back the correct wireless vlan info. If I then set it to
> authenticate using "RADIUS (VPN 3000)", I don't get back the
> vlan info
> but the Cisco-AVPair = "shell:priv-lvl=15" response is present.
The "users" file will help you design such rules.
First you might find it useful to group your devices by IP address with the
_huntgroups_ file.
Then your rules in "users" might _look_like_:
DEFAULT Huntgroup-Name == "Aironet", Ldap-Group == "Managers"
	Tunnel-Type = VLAN,
	Tunnel-Medium-Type = IEEE-802,
	Tunnel-Private-Group-Id = "100"

DEFAULT Huntgroup-Name == "Aironet", Ldap-Group == "Users"
	Tunnel-Type = VLAN,
	Tunnel-Medium-Type = IEEE-802,
	Tunnel-Private-Group-Id = "101"

DEFAULT Huntgroup-Name == "VPN", Ldap-Group == "Managers"
	Cisco-AVPair = "shell:priv-lvl=15"

DEFAULT Huntgroup-Name == "VPN", Ldap-Group == "Users"
	Cisco-AVPair = "shell:priv-lvl=7"
See doc/processing_users_file and the sample users file in the distro (the
first line of each entry holds the check items; the following indented lines
are reply attribute/value pairs).
The doc/aaa.txt file is very valuable as well.
> In addition, I'd like to determine how I can restrict access
> to specific
> groups through specific devices.
>
> I'll be using both ldap and mysql for user info
See doc/rlm_ldap for ldap details.
HTH,
Thibault
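Putting the reply together, as an added example that is not part of Thibault's message or of the FreeRADIUS distribution: a huntgroups file that sorts NAS devices by address, and a users file that maps huntgroup plus LDAP group to the per-device reply, with a trailing catch-all that rejects anyone on the VPN devices who is in neither group (the "restrict access to specific groups through specific devices" part of the question). The NAS addresses, huntgroup names and LDAP group names are constructed for the example.

```conf
# --- raddb/huntgroups (addresses are constructed for this example) ---
# Read by the "preprocess" module, which sets Huntgroup-Name on the request.
# Several lines with the same name are OR'ed: any listed NAS-IP-Address
# puts the request into that huntgroup.
Aironet   NAS-IP-Address == 192.0.2.11
Aironet   NAS-IP-Address == 192.0.2.12
VPN       NAS-IP-Address == 198.51.100.5

# --- raddb/users (read top to bottom; the first DEFAULT whose check items
#     all match is used, and processing stops unless it sets Fall-Through = Yes) ---

# Wireless: an Aironet AP needs all three Tunnel-* attributes to put the
# session in a VLAN; Tunnel-Private-Group-Id alone is ignored.
DEFAULT Huntgroup-Name == "Aironet", Ldap-Group == "Managers"
	Tunnel-Type = VLAN,
	Tunnel-Medium-Type = IEEE-802,
	Tunnel-Private-Group-Id = "100"

DEFAULT Huntgroup-Name == "Aironet", Ldap-Group == "Users"
	Tunnel-Type = VLAN,
	Tunnel-Medium-Type = IEEE-802,
	Tunnel-Private-Group-Id = "101"

# VPN / IOS side: the privilege level is carried in the Cisco VSA
# (dictionary.cisco), not in a Tunnel attribute.
DEFAULT Huntgroup-Name == "VPN", Ldap-Group == "Managers"
	Cisco-AVPair = "shell:priv-lvl=15"

DEFAULT Huntgroup-Name == "VPN", Ldap-Group == "Users"
	Cisco-AVPair = "shell:priv-lvl=7"

# Restriction: a request from a VPN device that matched none of the entries
# above (user is in neither LDAP group) is rejected outright. This entry
# must stay AFTER the allow entries because the first match wins.
DEFAULT Huntgroup-Name == "VPN", Auth-Type := Reject
	Reply-Message = "Not authorised on this device"
```

Two things to check before relying on this: the Ldap-Group check item only works when rlm_ldap is configured for group lookups (the groupname/group-membership settings in the ldap module block), and Huntgroup-Name is only set if "preprocess" runs in the authorize section before "files". The catch-all uses ordering rather than a negated Ldap-Group comparison, because the group comparison is done by the ldap module's own callback and the operator is not reliably honoured there.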
More information about the Freeradius-Users mailing list