radius filters for ldap searching

Mircea Harapu mircea.harapu at rcs-rds.ro
Thu May 11 11:52:47 CEST 2006


Hello,

I'm using freeradius 1.0.4 with openldap 2.2.24 to authenticate users on 
cisco switches.
Every switch belongs to a specific group and for every user I'm setting 
the groups he can access. I also use cisco avpairs for level privilege.
So far, so good!
The problems occurred when I tried to make a user have different level 
privileges on different switches.
This is the profile I'm using :

# test, radius, isp.ro
dn: uid=test,ou=radius,dc=isp,dc=ro
uid: test
objectClass: radiusprofile
cn: test
userPassword:: xxx
radiusGroupName: bucuresti
radiusGroupName: valcea
radiusServiceType: NAS-Prompt-User

# bucuresti, test, radius, isp.ro
dn: cn=bucuresti,uid=test,ou=radius,dc=isp,dc=ro
uid: test
objectClass: radiusprofile
userPassword:: xxx
radiusGroupName: bucuresti
radiusServiceType: NAS-Prompt-User
radiusCiscoLevel: "shell:priv-lvl=15"
cn: bucuresti

# valcea, test, radius, isp.ro
dn: cn=valcea,uid=test,ou=radius,dc=isp,dc=ro
uid: test
objectClass: radiusprofile
userPassword:: xxx
radiusGroupName: valcea
radiusServiceType: NAS-Prompt-User
radiusCiscoLevel: "shell:priv-lvl=7"
cn: valcea

raddb/users
# Switch 192.168.50.202
# Description: test
DEFAULT NAS-IP-Address == 192.168.50.202, Ldap-Group == bucuresti
   Fall-Through = no
DEFAULT Auth-Type := Reject

What I need is to filter the LDAP search in the authorize section based on 
GroupName, and I don't know how.
-- 
................................................................
Mircea Harapu
Abuse Engineer, RDS NOC in Bucharest
t: 021-301.08.50                    f: 021-301.08.51
e: mircea.harapu at rcs-rds.ro          w: www.rdslink.ro
................................................................
Privileged/Confidential Information may be contained in this
message. If you are not the addressee indicated in this message
(or responsible for delivery of the message to such person),
you may not copy or deliver this message to anyone. In such a
case, you should destroy this message and kindly notify the
sender by reply e-mail.
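The following is an added example and is not code from the original post, from FreeRADIUS or from rlm_ldap. It models, in Python over a constructed copy of the poster's LDIF, the search the poster is asking for: map the NAS address to its group as the raddb/users DEFAULT entries do, then search for the per-group sub-profile of that user and pull the privilege level out of radiusCiscoLevel. The NAS-to-group table is an assumption (192.168.50.202 is from the post; 192.168.60.1 is invented for the valcea group), the passwords are redacted placeholders, and the filter escaping and search scoping are generic LDAP practice rather than anything rlm_ldap 1.0.4 is documented to do.

```python
"""Added example (not from the post or from FreeRADIUS): choose a per-group
RADIUS sub-profile from LDAP-style entries, with an escaped, scoped search."""
import re

# Constructed copy of the three entries in the post; userPassword is redacted.
LDIF = """\
# test, radius, isp.ro
dn: uid=test,ou=radius,dc=isp,dc=ro
uid: test
objectClass: radiusprofile
cn: test
userPassword:: eHh4
radiusGroupName: bucuresti
radiusGroupName: valcea
radiusServiceType: NAS-Prompt-User

# bucuresti, test, radius, isp.ro
dn: cn=bucuresti,uid=test,ou=radius,dc=isp,dc=ro
uid: test
objectClass: radiusprofile
userPassword:: eHh4
radiusGroupName: bucuresti
radiusServiceType: NAS-Prompt-User
radiusCiscoLevel: "shell:priv-lvl=15"
cn: bucuresti

# valcea, test, radius, isp.ro
dn: cn=valcea,uid=test,ou=radius,dc=isp,dc=ro
uid: test
objectClass: radiusprofile
userPassword:: eHh4
radiusGroupName: valcea
radiusServiceType: NAS-Prompt-User
radiusCiscoLevel: "shell:priv-lvl=7"
cn: valcea
"""

BASE_DN = "ou=radius,dc=isp,dc=ro"

# Assumed NAS -> group table, mirroring the per-switch DEFAULT entries in
# raddb/users. 192.168.50.202 is from the post; 192.168.60.1 is invented.
NAS_GROUP = {"192.168.50.202": "bucuresti", "192.168.60.1": "valcea"}


def parse_ldif(text):
    """Minimal LDIF parser: one {attr: [values]} dict per entry. Base64 ('::')
    values are kept as their raw encoded text; folded lines are joined."""
    entries, current, last = [], {}, None
    for raw in text.splitlines():
        if not raw.strip():
            if current:
                entries.append(current)
            current, last = {}, None
            continue
        if raw.startswith("#"):
            continue
        if raw.startswith(" ") and last:      # LDIF continuation line
            current[last][-1] += raw[1:]
            continue
        attr, _, value = raw.partition(":")
        if value.startswith(":"):             # base64 value, left opaque
            value = value[1:]
        last = attr.strip()
        current.setdefault(last, []).append(value.strip())
    if current:
        entries.append(current)
    return entries


def ldap_escape(value):
    """RFC 4515 escaping for a filter assertion value, so a User-Name such as
    'test)(uid=*' cannot rewrite the search filter."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)


def build_filter(user, group):
    """The filter string one would hand to ldapsearch or an ldap module."""
    return "(&(objectClass=radiusprofile)(uid=%s)(radiusGroupName=%s))" % (
        ldap_escape(user), ldap_escape(group))


def search(entries, base, scope, conditions):
    """AND-of-equality search over parsed entries. scope is 'sub' (base and
    everything below it) or 'one' (entries exactly one RDN below base)."""
    hits = []
    for e in entries:
        dn = e["dn"][0]
        if not dn.lower().endswith(base.lower()):
            continue
        if scope == "one":
            rest = dn[:-len(base)]
            if not rest.endswith(",") or "," in rest[:-1]:
                continue
        if all(v in e.get(a, []) for a, v in conditions.items()):
            hits.append(e)
    return hits


def priv_level(entry):
    """Parse the privilege level out of radiusCiscoLevel ("shell:priv-lvl=15")."""
    for v in entry.get("radiusCiscoLevel", []):
        m = re.search(r"priv-lvl=(\d+)", v)
        if m:
            return int(m.group(1))
    return None


def authorize(nas_ip, user, entries=None):
    """Intended authorize flow: NAS -> group, find the user's own entry, then
    search one level below it for the sub-profile of that group. Returns
    (accepted, privilege level); unknown NAS, user or group all reject."""
    entries = parse_ldif(LDIF) if entries is None else entries
    group = NAS_GROUP.get(nas_ip)
    if group is None:
        return False, None
    owners = [e for e in search(entries, BASE_DN, "sub", {"uid": user})
              if e["dn"][0].lower().startswith("uid=")]
    if not owners:
        return False, None
    subs = search(entries, owners[0]["dn"][0], "one",
                  {"objectClass": "radiusprofile", "radiusGroupName": group})
    subs = [s for s in subs if priv_level(s) is not None]
    if not subs:
        return False, None
    return True, priv_level(subs[0])


if __name__ == "__main__":
    print(build_filter("test", "bucuresti"))
    for nas in ("192.168.50.202", "192.168.60.1", "10.0.0.1"):
        print(nas, authorize(nas, "test"))
```

Two things the model makes visible. First, an unscoped filter such as `(&(uid=test)(radiusGroupName=bucuresti))` matches both the parent entry `uid=test` (which lists every group) and the `cn=bucuresti` sub-entry, so whichever entry comes back first decides whether a priv-lvl is sent at all; the search has to be scoped one level under the user's DN, or additionally require `radiusCiscoLevel`, to be deterministic. Second, anything taken from the request (User-Name here) must be escaped with the RFC 4515 rules before it is substituted into the filter.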