radius filters for ldap searching

Terry J Fike Jr tfike at mtasolutions.com
Thu May 11 19:07:46 CEST 2006



The only way I got this to work was separate trees in LDAP for each 
group, and then, in the DEFAULT line in your users file, put the tree you 
want it to search for the group and NAS definition.
> 
> Message: 2
> Date: Thu, 11 May 2006 12:52:47 +0300
> From: Mircea Harapu <mircea.harapu at rcs-rds.ro>
> Subject: radius filters for ldap searching
> To: freeradius-users at lists.freeradius.org
> Message-ID: <4463096F.3010605 at rcs-rds.ro>
> Content-Type: text/plain; charset=ISO-8859-1; format=flowed
> 
> Hello,
> 
> I'm using FreeRADIUS 1.0.4 with OpenLDAP 2.2.24 to authenticate users on 
> Cisco switches.
> Every switch belongs to a specific group, and for every user I'm setting 
> the groups he can access. I also use Cisco avpairs for privilege level.
> So far, so good!
> The problems occurred when I tried to make a user have different 
> privilege levels on different switches.
> This is the profile I'm using :
> 
> # test, radius, isp.ro
> dn: uid=test,ou=radius,dc=isp,dc=ro
> uid: test
> objectClass: radiusprofile
> cn: test
> userPassword:: xxx
> radiusGroupName: bucuresti
> radiusGroupName: valcea
> radiusServiceType: NAS-Prompt-User
> 
> # bucuresti, test, radius, isp.ro
> dn: cn=bucuresti,uid=test,ou=radius,dc=isp,dc=ro
> uid: test
> objectClass: radiusprofile
> userPassword:: xxx
> radiusGroupName: bucuresti
> radiusServiceType: NAS-Prompt-User
> radiusCiscoLevel: "shell:priv-lvl=15"
> cn: bucuresti
> 
> # valcea, test, radius, isp.ro
> dn: cn=valcea,uid=test,ou=radius,dc=isp,dc=ro
> uid: test
> objectClass: radiusprofile
> userPassword:: xxx
> radiusGroupName: valcea
> radiusServiceType: NAS-Prompt-User
> radiusCiscoLevel: "shell:priv-lvl=7"
> cn: valcea
> 
> raddb/users
> # Switch 192.168.50.202
> # Description test
> DEFAULT NAS-IP-Address == 192.168.50.202, Ldap-Group == bucuresti
>    Fall-Through = no
> DEFAULT Auth-Type := Reject
> 
> What I need is to filter the LDAP search in the authorize section based on 
> GroupName, and I don't know how.

-- 
Terry J Fike Jr
System Administrator
MTA Solutions
907-793-4100
tfike at mtasolutions.com
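The decision that the quoted raddb/users entries express (match the switch by NAS-IP-Address, require the user to carry that switch's group in radiusGroupName, take the Cisco AVPair from the per-group child entry, and reject everything else via the final DEFAULT) can be modelled offline. The block below is an added example written for this page; it is not FreeRADIUS code and not code from either poster. It parses a constructed LDIF copy of the profile from the quoted message (userPassword is base64 of a dummy value) and assumes a NAS-to-group map in which only the 192.168.50.202 -> bucuresti line comes from the original; the second switch is invented for illustration.

```python
"""Offline model of the per-switch privilege lookup from the thread."""
import base64

# Constructed LDIF: the three entries from the quoted message, with
# userPassword replaced by a real base64 value ("xxx").
LDIF = """\
dn: uid=test,ou=radius,dc=isp,dc=ro
uid: test
objectClass: radiusprofile
cn: test
userPassword:: eHh4
radiusGroupName: bucuresti
radiusGroupName: valcea
radiusServiceType: NAS-Prompt-User

dn: cn=bucuresti,uid=test,ou=radius,dc=isp,dc=ro
uid: test
objectClass: radiusprofile
userPassword:: eHh4
radiusGroupName: bucuresti
radiusServiceType: NAS-Prompt-User
radiusCiscoLevel: "shell:priv-lvl=15"
cn: bucuresti

dn: cn=valcea,uid=test,ou=radius,dc=isp,dc=ro
uid: test
objectClass: radiusprofile
userPassword:: eHh4
radiusGroupName: valcea
radiusServiceType: NAS-Prompt-User
radiusCiscoLevel: "shell:priv-lvl=7"
cn: valcea
"""

# Assumed switch-to-group map. Only the first line is in the original
# raddb/users; the second switch is a hypothetical addition.
NAS_GROUP = {
    "192.168.50.202": "bucuresti",
    "192.168.60.202": "valcea",
}

BASE_DN = "ou=radius,dc=isp,dc=ro"


def parse_ldif(text):
    """Parse LDIF into a list of {attribute: [values]} dicts.
    Handles '::' (base64) values and folded continuation lines."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:   # continuation of previous line
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    entries, cur = [], None
    for line in lines + [""]:                # trailing "" flushes last entry
        if not line:
            if cur:
                entries.append(cur)
            cur = None
            continue
        if cur is None:
            cur = {}
        attr, _, rest = line.partition(":")
        if rest.startswith(":"):             # attr:: base64value
            value = base64.b64decode(rest[1:].strip()).decode()
        else:
            value = rest.strip()
        cur.setdefault(attr, []).append(value)
    return entries


def authorize(entries, user, nas_ip):
    """Return ('accept', avpair) or ('reject', reason).

    Mirrors: DEFAULT NAS-IP-Address == <switch>, Ldap-Group == <group>
             followed by DEFAULT Auth-Type := Reject."""
    group = NAS_GROUP.get(nas_ip)
    if group is None:
        return ("reject", "unknown NAS")
    user_dn = f"uid={user},{BASE_DN}"
    profile = next((e for e in entries if e["dn"][0] == user_dn), None)
    # Ldap-Group check: the user's own entry must list the switch's group.
    if profile is None or group not in profile.get("radiusGroupName", []):
        return ("reject", f"{user} is not in Ldap-Group {group}")
    # Per-group child entry (cn=<group>,uid=<user>,...) carries the AVPair.
    child_dn = f"cn={group},{user_dn}"
    child = next((e for e in entries if e["dn"][0] == child_dn), None)
    if child is None or "radiusCiscoLevel" not in child:
        return ("reject", f"no privilege entry for {user} in {group}")
    return ("accept", child["radiusCiscoLevel"][0].strip('"'))


if __name__ == "__main__":
    entries = parse_ldif(LDIF)
    for nas in ("192.168.50.202", "192.168.60.202", "10.0.0.1"):
        print(nas, authorize(entries, "test", nas))
```

The point of the model is the two separate lookups: group membership is read from the user's own entry, while the privilege level comes only from the child entry selected by the switch's group, so a user who is in the group but has no child entry, or who connects from a switch whose group he does not carry, falls to the reject branch rather than to a default privilege.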


