openldap+freeradius+Cisco
jerrrry at voila.fr
Fri Oct 27 10:18:40 CEST 2006
Hi,
I'm trying to authenticate and authorize Cisco router administrators, but the authorization (privilege level) does not work, i.e. not when I add "aaa authorization exec default group radiusvrf if-authenticated" to the Cisco router to be able to manage privileges with RADIUS.
To make it work, I think I need to configure the Service-Type and cisco-avpair attributes for each user to get the authorization from the Cisco router.
I want to configure these attributes in FreeRADIUS, not in OpenLDAP.
So, is it possible to add these attributes to a specific user in the raddb/users file after he has been authenticated by LDAP? Or must I do it differently?
In raddb/radiusd.conf:

authorize {
	preprocess
	files
	ldap
}

authenticate {
	Auth-Type PAP {
		pap
	}
	Auth-Type LDAP {
		ldap
	}
}
I tried with a user and a DEFAULT user:

raddb/users:

# reply items go on indented continuation lines, comma after every line except the last
Robert
	Service-Type = NAS-Prompt-User,
	cisco-avpair = "shell:priv-lvl=1"

DEFAULT
	Service-Type = NAS-Prompt-User,
	cisco-avpair = "shell:priv-lvl=1"

But these attributes do not seem to be sent to the router. When ldap is in the authorize section of radiusd.conf, is the users file not checked anymore?
Thanks for your help
Thomas
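Added example (not part of the original post, and not FreeRADIUS's own rlm_files code): a small Python checker for the raddb/users file layout the question is about. It parses entries the way the files module reads them (the name line carries check items, indented continuation lines carry reply items, every reply line but the last ends with a comma), flags the mistakes that stop reply attributes such as cisco-avpair from reaching the router, and shows which reply items a given user would receive when entries are walked in file order with the usual first-match-unless-Fall-Through rule. The sample users-file texts and the privilege levels in them are constructed for the demonstration; check items are assumed to pass, since no RADIUS request is evaluated here.

```python
"""Checker for FreeRADIUS 'users'-file entries (illustrative, not rlm_files itself)."""
import re
from dataclasses import dataclass, field

# Attributes that belong in the reply list (sent back to the NAS), never on the name line.
REPLY_ONLY = {"service-type", "cisco-avpair"}

# attribute, operator, value (quoted or bare); longer operators listed before '='
# so that '=' does not swallow the first character of ':=' or '=='.
ITEM_RE = re.compile(r'([\w-]+)\s*(:=|==|\+=|!=|>=|<=|=~|!~|=|>|<)\s*("[^"]*"|[^,\s]+)')


@dataclass
class Entry:
    name: str
    lineno: int
    check: list = field(default_factory=list)        # (attr, op, value) from the name line
    reply: list = field(default_factory=list)        # (attr, op, value) from indented lines
    reply_lines: list = field(default_factory=list)  # raw continuation lines, for the comma rule


def parse_items(text):
    return [(a, op, v.strip('"')) for a, op, v in ITEM_RE.findall(text)]


def parse_users(text):
    """Name line = check items; lines starting with whitespace = reply items of the last entry."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        if line[0] in " \t":
            if not entries:
                raise ValueError(f"line {lineno}: reply items before any entry name")
            entries[-1].reply.extend(parse_items(line))
            entries[-1].reply_lines.append(line.strip())
        else:
            # 'attr = value' at column 0 would be taken as a new user called 'attr'
            if re.match(r'[\w-]+\s*(:=|==|\+=|!=|=)', line):
                raise ValueError(f"line {lineno}: unindented reply item read as a user name")
            parts = line.strip().split(None, 1)
            rest = parts[1] if len(parts) > 1 else ""
            entries.append(Entry(parts[0], lineno, check=parse_items(rest)))
    return entries


def lint(text):
    """Human-readable findings for the mistakes that keep reply attributes from being sent."""
    findings = []
    for e in parse_users(text):
        for attr, _, _ in e.check:
            if attr.lower() in REPLY_ONLY:
                findings.append(f"line {e.lineno}: {attr} on the name line of '{e.name}' "
                                "is a check item; move it to an indented reply line")
        for i, rl in enumerate(e.reply_lines):
            last = i == len(e.reply_lines) - 1
            if last and rl.endswith(","):
                findings.append(f"entry '{e.name}': last reply line must not end with a comma")
            if not last and not rl.endswith(","):
                findings.append(f"entry '{e.name}': reply line '{rl}' needs a trailing comma")
        for attr, _, val in e.reply:
            m = re.fullmatch(r"shell:priv-lvl=(\d+)", val)
            if attr.lower() == "cisco-avpair" and m and not 0 <= int(m.group(1)) <= 15:
                findings.append(f"entry '{e.name}': IOS privilege level must be 0-15, got {m.group(1)}")
    return findings


def resolve(text, username):
    """Reply items a user would get: entries are tried in file order, an entry applies when its
    name is the user or DEFAULT, and processing stops unless the entry sets Fall-Through = Yes.
    Assumption: check items pass (no request is evaluated in this illustration)."""
    reply = {}
    for e in parse_users(text):
        if e.name not in (username, "DEFAULT"):
            continue
        for attr, _, val in e.reply:
            reply[attr] = val
        if not any(a.lower() == "fall-through" and v.lower() == "yes" for a, _, v in e.reply):
            break
    reply.pop("Fall-Through", None)
    return reply


# Constructed sample in the shape of the attempt in the post: Service-Type on the name line.
AS_POSTED = """\
Robert Service-Type = NAS-Prompt-User
\tcisco-avpair = "shell:priv-lvl=1"
DEFAULT Service-Type = NAS-Prompt-User
\tcisco-avpair = "shell:priv-lvl=1"
"""

# Constructed corrected layout: reply items indented, comma after every line but the last.
CORRECTED = """\
Robert
\tService-Type = NAS-Prompt-User,
\tcisco-avpair = "shell:priv-lvl=15"

DEFAULT
\tService-Type = NAS-Prompt-User,
\tcisco-avpair = "shell:priv-lvl=1"
"""

if __name__ == "__main__":
    for f in lint(AS_POSTED):
        print("as posted:", f)
    print("corrected:", lint(CORRECTED) or "no findings")
    print("Robert ->", resolve(CORRECTED, "Robert"))
    print("other user ->", resolve(CORRECTED, "alice"))
```

Running the block reports the two misplaced Service-Type items in the as-posted layout and none in the corrected one; with the corrected file, Robert receives shell:priv-lvl=15 and every other authenticated user falls to the DEFAULT entry's shell:priv-lvl=1, which is the per-user versus default split the question asks about.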