openldap+freeradius+Cisco
jerrrry at voila.fr
Fri Oct 27 15:48:02 CEST 2006
OK, it works fine now with this in the users file:
Robert  Auth-Type = LDAP
        Service-Type = NAS-Prompt-User,
        cisco-avpair = "shell:priv-lvl=1"
But it is said in radius.conf not to use Auth-Type = LDAP.
So is there another solution to add these attributes to the reply?
Thomas
> Message of 27/10/06 at 10:27
> From: "jerrrry at voila.fr"
> To: freeradius-users at lists.freeradius.org
> Cc:
> Subject: openldap+freeradius+Cisco
>
Hi,
I'm trying to authenticate and authorize Cisco router administrators, but the authorization (privilege level) doesn't work, i.e. not when I add "aaa authorization exec default group radiusvrf if-authenticated" to the Cisco router to be able to manage privileges with RADIUS.
To make it work, I think I need to configure the Service-Type and cisco-avpair attributes for each user to get the authorization from the Cisco router.
I want to configure these attributes in FreeRADIUS, not in OpenLDAP.
So, is it possible to add these attributes to a specific user in the raddb/users file after he has been authenticated by LDAP? Or must I do it differently?
In raddb/radiusd.conf:
> authorize {
>     preprocess
>     files
>     ldap
> }
>
> authenticate {
>     Auth-Type PAP {
>         pap
>     }
>     Auth-Type LDAP {
>         ldap
>     }
> }
I tried with a user and a DEFAULT user:
raddb/users:
> Robert  Service-Type = NAS-Prompt-User
>         cisco-avpair = "shell:priv-lvl=1"
>
> DEFAULT Service-Type = NAS-Prompt-User
>         cisco-avpair = "shell:priv-lvl=1"
>
But these attributes don't seem to be sent to the router. When ldap is in authorize in radiusd.conf, isn't the users file checked anymore?
Thanks for your help
Thomas
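As an added example, not the configuration posted in this thread, here is the raddb/users layout FreeRADIUS expects: the first line of an entry carries the user name plus any check items compared against the incoming request, and the indented continuation lines carry the reply items sent back to the NAS, each reply line but the last ending in a comma. The attribute names and values are the ones from the thread; the DEFAULT entry and Fall-Through are an assumed extension.

```conf
# Added example, not the users file from the thread.
# One user: no check items, so the first line holds only the name and
# the ldap module listed in authorize decides how he is authenticated.
# The indented lines are reply items sent to the Cisco router.
Robert
    Service-Type = NAS-Prompt-User,
    cisco-avpair = "shell:priv-lvl=1"

# Assumed catch-all for everyone else: same reply items.
# Fall-Through = Yes lets later entries in this file still be matched.
DEFAULT
    Service-Type = NAS-Prompt-User,
    cisco-avpair = "shell:priv-lvl=1",
    Fall-Through = Yes
```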