jerrrry at jerrrry at
Fri Oct 27 15:48:02 CEST 2006

OK it works fine now with this in the users file: 

Robert  Auth-Type = LDAP
        service-Type = NAS-Prompt-User,
        cisco-avpair = "shell:priv-lvl=1"

But it is said in radius.conf not to use Auth-Type = LDAP.
So is there another solution to add these attributes in the reply?


> Message of 27/10/06 at 10:27
> From: "jerrrry at"
> To: freeradius-users at
> Cc:
> Subject: openldap+freeradius+Cisco
I'm trying to authenticate and authorize Cisco routers administrators But not the authorization (privilege level). so not when I add "aaa authorization exec default group radiusvrf if-authenticated" to the Cisco router to be able to manage privileges with radius.

To make it work, I think I need to configure Service-Type and cisco-avpair attributes for each user to get the authorization from the Cisco router.
I want to configure these attributes in freeradius, not in openldap.

So, is it possible to add these attributes to a specific user in the raddb/users file after he has been authenticated by ldap? Or must I do it differently?

In raddb/radiusd.conf:
> authorize {
> preprocess
> files
> ldap
> }
> authenticate {
> Auth-Type PAP {
> pap
> }
> Auth-Type LDAP {
> ldap
> }
> }
I tried with a user and a DEFAULT user:


> Robert Service-Type = NAS-Prompt-User
> cisco-avpair = "shell:priv-lvl=1"
> DEFAULT Service-Type = NAS-Prompt-User
> cisco-avpair = "shell:priv-lvl=1"
But these attributes seem not to be sent to the router. When ldap is in authorize in radiusd.conf, the users file is not checked anymore?

Thanks for your help
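
Added example (not from the original post or the FreeRADIUS project): a small Python parser for the users-file layout, showing that items on an entry's first line are check items while only the indented lines are reply items, and listing entries that set Auth-Type by hand. The sample entries are constructed; the indentation and the user Alice are assumptions, since the archive flattened the original layout.

```python
import re

# Constructed sample. Entry 1 is the entry from the post with the indentation
# the users file needs (assumed; the archive flattened it). Entry 2 uses a
# hypothetical user with Service-Type placed on the first line.
SAMPLE = '''\
Robert  Auth-Type = LDAP
        service-Type = NAS-Prompt-User,
        cisco-avpair = "shell:priv-lvl=1"

Alice   Service-Type = NAS-Prompt-User
        cisco-avpair = "shell:priv-lvl=1"
'''

ITEM = re.compile(r'\s*([\w-]+)\s*(=~|!~|[:+!<>=]?=|<|>)\s*("[^"]*"|[^,\s]+)\s*')
COMMA = re.compile(r',(?=(?:[^"]*"[^"]*")*[^"]*$)')  # commas outside quotes

def parse_items(line):
    """Turn 'Attr op value, Attr op value' into (attr, op, value) tuples."""
    items = []
    for part in COMMA.split(line):
        if not part.strip():
            continue  # trailing comma at the end of a reply line
        m = ITEM.fullmatch(part)
        if m is None:
            raise ValueError(f"cannot parse item: {part!r}")
        items.append((m.group(1), m.group(2), m.group(3).strip('"')))
    return items

def parse_users(text):
    """First line of an entry: name + check items. Indented lines: reply items."""
    entries = []
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith('#'):
            continue
        if line[0] in ' \t':
            if not entries:
                raise ValueError("reply items before any entry")
            entries[-1]['reply'] += parse_items(line)
        else:
            name, *rest = line.split(None, 1)
            entries.append({'name': name, 'check': parse_items(''.join(rest)), 'reply': []})
    return entries

def forced_auth_types(entries):
    """Entries whose check items set Auth-Type by hand, as the post's entry does."""
    return {e['name']: v for e in entries
            for a, _, v in e['check'] if a.lower() == 'auth-type'}
```

In the second constructed entry, Service-Type is parsed as a check item to be matched against the request, so only cisco-avpair is left as a reply attribute.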

More information about the Freeradius-Users mailing list