VPN and Group Policy
Deramus, Chris
Chris.Deramus at hq.doe.gov
Wed Feb 21 14:57:27 CET 2007
Assuming you have your reply table set up properly the following should
work:
id  UserName   Attribute  Value      op
1   test.user  Class      TestGroup  ==
I've used this setup for 3 years with both Cisco 3000s and for the
past year with ASA 5000s and it works like a charm.
-----Original Message-----
From: freeradius-users-bounces+chris.deramus=hq.doe.gov at lists.freeradius.org
[mailto:freeradius-users-bounces+chris.deramus=hq.doe.gov at lists.freeradius.org]
On Behalf Of Berndt Sevcik
Sent: Wednesday, February 21, 2007 8:03 AM
To: FreeRadius users mailing list
Subject: VPN and Group Policy
We are using a Cisco ASA Firewall for VPN access (like a VPN3000).
The RADIUS server should authenticate our users and assign them a group
policy. Somewhere I read that I have to send the CLASS attribute in the
RADIUS reply to assign the group policy to a user.
When I look at the debug output from the firewall I can see that the
attribute is sent to the firewall. Also the access accept packet is
received by the firewall.
Radius: Code = 2 (0x02)
Radius: Identifier = 17 (0x11)
Radius: Length = 88 (0x0058)
Radius: Vector: 2B9061A9AA15E08DA2F1FACCFFD012F7
Radius: Type = 25 (0x19) Class
Radius: Length = 16 (0x10)
Radius: Value (String) =
4f 55 3d 49 54 2d 53 65 72 76 69 63 65 3b | OU=IT-Service;
,,,,,
rad_procpkt: ACCEPT
RADIUS_ACCESS_ACCEPT: normal termination RADIUS_DELETE remove_req
0xf6d9874 session 0x208 id 17 free_rip 0xf6d9874
radius: send queue empty
Is there another attribute to send back? Something special to know about
freeRADIUS config? Does someone have a working config or some tips for me?
Thanks in advance.
Berndt
-----------------------------------------
TGM - Die Schule der Technik
IT-Service
A-1200 Wien, Wexstr. 19-23
Tel. +43(1)33126/316 Fax: +43(1)33126/154
E-Mail: berndt.sevcik at tgm.ac.at
-----------------------------------------
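
Added example (not part of the original thread and not FreeRADIUS or Cisco code): a small RFC 2865 packet parser for checking offline, from a captured reply, that the Access-Accept really carries the Class attribute (type 25) shown in the debug output above. The sample packet is constructed from the identifier, vector and Class bytes in that output; the attributes elided there are not reproduced, so its length is 36 rather than 88. The helper names are hypothetical.

```python
import re
import struct

ATTR_CLASS = 25        # RFC 2865 section 5.25
ACCESS_ACCEPT = 2

def parse_radius(packet: bytes):
    """Return (code, identifier, authenticator, [(type, value), ...])."""
    if len(packet) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length > len(packet):
        raise ValueError("header length %d does not fit %d received bytes"
                         % (length, len(packet)))
    attrs, pos = [], 20
    while pos < length:              # bytes past 'length' are padding
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        a_type, a_len = packet[pos], packet[pos + 1]
        if a_len < 2 or pos + a_len > length:
            raise ValueError("attribute %d has bad length %d" % (a_type, a_len))
        attrs.append((a_type, packet[pos + 2:pos + a_len]))
        pos += a_len
    return code, ident, packet[4:20], attrs

def class_values(packet: bytes):
    """All Class attribute values of an Access-Accept, decoded as text."""
    code, _, _, attrs = parse_radius(packet)
    if code != ACCESS_ACCEPT:
        raise ValueError("code %d is not Access-Accept" % code)
    return [v.decode("ascii", "replace") for t, v in attrs if t == ATTR_CLASS]

def ou_name(class_value: str):
    """Name inside an 'OU=<name>;' value (the form seen in the debug output)."""
    m = re.fullmatch(r"OU=([^;]+);", class_value)
    return m.group(1) if m else None

def build_sample() -> bytes:
    # Constructed sample: only the fields visible in the debug output above.
    value = bytes.fromhex("4f553d49542d536572766963653b")   # OU=IT-Service;
    attr = bytes([ATTR_CLASS, len(value) + 2]) + value       # Length = 16
    auth = bytes.fromhex("2B9061A9AA15E08DA2F1FACCFFD012F7")
    return struct.pack("!BBH", ACCESS_ACCEPT, 17, 20 + len(attr)) + auth + attr

if __name__ == "__main__":
    for value in class_values(build_sample()):
        print("Class =", repr(value), "-> name:", ou_name(value))
```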