VPN and Group Policy

Berndt Sevcik berndt.sevcik at tgm.ac.at
Wed Feb 21 17:57:17 CET 2007


Thanks, it works now. The problem was a conflict with attributes of
another vendor.

Is there a possibility in freeradius to configure a kind of attribute
filter for different client types? In our special case we would like
to return the Class attribute to our firewall but the attributes
Tunnel-Private-Group-Id, Filter-Id and Tunnel-Group to our access
points.

The problem was that when we send these attributes to the firewall the
authentication fails. After deleting them everything works perfectly.

At the moment the return attributes are saved in the user object in  
eDirectory.

Thanks
Berndt

On 21.02.2007 at 14:57, Deramus, Chris wrote:

> Assuming you have your reply table set up properly the following
> should work:
>
> id   UserName	Attribute	Value		op
> 1    test.user	Class 	TestGroup 	==
>
> I've used this set up for 3 years with both Cisco 3000's and for the
> past year with ASA 5000's and it works like a charm.
>
> -----Original Message-----
> From:
> freeradius-users-bounces+chris.deramus=hq.doe.gov at lists.freeradius.org
> [mailto:freeradius-users-bounces+chris.deramus=hq.doe.gov at lists.freeradius.org]
> On Behalf Of Berndt Sevcik
> Sent: Wednesday, February 21, 2007 8:03 AM
> To: FreeRadius users mailing list
> Subject: VPN and Group Policy
>
> We are using a Cisco ASA Firewall for VPN access (like a VPN3000).
>
> The RADIUS server should authenticate our users and assign them a
> group policy. Somewhere I read that I have to send the CLASS attribute
> in the RADIUS reply to assign the group policy to a user.
>
> When I look at the debug output from the firewall I can see that the
> attribute is sent to the firewall. Also the access accept packet is
> received by the firewall.
>
> Radius: Code = 2 (0x02)
> Radius: Identifier = 17 (0x11)
> Radius: Length = 88 (0x0058)
> Radius: Vector: 2B9061A9AA15E08DA2F1FACCFFD012F7
> Radius: Type = 25 (0x19) Class
> Radius: Length = 16 (0x10)
> Radius: Value (String) =
> 4f 55 3d 49 54 2d 53 65 72 76 69 63 65 3b          |  OU=IT-Service;
> ,,,,,
> rad_procpkt: ACCEPT
> RADIUS_ACCESS_ACCEPT: normal termination RADIUS_DELETE remove_req
> 0xf6d9874 session 0x208 id 17 free_rip 0xf6d9874
> radius: send queue empty
>
> Is there another attribute to send back? Something special to know
> about freeRADIUS config? Does someone have a working config or some
> tips for me?
>
> Thanks in advance.
>
> Berndt
>
>   -----------------------------------------
>   TGM - Die Schule der Technik
>   IT-Service
>   A-1200 Wien, Wexstr. 19-23
>   Tel. +43(1)33126/316 Fax: +43(1)33126/154
>   E-Mail: berndt.sevcik at tgm.ac.at
>   -----------------------------------------
>
>

  -----------------------------------------
  TGM - Die Schule der Technik
  IT-Service
  A-1200 Wien, Wexstr. 19-23
  Tel. +43(1)33126/316 Fax: +43(1)33126/154
  E-Mail: berndt.sevcik at tgm.ac.at
  -----------------------------------------
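
Added example, not part of the thread and not FreeRADIUS code: a Python check that parses a RADIUS reply like the Access-Accept in the debug output above and lists the attributes a given client type should not have received. The `ALLOWED` policy, the client-type labels and the Filter-Id and Tunnel-Private-Group-Id values are assumptions constructed for illustration; Tunnel-Group is left out because the thread gives no number for it.

```python
import struct

# Attribute numbers per RFC 2865 (Filter-Id, Class) and RFC 2868 (tunnel attribute).
ATTR_NAMES = {11: "Filter-Id", 25: "Class", 81: "Tunnel-Private-Group-Id"}
# Assumed policy mirroring the post: reply attributes allowed per client type.
ALLOWED = {
    "firewall": {"Class"},
    "access-point": {"Filter-Id", "Tunnel-Private-Group-Id"},
}

def build_packet(code, ident, authenticator, attrs):
    """Encode a RADIUS packet from (type, value-bytes) pairs."""
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)
    return struct.pack("!BBH16s", code, ident, 20 + len(body), authenticator) + body

def parse_packet(data):
    """Return (code, identifier, [(name, value)]) with strict length checks."""
    if len(data) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    code, ident, length, _auth = struct.unpack("!BBH16s", data[:20])
    if length < 20 or length > len(data):
        raise ValueError("bad packet length field")
    attrs, pos = [], 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        atype, alen = data[pos], data[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("bad attribute length")
        attrs.append((ATTR_NAMES.get(atype, str(atype)), data[pos + 2:pos + alen]))
        pos += alen
    return code, ident, attrs

def unexpected_attributes(data, client_type):
    """Names of reply attributes this client type should not have received."""
    _code, _ident, attrs = parse_packet(data)
    return sorted({name for name, _ in attrs} - ALLOWED[client_type])

# Constructed sample: Access-Accept (code 2), id 17, authenticator and Class
# value taken from the debug output; the other two values are made up.
AUTH = bytes.fromhex("2B9061A9AA15E08DA2F1FACCFFD012F7")
SAMPLE = build_packet(2, 17, AUTH, [
    (25, b"OU=IT-Service;"), (11, b"staff"), (81, b"42")])
```

Running `unexpected_attributes` on a captured reply for each client type shows whether the server-side filter is actually removing the attributes that client cannot handle.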




