VPN and Group Policy
Berndt Sevcik
berndt.sevcik at tgm.ac.at
Wed Feb 21 17:57:17 CET 2007
Thanks, it works now. The problem was a conflict with attributes of
another vendor.
Is there a possibility in freeradius to configure a kind of attribute
filter for different client types? In our special case we would like
to return the Class attribute to our firewall but the attributes
Tunnel-Private-Group-Id, Filter-Id and Tunnel-Group to our access
points.
The problem was that when we send these attributes to the firewall the
authentication fails. After deleting them everything works perfectly.
At the moment the return attributes are saved in the user object in
eDirectory.
Thanks
Berndt
On 21.02.2007 at 14:57, Deramus, Chris wrote:
> Assuming you have your reply table set up properly the following
> should work:
>
> id  UserName   Attribute  Value      op
> 1   test.user  Class      TestGroup  ==
>
> I've used this set up for 3 years with both Cisco 3000's and for the
> past year with ASA 5000's and it works like a charm.
>
> -----Original Message-----
> From: freeradius-users-bounces+chris.deramus=hq.doe.gov at lists.freeradius.org
> [mailto:freeradius-users-bounces+chris.deramus=hq.doe.gov at lists.freeradius.org]
> On Behalf Of Berndt Sevcik
> Sent: Wednesday, February 21, 2007 8:03 AM
> To: FreeRadius users mailing list
> Subject: VPN and Group Policy
>
> We are using a Cisco ASA Firewall for VPN access (like a VPN3000).
>
> The RADIUS server should authenticate our users and assign them a
> group policy. Somewhere I read that I have to send the CLASS attribute
> in the RADIUS reply to assign the group policy to a user.
>
> When I look at the debug output from the firewall I can see that the
> attribute is sent to the firewall. Also the access accept packet is
> received by the firewall.
>
> Radius: Code = 2 (0x02)
> Radius: Identifier = 17 (0x11)
> Radius: Length = 88 (0x0058)
> Radius: Vector: 2B9061A9AA15E08DA2F1FACCFFD012F7
> Radius: Type = 25 (0x19) Class
> Radius: Length = 16 (0x10)
> Radius: Value (String) =
> 4f 55 3d 49 54 2d 53 65 72 76 69 63 65 3b | OU=IT-Service;
> ,,,,,
> rad_procpkt: ACCEPT
> RADIUS_ACCESS_ACCEPT: normal termination RADIUS_DELETE remove_req
> 0xf6d9874 session 0x208 id 17 free_rip 0xf6d9874
> radius: send queue empty
>
> Is there another attribute to send back? Something special to know
> about freeRADIUS config? Has someone a working config or some tips
> for me?
>
> Thanks in advance.
>
> Berndt
>
> -----------------------------------------
> TGM - Die Schule der Technik
> IT-Service
> A-1200 Wien, Wexstr. 19-23
> Tel. +43(1)33126/316 Fax: +43(1)33126/154
> E-Mail: berndt.sevcik at tgm.ac.at
> -----------------------------------------
>
>
> -
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html
-----------------------------------------
TGM - Die Schule der Technik
IT-Service
A-1200 Wien, Wexstr. 19-23
Tel. +43(1)33126/316 Fax: +43(1)33126/154
E-Mail: berndt.sevcik at tgm.ac.at
-----------------------------------------
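
An added illustration, not part of the original thread and not FreeRADIUS configuration: the per-client-type reply filtering asked about above, applied to an Access-Accept before it is encoded, because the Response Authenticator (RFC 2865) is an MD5 over the final attribute list. The client type names, the allow-lists, the shared secret and the sample values are assumptions constructed for the example.

```python
import hashlib
import struct

# RADIUS attribute type numbers (RFC 2865 / RFC 2868)
FILTER_ID, CLASS, TUNNEL_PRIVATE_GROUP_ID = 11, 25, 81
ACCESS_ACCEPT = 2

# Hypothetical per-client-type allow-lists, mirroring the split asked for above
ALLOWED = {
    "firewall": {CLASS},
    "access_point": {FILTER_ID, TUNNEL_PRIVATE_GROUP_ID},
}

def filter_reply(client_type, attrs):
    """Keep only the (type, value) pairs permitted for this client type."""
    allowed = ALLOWED[client_type]
    return [(t, v) for t, v in attrs if t in allowed]

def encode_attrs(attrs):
    """Serialize as type/length/value; length includes the 2-byte header."""
    out = b""
    for t, v in attrs:
        if not 1 <= len(v) <= 253:
            raise ValueError("attribute value must be 1..253 bytes")
        out += struct.pack("!BB", t, len(v) + 2) + v
    return out

def build_accept(ident, request_auth, secret, attrs):
    """Build an Access-Accept; the Response Authenticator covers the final
    attribute list, so filtering has to happen before this step."""
    body = encode_attrs(attrs)
    header = struct.pack("!BBH", ACCESS_ACCEPT, ident, 20 + len(body))
    auth = hashlib.md5(header + request_auth + body + secret).digest()
    return header + auth + body

def parse_attrs(packet):
    """Decode the attribute list that follows the 20-byte RADIUS header."""
    (length,) = struct.unpack("!H", packet[2:4])
    if length < 20 or length > len(packet):
        raise ValueError("bad packet length")
    pos, attrs = 20, []
    while pos < length:
        if pos + 2 > length or packet[pos + 1] < 2 or pos + packet[pos + 1] > length:
            raise ValueError("malformed attribute")
        attrs.append((packet[pos], packet[pos + 2:pos + packet[pos + 1]]))
        pos += packet[pos + 1]
    return attrs

# Constructed sample data (not taken from a real capture)
USER_REPLY = [(CLASS, b"OU=IT-Service;"), (FILTER_ID, b"staff"),
              (TUNNEL_PRIVATE_GROUP_ID, b"20")]
REQ_AUTH, SECRET = bytes(16), b"constructed-secret"
```
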