cisco vpn authentication, freeradius and best practices
Elizabeth Steinke
liz at twistedpair.cc
Sun Oct 19 18:56:54 CEST 2008
Greetings,
I have a best practices question. I am currently building a freeradius+LVS
cluster to replace an existing radius server. In the process I am trying to
do things as solidly as possible. Part of this process is tidying up the
users file. In the process I noticed a rule that made me a little squishy.
The purpose of the rule is to handle incoming requests from a cisco pix for
VPN authentication. It is supposed to validate it using ntlm_auth. There are
two ntlm_auth definitions in the radiusd.conf. One handles MS-CHAP and one
is for ntlm_auth_plaintext.
I tested this rule with radtest (Making the necessary modifications and it
worked fine.
DEFAULT Huntgroup-Name = "vpn-pix",Ldap-Group = "CN=somevpn...", Auth-Type
:= ntlm_auth_plaintext
DEFAULT Huntgroup-Name = "vpn-pix",Ldap-Group != "CN=somevpn...", Auth-Type
:= Reject
Is it a good idea to force the auth-type in the users file? is there a
cleaner way to do this?
While rewriting the rules file I am pairing accept and denies as above. Is
that necessary or will it turn out to be horribly inefficient?
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.freeradius.org/pipermail/freeradius-users/attachments/20081019/3c45f3ef/attachment.html>
More information about the Freeradius-Users
mailing list