cisco vpn authentication, freeradius and best practices
Alan DeKok
aland at deployingradius.com
Sun Oct 19 20:17:14 CEST 2008
Elizabeth Steinke wrote:
> I tested this rule with radtest (making the necessary modifications) and
> it worked fine.
>
> DEFAULT Huntgroup-Name = "vpn-pix",Ldap-Group = "CN=somevpn...",
> Auth-Type := ntlm_auth_plaintext
> DEFAULT Huntgroup-Name = "vpn-pix",Ldap-Group != "CN=somevpn...",
> Auth-Type := Reject
Then it's fine.
> Is it a good idea to force the auth-type in the users file? is there a
> cleaner way to do this?
If it works... it's fine.
The big rants about not forcing Auth-Type are because of the people
who force it without understanding the consequences... and then complain
when it doesn't work.
> While rewriting the rules file I am pairing accept and denies as above.
> Is that necessary or will it turn out to be horribly inefficient?
It's good practice. But doing all of those LDAP-Group queries can get
expensive. i.e. you're doing *two* queries instead of one.
You could fix this with "unlang":
if (Huntgroup-Name == "vpn-pix") {
    if (LDAP-Group == ...) {
        update control {
            Auth-Type := ntlm_auth_plaintext
        }
    }
    else {
        reject
    }
}
Only one LDAP-Group check is more efficient.
Alan DeKok.
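An added, complete version of the single-query approach Alan describes, not code from the original thread: the policy sits in the authorize section of a FreeRADIUS 2.x virtual server, with the huntgroup defined in the huntgroups file. The NAS address, the group DN and the module name ntlm_auth_plaintext (assumed to be an exec-module instance the poster already has) are placeholders.

```unlang
# raddb/huntgroups (constructed example; the NAS address is a placeholder)
vpn-pix    NAS-IP-Address == 192.0.2.10

# raddb/sites-enabled/default, authorize section (FreeRADIUS 2.x)
authorize {
    preprocess          # reads huntgroups and adds Huntgroup-Name to the request

    # Cheap attribute check first: only requests from the VPN NAS reach LDAP.
    if (Huntgroup-Name == "vpn-pix") {
        # A single Ldap-Group comparison, so one LDAP query per request
        # instead of the two that the paired users-file entries cause.
        if (Ldap-Group == "CN=somevpn,OU=Groups,DC=example,DC=com") {
            update control {
                Auth-Type := ntlm_auth_plaintext
            }
        }
        else {
            # Not a member of the group: stop here, nothing else is consulted.
            reject
        }
    }

    # Requests from other NASes fall through to the usual modules.
    files
    pap
}
```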
More information about the Freeradius-Users mailing list