cisco vpn authentication, freeradius and best practices
Elizabeth Steinke
liz at twistedpair.cc
Sun Oct 19 23:03:24 CEST 2008
Fantastic!
Thanks so much. unlang looks pretty interesting. I'll need to do more
reading. Is there a book coming out on FreeRADIUS 2 soon? I've gotten a lot
of good info from the O'Reilly FreeRADIUS 1 book.
Thanks!
Liz
On Sun, Oct 19, 2008 at 11:17 AM, Alan DeKok <aland at deployingradius.com> wrote:
> Elizabeth Steinke wrote:
> > I tested this rule with radtest (making the necessary modifications) and
> > it worked fine.
> >
> > DEFAULT Huntgroup-Name = "vpn-pix",Ldap-Group = "CN=somevpn...",
> > Auth-Type := ntlm_auth_plaintext
> > DEFAULT Huntgroup-Name = "vpn-pix",Ldap-Group != "CN=somevpn...",
> > Auth-Type := Reject
>
> Then it's fine.
>
> > Is it a good idea to force the auth-type in the users file? is there a
> > cleaner way to do this?
>
> If it works... it's fine.
>
> The big rants about not forcing Auth-Type are because of the people
> who force it without understanding the consequences... and then complain
> when it doesn't work.
>
> > While rewriting the rules file I am pairing accept and denies as above.
> > Is that necessary or will it turn out to be horribly inefficient?
>
> It's good practice. But doing all of those LDAP-Group queries can get
> expensive. i.e. you're doing *two* queries instead of one.
>
> You could fix this with "unlang":
>
> if (Huntgroup-Name == "vpn-pix") {
>     if (LDAP-Group == ...) {
>         update control {
>             Auth-Type := ntlm_auth_plaintext
>         }
>     }
>     else {
>         reject
>     }
> }
>
> Only one LDAP-Group check is more efficient.
>
> Alan DeKok.
> -
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html
>
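For readers who want to see where Alan's snippet lives in a real configuration, here is an added example (not from the thread, and not FreeRADIUS project code) of the single-LDAP-lookup version placed in the `authorize` section of a FreeRADIUS 2.x virtual server. The huntgroup definition, the NAS address and the full group DN are constructed placeholders; the page only shows `CN=somevpn...`, and `ntlm_auth_plaintext` is the Auth-Type name the original poster already uses.

```unlang
# raddb/huntgroups (constructed example): tie the "vpn-pix" huntgroup to
# the VPN concentrator's NAS address. 192.0.2.10 is a placeholder.
#
#   vpn-pix    NAS-IP-Address == 192.0.2.10

# raddb/sites-enabled/default, inside the "authorize" section.
# This goes after the "ldap" module call so the user has already been
# looked up; the LDAP-Group comparison is served by the ldap module.
if (Huntgroup-Name == "vpn-pix") {
    # One LDAP-Group comparison instead of the two implied by the paired
    # "DEFAULT ... Ldap-Group = ..." / "DEFAULT ... Ldap-Group != ..."
    # entries in the users file. The DN is a placeholder.
    if (LDAP-Group == "CN=somevpn,OU=placeholder,DC=example,DC=com") {
        update control {
            Auth-Type := ntlm_auth_plaintext
        }
    }
    else {
        # Not a member of the VPN group: reject now rather than letting a
        # later module pick an Auth-Type for this request.
        reject
    }
}
```

Because the `if`/`else` evaluates `LDAP-Group` once, a non-member costs one directory query and an explicit reject, while a member gets `Auth-Type` forced exactly as the users-file rule did. Requests from other huntgroups fall through this block untouched, so the rest of `authorize` behaves as before.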