Cisco VPN Server 3000 + Radius + LDAP = heeelp!!
Parham Beheshti
p_beheshti at rasana.net
Tue Sep 9 08:40:34 CEST 2008
This is how we do it:

radius.conf:
  get the user's group from LDAP
users file:
  if user is member of groupA assign IP pool1
  if user is member of groupB assign IP pool2
Here is our users file (this one does not use IP pools; it just limits the connection duration and when users can log in):

DEFAULT LDAP-Group == "VPN12", Max-Daily-Session := 43200
        Fall-Through = Yes
DEFAULT LDAP-Group == "VPNSALES", Max-Daily-Session := 7200, Login-Time := "Any0730-0830,Any1630-1730"
        Fall-Through = Yes
-----Original Message-----
From: freeradius-users-bounces+p_beheshti=rasana.net at lists.freeradius.org on behalf of Osvaldo Campos M. - Administrador Red STI
Sent: Tue 9/9/2008 2:36 AM
To: FreeRadius users mailing list
Subject: Cisco VPN Server 3000 + Radius + LDAP = heeelp!!
Hi people:
First of all, sorry, but my English is not good.
I'm a newbie with FreeRADIUS, and I am in a hurry with Cisco VPN Server 3000,
FreeRADIUS and LDAP, to permit VPN users' access.
When VPN users connect (with "Cisco VPN Client"), RADIUS consults LDAP to
check whether the user exists. If it exists, the user can connect to the VPN;
if not, it can't. This works well.
Now I should also assign IP addresses according to an LDAP attribute.
For example, if attribute==1 assign 10.0.0.10/24, if attribute==2 assign
10.0.0.20/24.
I tried to assign IP addresses with the "ippool module" and filters in the
"ldap module" in FreeRADIUS, but it doesn't work.
How can I work with many ippools according to the value of an LDAP
attribute? Where should I ask for the attribute value in order to assign
the corresponding ippool? Please help me with that.
My config is something like this:
In the radius.conf file...
ldap vpnldap1 {
server = "x.x.x.x"
identity = "cn=Directory Manager"
password = **********
basedn = "ou=People, dc=blah, dc=cl"
filter = "(&(uid=%u)(attribute=1))"
authtype = ldap
set_auth_type = yes
}
ldap vpnldap2 {
server = "x.x.x.x"
identity = "cn=Directory Manager"
password = **********
basedn = "ou=People, dc=blah, dc=cl"
filter = "(&(uid=%u)(attribute=2))"
authtype = ldap
set_auth_type = yes
}
....
authorize {
files
Autz-Type LDAPVPN1 {
vpnldap1
}
Autz-Type LDAPVPN2 {
vpnldap2
}
}
....
authentication {
Auth-Type LDAPVPN1 {
vpnldap1
}
Auth-Type LDAPVPN2 {
vpnldap2
}
}
....
ippool vpnusers1 {
range-start = 10.0.0.10
range-stop = 10.0.0.19
netmask = 255.255.255.0
cache-size = 10
session-db = ${raddbdir}/db.vpnusers1-session
ip-index = ${raddbdir}/db.vpnusers1-index
override = yes
}
....
ippool vpnusers2 {
range-start = 10.0.0.20
range-stop = 10.0.0.29
netmask = 255.255.255.0
cache-size = 10
session-db = ${raddbdir}/db.vpnusers2-session
ip-index = ${raddbdir}/db.vpnusers2-index
override = yes
}
....
In the users file...
(I don't know how to configure this file for several "ippool"s... I think
the problem is here)
DEFAULT NAS-IP-Address = "y.y.y.y", Auth-Type := LDAPVPN1, Autz-Type := LDAPVPN1, Pool-Name := vpnusers1
DEFAULT NAS-IP-Address = "y.y.y.y", Auth-Type := LDAPVPN2, Autz-Type := LDAPVPN2, Pool-Name := vpnusers2
# y.y.y.y = address of the VPN server
In the ldap.attrmap...
checkItem vpnusers1 attribute
checkItem vpnusers2 attribute
Please help me with this config.
Thank you...
Osvaldo H. Campos Molina
Administrador de Red
STI - Univ. de Chile
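As an added example (not taken from either poster's setup), this is the shape of the two files Parham describes, written in the FreeRADIUS 1.x layout that Osvaldo's config uses: one ldap instance that authenticates the user and answers LDAP-Group checks, two ippool instances named after the pool names from the original message, and a users file that picks the pool by group. The hostname, bind account, group DNs and the group names groupA/groupB are assumed placeholders.

```conf
# radiusd.conf (FreeRADIUS 1.x layout, as in the original message). One rlm_ldap
# instance authenticates the user and answers LDAP-Group checks. Placeholder DNs.
ldap {
        server = "ldap.example.com"
        identity = "cn=radius,ou=Services,dc=example,dc=cl"   # read-only bind account
        password = "changeme"
        basedn = "ou=People,dc=example,dc=cl"
        filter = "(uid=%{Stripped-User-Name:-%{User-Name}})"
        # group entries are groupOfNames objects listing the user DN in "member";
        # their cn is what LDAP-Group == "..." in the users file is compared with
        groupname_attribute = cn
        groupmembership_filter = "(&(objectClass=groupOfNames)(member=%{Ldap-UserDn}))"
        set_auth_type = yes
}
ippool vpnusers1 {              # the instance name is what Pool-Name must equal
        range-start = 10.0.0.10
        range-stop = 10.0.0.19
        netmask = 255.255.255.0
        session-db = ${raddbdir}/db.vpnusers1-session
        ip-index = ${raddbdir}/db.vpnusers1-index
        override = yes          # replace any Framed-IP-Address already in the reply
}
ippool vpnusers2 {
        range-start = 10.0.0.20
        range-stop = 10.0.0.29
        netmask = 255.255.255.0
        session-db = ${raddbdir}/db.vpnusers2-session
        ip-index = ${raddbdir}/db.vpnusers2-index
        override = yes
}
authorize {
        ldap                    # finds the user, sets Ldap-UserDn and Auth-Type = LDAP
        files                   # evaluates LDAP-Group and sets Pool-Name
}
authenticate {
        Auth-Type LDAP {
                ldap
        }
}
post-auth {                     # rlm_ippool allocates here; an instance acts only
        vpnusers1               # when Pool-Name equals its own name, so both are
        vpnusers2               # listed and at most one assigns an address
}
accounting {                    # same instances, so the lease is freed on Stop
        vpnusers1
        vpnusers2
}
# users -- no Fall-Through, so the first matching group wins; a user in neither group gets no Pool-Name
DEFAULT LDAP-Group == "groupA", Pool-Name := "vpnusers1"
DEFAULT LDAP-Group == "groupB", Pool-Name := "vpnusers2"
```

Binding as a dedicated read-only account rather than the directory manager, as the original config does, limits what a compromised RADIUS host can do to the directory.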
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html