Cisco VPN Server 3000 + Radius + LDAP = heeelp!!

Tue Sep 9 13:59:14 CEST 2008

If I understood what you need ...

Using Cisco VPN Client, you can define "Groups" in the Cisco 
Concentrator ...

Configuration -> User Management -> Groups

... and assign an "Address Pool" to each group. According the Group used 
in the Cisco VPN Client, the user will receive an IP addresses from a 
different Address Pool.

Create the Group and upon that create the Address Pool

Configuration -> User Management -> Groups -> Address Pools

Best Regards,

Leonardo

Osvaldo Campos M. - Administrador Red STI wrote:
> Hi people:
> First of all, sorry but my english is not good.
>
> I'm newie in FreeRadius and I am in a hurry with Cisco VPN Server 
> 3000, FreeRadius and LDAP, to permit vpn user's access.
> When vpn users connect (with "Cisco VPN Client"), Radius consult to 
> LDAP if user exist. If exist, then user can connect to vpn. If not, 
> can't connect. This works well.
> Now, also I should assign IP addresses according to an LDAP attribute. 
> For example, if attribute==1 assign 10.0.0.10/24, if attribute==2 
> assign 10.0.0.20/24.
> I try to assign IP addresses with "ippool module" and filters in the 
> "ldap module" in FreeRadius, but it doesn't work.
> How can I work with many ippool's according to a value of LDAP 
> attribute? Where should I ask for the attribute value in order to 
> assign the corresponding ippool?.  Please, help me with that.
>
>
> My config is something like that:
> In the radius.conf file...
> ldap vpnldap1 {
>    server = "x.x.x.x"
>    identity = "cn=Directory Manager"
>    password = **********
>    basedn = "ou=People, dc:blah, dc=cl"
>    filter = "(&(uid=%u)(attribute=1))"
>    authtype = ldap
>    set_asuth_type = yes
> }
> ldap vpnldap2 {
>    server = "x.x.x.x"
>    identity = "cn=Directory Manager"
>    password = **********
>    basedn = "ou=People, dc:blah, dc=cl"
>    filter = "(&(uid=%u)(attribute=2))"
>    authtype = ldap
>    set_asuth_type = yes
> }
> ....
> authorize {
>    files
>    Autz-Type LDAPVPN1 {
>        vpnldap1
>    }
>    Autz-Type LDAPVPN2 {
>        vpnldap2
>    }
> }
> ....
> authentication {
>    Auth-Type LDAPVPN1 {
>        vpnldap1
>    }
>    Auth-Type LDAPVPN2 {
>        vpnldap2
>    }
> }
> ....
> ippool vpnusers1 {
>    range-start    = 10.0.0.10
>    range-stop    = 10.0.0.19
>    netmask        = 255.255.255.0
>    cache-size    = 10
>    session-db    = ${raddbdir}/db.vpnusers1-session
>    ip-index        = ${raddbdir}/db.vpnusers1-index
>    override        = yes
> }
> ....
> ippool vpnusers2 {
>    range-start    = 10.0.0.20
>    range-stop    = 10.0.0.29
>    netmask        = 255.255.255.0
>    cache-size    = 10
>    session-db    = ${raddbdir}/db.vpnusers2-session
>    ip-index        = ${raddbdir}/db.vpnusers2-index
>    override        = yes
> }
> ....
> In the user file...
> (i don`t know how to configure this file to several "Ippool".... I 
> think that here's the problem)
>
> DEFAULT NAS-IP-Address = "y.y.y.y", Auth-Type :=LDAPVPN1, AUTZ-Type 
> :=LDAPVPN1, Pool-Name :=vpnusers1
> DEFAULT NAS-IP-Address = "y.y.y.y", Auth-Type :=LDAPVPN2, AUTZ-Type 
> :=LDAPVPN2, Pool-Name :=vpnusers2
> # y.y.y.y= address of VPN Server
>
>
> In the ldap.attrmap...
> checkItem    vpnusers1    attribute
> checkItem    vpnusers2    attribute
>
> Please, help me with this config.
>
> Thank's you...
>
> Osvaldo H. Campos Molina
> Administrador de Red
> STI - Univ. de Chile
>
> -
> List info/subscribe/unsubscribe? See 
> http://www.freeradius.org/list/users.html
>