Cisco VPN Server 3000 + Radius + LDAP = heeelp!!
Leonardo Reginin
leonardo at procergs.rs.gov.br
Tue Sep 9 13:59:14 CEST 2008
If I understood what you need ...
Using Cisco VPN Client, you can define "Groups" in the Cisco
Concentrator ...
Configuration -> User Management -> Groups
... and assign an "Address Pool" to each group. According to the Group used
in the Cisco VPN Client, the user will receive an IP address from a
different Address Pool.
Create the Group and, after that, create the Address Pool
Configuration -> User Management -> Groups -> Address Pools
Best Regards,
Leonardo
Osvaldo Campos M. - STI Network Administrator wrote:
> Hi people:
> First of all, sorry but my English is not good.
>
> I'm a newbie in FreeRadius and I am in a hurry with Cisco VPN Server
> 3000, FreeRadius and LDAP, to permit VPN users' access.
> When VPN users connect (with "Cisco VPN Client"), Radius consults
> LDAP to check if the user exists. If so, the user can connect to the VPN. If not,
> they can't connect. This works well.
> Now, also I should assign IP addresses according to an LDAP attribute.
> For example, if attribute==1 assign 10.0.0.10/24, if attribute==2
> assign 10.0.0.20/24.
> I tried to assign IP addresses with the "ippool module" and filters in the
> "ldap module" in FreeRadius, but it doesn't work.
> How can I work with many ippools according to the value of an LDAP
> attribute? Where should I ask for the attribute value in order to
> assign the corresponding ippool? Please, help me with that.
>
>
> My config is something like that:
> In the radius.conf file...
> ldap vpnldap1 {
> server = "x.x.x.x"
> identity = "cn=Directory Manager"
> password = **********
> basedn = "ou=People, dc=blah, dc=cl"
> filter = "(&(uid=%u)(attribute=1))"
> authtype = ldap
> set_auth_type = yes
> }
> ldap vpnldap2 {
> server = "x.x.x.x"
> identity = "cn=Directory Manager"
> password = **********
> basedn = "ou=People, dc=blah, dc=cl"
> filter = "(&(uid=%u)(attribute=2))"
> authtype = ldap
> set_auth_type = yes
> }
> ....
> authorize {
> files
> Autz-Type LDAPVPN1 {
> vpnldap1
> }
> Autz-Type LDAPVPN2 {
> vpnldap2
> }
> }
> ....
> authentication {
> Auth-Type LDAPVPN1 {
> vpnldap1
> }
> Auth-Type LDAPVPN2 {
> vpnldap2
> }
> }
> ....
> ippool vpnusers1 {
> range-start = 10.0.0.10
> range-stop = 10.0.0.19
> netmask = 255.255.255.0
> cache-size = 10
> session-db = ${raddbdir}/db.vpnusers1-session
> ip-index = ${raddbdir}/db.vpnusers1-index
> override = yes
> }
> ....
> ippool vpnusers2 {
> range-start = 10.0.0.20
> range-stop = 10.0.0.29
> netmask = 255.255.255.0
> cache-size = 10
> session-db = ${raddbdir}/db.vpnusers2-session
> ip-index = ${raddbdir}/db.vpnusers2-index
> override = yes
> }
> ....
> In the users file...
> (I don't know how to configure this file for several "Ippool"s.... I
> think that the problem is here)
>
> DEFAULT NAS-IP-Address = "y.y.y.y", Auth-Type :=LDAPVPN1, AUTZ-Type
> :=LDAPVPN1, Pool-Name :=vpnusers1
> DEFAULT NAS-IP-Address = "y.y.y.y", Auth-Type :=LDAPVPN2, AUTZ-Type
> :=LDAPVPN2, Pool-Name :=vpnusers2
> # y.y.y.y= address of VPN Server
>
>
> In the ldap.attrmap...
> checkItem vpnusers1 attribute
> checkItem vpnusers2 attribute
>
> Please, help me with this config.
>
> Thank you...
>
> Osvaldo H. Campos Molina
> Network Administrator
> STI - Univ. de Chile
>
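The behaviour Osvaldo is asking for (look up the user in LDAP, read one attribute, and lease a Framed-IP-Address from the pool that attribute selects) can be modelled in a few lines. The following is an added illustration, not code from either poster and not FreeRADIUS's own rlm_ldap/rlm_ippool implementation. The directory is a constructed in-memory dict standing in for the LDAP server, the attribute name "attribute" and the pool ranges are taken from the quoted config, and the reject-on-unmapped-value and reject-on-exhaustion branches are assumptions about the desired policy (the original config has no explicit handling for either case).

```python
import ipaddress
from typing import Dict, Optional, Tuple

# Constructed stand-in for the LDAP directory: uid -> entry attributes.
# In the real deployment rlm_ldap would return "attribute" for the bound user.
FAKE_DIRECTORY: Dict[str, Dict[str, str]] = {
    "alice": {"attribute": "1"},
    "bob":   {"attribute": "2"},
    "carol": {"attribute": "1"},
    "dave":  {"attribute": "3"},   # value that no pool is mapped to
}


class AddressPool:
    """Model of one ippool block: range-start, range-stop, netmask, plus a
    session table (the role of session-db) mapping a session key to its lease."""

    def __init__(self, name: str, range_start: str, range_stop: str, netmask: str):
        self.name = name
        self.netmask = netmask
        start = int(ipaddress.IPv4Address(range_start))
        stop = int(ipaddress.IPv4Address(range_stop))
        if stop < start:
            raise ValueError("range-stop is before range-start")
        # Free list in ascending order; leases are handed out from the front.
        self.free = [str(ipaddress.IPv4Address(i)) for i in range(start, stop + 1)]
        self.sessions: Dict[str, str] = {}

    def allocate(self, session_key: str) -> Optional[str]:
        # override = yes in the quoted config: a known session keeps its address.
        if session_key in self.sessions:
            return self.sessions[session_key]
        if not self.free:
            return None                    # pool exhausted
        ip = self.free.pop(0)
        self.sessions[session_key] = ip
        return ip

    def release(self, session_key: str) -> Optional[str]:
        ip = self.sessions.pop(session_key, None)
        if ip is not None:
            self.free.append(ip)           # returned address goes to the back
        return ip


# The two pools from the quoted radiusd.conf.
POOLS: Dict[str, AddressPool] = {
    "vpnusers1": AddressPool("vpnusers1", "10.0.0.10", "10.0.0.19", "255.255.255.0"),
    "vpnusers2": AddressPool("vpnusers2", "10.0.0.20", "10.0.0.29", "255.255.255.0"),
}

# The mapping the poster wants: LDAP attribute value -> Pool-Name (assumed table).
ATTRIBUTE_TO_POOL: Dict[str, str] = {"1": "vpnusers1", "2": "vpnusers2"}

# Which pool each active session was leased from, so release() can find it.
SESSION_POOL: Dict[str, str] = {}


def select_pool(attribute_value: Optional[str]) -> Optional[str]:
    """Pool-Name for an attribute value, or None when nothing is mapped."""
    if attribute_value is None:
        return None
    return ATTRIBUTE_TO_POOL.get(attribute_value)


def authorize(uid: str, session_key: str) -> Optional[Tuple[str, str, str]]:
    """Return (Pool-Name, Framed-IP-Address, Framed-IP-Netmask), or None to reject."""
    entry = FAKE_DIRECTORY.get(uid)
    if entry is None:
        return None                        # unknown user -> reject
    pool_name = select_pool(entry.get("attribute"))
    if pool_name is None:
        return None                        # attribute maps to no pool -> reject, no silent default
    ip = POOLS[pool_name].allocate(session_key)
    if ip is None:
        return None                        # pool exhausted -> reject rather than hand out nothing
    SESSION_POOL[session_key] = pool_name
    return pool_name, ip, POOLS[pool_name].netmask


def release(session_key: str) -> Optional[str]:
    """Accounting-Stop equivalent: give the session's address back to its pool."""
    pool_name = SESSION_POOL.pop(session_key, None)
    if pool_name is None:
        return None
    return POOLS[pool_name].release(session_key)


if __name__ == "__main__":
    print(authorize("alice", "sess-1"))    # from vpnusers1
    print(authorize("bob", "sess-2"))      # from vpnusers2
    print(authorize("dave", "sess-3"))     # None: attribute 3 has no pool
    print(release("sess-1"))
```

The point to take from the model is that pool choice is one decision (attribute value to Pool-Name) and address leasing is a second one, and that both "no pool for this value" and "pool empty" need an explicit outcome, otherwise a user silently ends up with no address or in the wrong pool.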