Cisco VPN Server 3000 + Radius + LDAP = heeelp!!
Osvaldo Campos M. - Administrador Red STI
ocampos at sti.uchile.cl
Tue Sep 9 18:26:46 CEST 2008
Thanks for your answer, but I can't use LDAP groups in this case because
I don't have groups defined in LDAP according to the LDAP "attribute". For
example, I don't have a group "Sales" in LDAP with only the users that have
the value "attribute=1".
And I need to assign addresses according to the value of "attribute".
Any other ideas for this, please?
Thanks...
Osvaldo H. Campos Molina
Network Administrator
STI - Univ. de Chile
Parham Beheshti wrote:
> This is how we do it:
> radius.conf:
> get the user's group from LDAP
>
> users file:
> if the user is a member of groupA, assign IP pool1
>
> if the user is a member of groupB, assign IP pool2
>
> Here is the users file (this is not using IP pools, it just limits the connection duration and when they can log in):
> DEFAULT LDAP-Group == "VPN12", Max-Daily-Session := 43200
>         Fall-Through = Yes
>
> DEFAULT LDAP-Group == "VPNSALES", Max-Daily-Session := 7200, Login-Time := "Any0730-0830,Any1630-1730"
>         Fall-Through = Yes
>
> -----Original Message-----
> From: freeradius-users-bounces+p_beheshti=rasana.net at lists.freeradius.org on behalf of Osvaldo Campos M. - Administrador Red STI
> Sent: Tue 9/9/2008 2:36 AM
> To: FreeRadius users mailing list
> Subject: Cisco VPN Server 3000 + Radius + LDAP = heeelp!!
>
> Hi people:
>
> First of all, sorry, but my English is not good.
>
> I'm a newbie in FreeRADIUS and I am in a hurry with the Cisco VPN Server 3000,
> FreeRADIUS and LDAP, to permit VPN users access.
>
> When VPN users connect (with "Cisco VPN Client"), RADIUS consults LDAP to see
> if the user exists. If it exists, the user can connect to the VPN. If not, it
> can't connect. This works well.
>
> Now, I also have to assign IP addresses according to an LDAP attribute.
> For example, if attribute==1 assign 10.0.0.10/24, if attribute==2 assign
> 10.0.0.20/24.
>
> I tried to assign IP addresses with the "ippool module" and filters in the
> "ldap module" in FreeRADIUS, but it doesn't work.
>
> How can I work with many ippools according to the value of an LDAP
> attribute? Where should I ask for the attribute value in order to assign
> the corresponding ippool? Please, help me with that.
>
>
> My config is something like this:
>
> In the radius.conf file...
> ldap vpnldap1 {
>     server = "x.x.x.x"
>     identity = "cn=Directory Manager"
>     password = **********
>     basedn = "ou=People, dc=blah, dc=cl"
>     filter = "(&(uid=%u)(attribute=1))"
>     authtype = ldap
>     set_auth_type = yes
> }
> ldap vpnldap2 {
>     server = "x.x.x.x"
>     identity = "cn=Directory Manager"
>     password = **********
>     basedn = "ou=People, dc=blah, dc=cl"
>     filter = "(&(uid=%u)(attribute=2))"
>     authtype = ldap
>     set_auth_type = yes
> }
> ....
> authorize {
>     files
>     Autz-Type LDAPVPN1 {
>         vpnldap1
>     }
>     Autz-Type LDAPVPN2 {
>         vpnldap2
>     }
> }
> ....
> authentication {
>     Auth-Type LDAPVPN1 {
>         vpnldap1
>     }
>     Auth-Type LDAPVPN2 {
>         vpnldap2
>     }
> }
> ....
> ippool vpnusers1 {
>     range-start = 10.0.0.10
>     range-stop = 10.0.0.19
>     netmask = 255.255.255.0
>     cache-size = 10
>     session-db = ${raddbdir}/db.vpnusers1-session
>     ip-index = ${raddbdir}/db.vpnusers1-index
>     override = yes
> }
> ....
> ippool vpnusers2 {
>     range-start = 10.0.0.20
>     range-stop = 10.0.0.29
>     netmask = 255.255.255.0
>     cache-size = 10
>     session-db = ${raddbdir}/db.vpnusers2-session
>     ip-index = ${raddbdir}/db.vpnusers2-index
>     override = yes
> }
> ....
> In the users file...
> (I don't know how to configure this file for several "ippools".... I think
> that's where the problem is)
>
> DEFAULT NAS-IP-Address = "y.y.y.y", Auth-Type := LDAPVPN1, Autz-Type := LDAPVPN1, Pool-Name := vpnusers1
> DEFAULT NAS-IP-Address = "y.y.y.y", Auth-Type := LDAPVPN2, Autz-Type := LDAPVPN2, Pool-Name := vpnusers2
> # y.y.y.y = address of the VPN server
>
>
> In the ldap.attrmap...
> checkItem vpnusers1 attribute
> checkItem vpnusers2 attribute
>
> Please, help me with this config.
>
> Thank you...
>
> Osvaldo H. Campos Molina
> Network Administrator
> STI - Univ. de Chile
>
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
>
>
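The approach the thread is circling, selecting the pool from the raw value of the LDAP attribute instead of from an LDAP group, written out as an added example. This is not configuration from either poster. It assumes FreeRADIUS 2.x (unlang in sites-enabled/default), an LDAP attribute literally named `attribute` as in the original post, a server-internal RADIUS attribute `VPN-Pool-Selector` that the example defines itself, a read-only bind DN `cn=radius-reader,ou=Services,dc=blah,dc=cl` that is also an assumption, and the two pool instance names `vpnusers1`/`vpnusers2` from the original post. Only the sections relevant to pool selection are shown.

```text
# --- raddb/dictionary -------------------------------------------------------
# Server-internal attribute to carry the LDAP value. A number >= 3000 is never
# sent on the wire; the name VPN-Pool-Selector is an assumption of this example.
ATTRIBUTE   VPN-Pool-Selector   3000    integer

# --- raddb/ldap.attrmap -----------------------------------------------------
# Syntax: checkItem <RADIUS attribute> <LDAP attribute>. The LDAP attribute
# is called "attribute" here only because that is what the original post calls it.
checkItem   VPN-Pool-Selector   attribute

# --- raddb/modules/ldap ------------------------------------------------------
# One instance and no filter on the attribute value: the value is read, not tested.
ldap {
    server   = "x.x.x.x"
    # Dedicated read-only bind account (assumed DN); do not bind as the
    # directory superuser from a service whose password sits in a config file.
    identity = "cn=radius-reader,ou=Services,dc=blah,dc=cl"
    password = "********"
    basedn   = "ou=People,dc=blah,dc=cl"
    filter   = "(uid=%{%{Stripped-User-Name}:-%{User-Name}})"
    dictionary_mapping = ${confdir}/ldap.attrmap
    set_auth_type = yes
}

# --- raddb/modules/ippool (or radiusd.conf) ---------------------------------
ippool vpnusers1 {
    range-start = 10.0.0.10
    range-stop  = 10.0.0.19
    netmask     = 255.255.255.0
    cache-size  = 10
    session-db  = ${raddbdir}/db.vpnusers1-session
    ip-index    = ${raddbdir}/db.vpnusers1-index
    override    = yes
}
ippool vpnusers2 {
    range-start = 10.0.0.20
    range-stop  = 10.0.0.29
    netmask     = 255.255.255.0
    cache-size  = 10
    session-db  = ${raddbdir}/db.vpnusers2-session
    ip-index    = ${raddbdir}/db.vpnusers2-index
    override    = yes
}

# --- raddb/sites-enabled/default (only the parts that matter here) ----------
authorize {
    preprocess
    # Looks the user up, copies "attribute" into control:VPN-Pool-Selector
    # and sets Auth-Type := LDAP when the entry exists.
    ldap
    if (control:VPN-Pool-Selector == 1) {
        update control {
            Pool-Name := "vpnusers1"
        }
    }
    elsif (control:VPN-Pool-Selector == 2) {
        update control {
            Pool-Name := "vpnusers2"
        }
    }
    else {
        # Unknown value, or attribute missing (user not found): refuse rather
        # than let the session through with no address policy.
        reject
    }
}

authenticate {
    Auth-Type LDAP {
        ldap
    }
}

post-auth {
    # Each rlm_ippool instance returns noop unless control:Pool-Name equals
    # its own instance name, so only the selected pool hands out an address.
    vpnusers1
    vpnusers2
}

accounting {
    # The same instances must see Accounting-Stop to release the address.
    vpnusers1
    vpnusers2
}
```

The branching lives in one `authorize` section instead of two `ldap` instances with opposing filters, so the directory is queried once per request and a user whose value matches neither pool is rejected explicitly instead of falling through. `override = yes` on the pools means a Framed-IP-Address the client proposes is replaced, not honoured. To check the mapping, run `radiusd -X` and look for `VPN-Pool-Selector` in the control items after the `ldap` call and for the `Framed-IP-Address` that the selected `ippool` instance adds in `post-auth`.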