Cisco VPN Server 3000 + Radius + LDAP = heeelp!!

tnt at kalik.net
Tue Sep 9 23:22:47 CEST 2008


Add Pool-Name as check item with operator := to ldap.attrmap. Map it to
something like radiusPool. Add radiusPool to user profile in ldap. Add
value pool1 for radiusPool to those with attribute = 1 ...

Ivan Kalik
Kalik Informatika ISP

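Ivan's recipe written out across the three files it touches, as an added example rather than configuration from this thread; the LDAP attribute name radiusPool, the constructed sample user, and the optional operator column in ldap.attrmap are assumptions to verify against the ldap.attrmap and rlm_ippool notes shipped with the FreeRADIUS version in use.

```conf
# --- ldap.attrmap --------------------------------------------------------
# Format (assumed): checkItem <RADIUS attribute> <LDAP attribute> [<operator>]
# ":=" makes the LDAP value replace any Pool-Name already in the check items.
checkItem    Pool-Name    radiusPool    :=

# --- LDIF (constructed sample user) --------------------------------------
# radiusPool is assumed to be defined in a schema loaded on the directory;
# it stores only the pool name, so the address ranges stay in radiusd.conf.
dn: uid=jdoe,ou=People,dc=blah,dc=cl
changetype: modify
add: radiusPool
radiusPool: vpnusers1

# --- radiusd.conf --------------------------------------------------------
# One ldap instance for everyone: the per-value filters from the original
# post are no longer needed because the pool name is read from the entry.
ldap {
    server = "x.x.x.x"
    identity = "cn=Directory Manager"   # prefer a read-only bind DN in production
    password = **********
    basedn = "ou=People,dc=blah,dc=cl"
    filter = "(uid=%u)"
    dictionary_mapping = ${confdir}/ldap.attrmap
    set_auth_type = yes                 # sets Auth-Type := LDAP when the user exists
}
# ippool vpnusers1 { ... } and ippool vpnusers2 { ... } stay exactly as in
# Osvaldo's radiusd.conf; each instance allocates an address only when the
# Pool-Name check item equals its instance name. The two DEFAULT entries in
# the users file that set Pool-Name are no longer needed.

authorize {
    preprocess
    files
    ldap            # adds Pool-Name := "vpnusers1" to the check items
}
authenticate {
    Auth-Type LDAP {
        ldap
    }
}
post-auth {
    vpnusers1       # runs only for Pool-Name == "vpnusers1"
    vpnusers2       # runs only for Pool-Name == "vpnusers2"
}
accounting {
    vpnusers1       # releases the address on Accounting-Stop
    vpnusers2
}
```

Because the pool is chosen by a directory attribute, only whoever can write radiusPool in LDAP can move a user between address ranges, which is easier to audit than per-pool LDAP filters.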

On 9/9/2008, "Osvaldo Campos M. - Administrador Red STI"
<ocampos at sti.uchile.cl> writes:

>Thanks for your answer, but I can't use LDAP groups in this case because
>I don't have groups defined in LDAP according to the LDAP "attribute". For
>example, I don't have a group "Sales" in LDAP containing only the users with
>the value "attribute=1".
> 
>And I need to assign addresses according to the value of "attribute".
> 
>Other ideas for this, please?
>
>Thanks...
>
>Osvaldo H. Campos Molina
>Network Administrator
>STI - Univ. de Chile
>
>
>
>Parham Beheshti wrote:
>> this is how we do it:
>> radius.conf:
>> get user's group from ldap
>>
>> users file:
>> if user is member of groupA assign ip pool1
>>
>> if user is member of groupB assign ip pool2
>>
>> here is the users file (this is not using IP pools, it just limits connection duration and when they can log in):
>> DEFAULT LDAP-Group == "VPN12", Max-Daily-Session :=43200
>>         Fall-Through = Yes
>>
>> DEFAULT LDAP-GROUP == "VPNSALES", Max-Daily-Session :=7200, Login-Time:="Any0730-0830,Any1630-1730"
>>         Fall-Through = Yes
>>
>>
>>
>>
>> -----Original Message-----
>> From: freeradius-users-bounces+p_beheshti=rasana.net at lists.freeradius.org on behalf of Osvaldo Campos M. - Administrador Red STI
>> Sent: Tue 9/9/2008 2:36 AM
>> To: FreeRadius users mailing list
>> Subject: Cisco VPN Server 3000 + Radius + LDAP = heeelp!!
>>  
>> Hi people: 
>>
>> First of all, sorry but my English is not good.
>>
>> I'm a newbie to FreeRADIUS and I am in a hurry with Cisco VPN Server 3000,
>> FreeRADIUS and LDAP, to permit VPN users' access.
>>
>> When VPN users connect (with the "Cisco VPN Client"), RADIUS asks LDAP
>> whether the user exists. If it exists, the user can connect to the VPN; if
>> not, it can't connect. This works well.
>>
>> Now I also have to assign IP addresses according to an LDAP attribute.
>> For example, if attribute==1 assign 10.0.0.10/24, if attribute==2 assign
>> 10.0.0.20/24.
>>
>> I tried to assign IP addresses with the "ippool module" and filters in the
>> "ldap module" in FreeRADIUS, but it doesn't work.
>>
>> How can I work with several ippools according to the value of an LDAP
>> attribute? Where should I ask for the attribute value in order to assign
>> the corresponding ippool? Please, help me with that.
>>
>>
>> My config is something like this:
>>
>> In the radius.conf file...
>> ldap vpnldap1 {
>>     server = "x.x.x.x"
>>     identity = "cn=Directory Manager"
>>     password = **********
>>     basedn = "ou=People, dc=blah, dc=cl"
>>     filter = "(&(uid=%u)(attribute=1))"
>>     authtype = ldap
>>     set_auth_type = yes
>> }
>> ldap vpnldap2 {
>>     server = "x.x.x.x"
>>     identity = "cn=Directory Manager"
>>     password = **********
>>     basedn = "ou=People, dc=blah, dc=cl"
>>     filter = "(&(uid=%u)(attribute=2))"
>>     authtype = ldap
>>     set_auth_type = yes
>> }
>> ....
>> authorize {
>>     files
>>     Autz-Type LDAPVPN1 {
>>         vpnldap1
>>     }
>>     Autz-Type LDAPVPN2 {
>>         vpnldap2
>>     }
>> }
>> ....
>> authentication {
>>     Auth-Type LDAPVPN1 {
>>         vpnldap1
>>     }
>>     Auth-Type LDAPVPN2 {
>>         vpnldap2
>>     }
>> }
>> ....
>> ippool vpnusers1 {
>>     range-start    = 10.0.0.10
>>     range-stop    = 10.0.0.19
>>     netmask        = 255.255.255.0
>>     cache-size    = 10
>>     session-db    = ${raddbdir}/db.vpnusers1-session
>>     ip-index        = ${raddbdir}/db.vpnusers1-index
>>     override        = yes
>> }
>> ....
>> ippool vpnusers2 {
>>     range-start    = 10.0.0.20
>>     range-stop    = 10.0.0.29
>>     netmask        = 255.255.255.0
>>     cache-size    = 10
>>     session-db    = ${raddbdir}/db.vpnusers2-session
>>     ip-index        = ${raddbdir}/db.vpnusers2-index
>>     override        = yes
>> }
>> ....
>> In the users file...
>> (I don't know how to configure this file for several "ippools"... I think
>> that the problem is here)
>>
>> DEFAULT NAS-IP-Address = "y.y.y.y", Auth-Type :=LDAPVPN1, AUTZ-Type 
>> :=LDAPVPN1, Pool-Name :=vpnusers1
>> DEFAULT NAS-IP-Address = "y.y.y.y", Auth-Type :=LDAPVPN2, AUTZ-Type 
>> :=LDAPVPN2, Pool-Name :=vpnusers2
>> # y.y.y.y= address of VPN Server
>>
>>
>> In the ldap.attrmap...
>> checkItem    vpnusers1    attribute
>> checkItem    vpnusers2    attribute
>>
>> Please, help me with this config.
>>
>> Thank you...
>>
>> Osvaldo H. Campos Molina
>> Network Administrator
>> STI - Univ. de Chile
>>
>> -
>> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html