freeradius and Cisco VPN IPSEC profiles authentication
Jevos, Peter
Peter.Jevos at oriflame.com
Thu Nov 4 16:52:15 CET 2010
>
> Cisco-AVpair += "2nd:attribute"
>
> This is documented in the manpage and docs.
>
> Thank you, it helped, but it still doesn't work as I wished:
>
> All I need is:
> When a request comes from 10.1.1.252 and Tunnel-Private-Group-ID =
> "Group1", use authentication ntlm_auth_vpn, and send back Cisco-AVPairs
> (ipsec values).
> When a request comes from anywhere and Tunnel-Private-Group-ID is
> anything, use authentication vpn_auth_name, and that's it.
>
> My current settings are:
>
> DEFAULT Auth-Type := ntlm_auth_vpn, NAS-IP-Address == 10.1.1.252, Tunnel-Private-Group-ID == "Group1"
>         Tunnel-Type = "ESP",
>         Tunnel-Private-Group-ID = "Group1",
>         Tunnel-Password = "cisco",
>         Cisco-AVPair += "ipsec:dns-servers=10.1.1.6 10.1.1.7",
>         Cisco-AVPair += "ipsec:addr-pool=vpn_pool",
>         Cisco-AVPair += "ipsec:inacl=101",
>         Cisco-AVPair += "ipsec:key-exchange=ike",
>         Cisco-AVPair += "ipsec:key-exchange=preshared-key",
>         Service-Type = Framed-User,
>         Framed-Protocol = PPP,
>         Fall-Through = Yes
You've set Fall-Through here - so your Auth-Type will be overwritten by
the 2nd entry:
>
>
> DEFAULT Auth-Type := vpn_auth_name
>         Service-Type = Framed-User,
>         Framed-Protocol = PPP
>
Dear Phil, thank you.
I removed the Fall-Through parameter; it works partially: when a user comes
from the address 10.1.1.252 and Tunnel-Private-Group-ID is not Group1,
it takes Auth-Type := ntlm_auth_vpn (which is wrong), and not
Auth-Type := vpn_auth_name.
Therefore there must be two conditions: one is NAS-IP-Address, the second is
PVT-Group.
Thanks
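Added example (not from the thread, and not FreeRADIUS's own code): a small Python model of the users-file rules the two replies above rely on. Entries are tried top to bottom, an entry applies only when every "==" check item matches the request, ":=" check items such as Auth-Type set control attributes, reply items are merged with "=" / ":=" / "+=" semantics, and the walk stops at the first applying entry unless it carries Fall-Through = Yes. The two DEFAULT entries from the thread are transcribed as data, and the requests are constructed, not captured traffic. It shows what the entries should yield with and without Fall-Through; it does not explain why Peter's server still picks ntlm_auth_vpn for a non-Group1 request, which the model cannot reproduce.

```python
# Toy model of how rlm_files walks a FreeRADIUS users file (added example,
# not FreeRADIUS code). Only the rules that matter for the thread are modelled.

def check_matches(request, attr, op, value):
    """'==' matches only if the attribute is present in the request with that value."""
    if op == "==":
        return request.get(attr) == value
    if op == "!=":
        return attr in request and request[attr] != value
    raise ValueError("unsupported check operator: " + op)


def merge_reply(reply, attr, op, value):
    """Reply-item operators: '=' only if absent, ':=' replace, '+=' add an instance."""
    if op == "=":
        reply.setdefault(attr, [value])
    elif op == ":=":
        reply[attr] = [value]
    elif op == "+=":
        reply.setdefault(attr, []).append(value)
    else:
        raise ValueError("unsupported reply operator: " + op)


def process_users(entries, request):
    """Return (control, reply) after walking the entries for one request."""
    control, reply = {}, {}
    for name, checks, replies in entries:
        if name != "DEFAULT" and name != request.get("User-Name"):
            continue
        # every comparison check item must match; ':=' items are not comparisons
        if not all(check_matches(request, a, o, v) for a, o, v in checks if o != ":="):
            continue
        for a, o, v in checks:
            if o == ":=":
                control[a] = v          # Auth-Type := ... lands in the control list
        fall_through = False
        for a, o, v in replies:
            if a == "Fall-Through":
                fall_through = str(v).lower() == "yes"
            else:
                merge_reply(reply, a, o, v)
        if not fall_through:
            break                       # first applying entry wins unless told otherwise
    return control, reply


def users_file(fall_through):
    """The two DEFAULT entries from the thread, with or without Fall-Through on the first."""
    first_replies = [
        ("Tunnel-Type", "=", "ESP"),
        ("Tunnel-Private-Group-ID", "=", "Group1"),
        ("Tunnel-Password", "=", "cisco"),
        ("Cisco-AVPair", "+=", "ipsec:dns-servers=10.1.1.6 10.1.1.7"),
        ("Cisco-AVPair", "+=", "ipsec:addr-pool=vpn_pool"),
        ("Cisco-AVPair", "+=", "ipsec:inacl=101"),
        ("Cisco-AVPair", "+=", "ipsec:key-exchange=ike"),
        ("Cisco-AVPair", "+=", "ipsec:key-exchange=preshared-key"),
        ("Service-Type", "=", "Framed-User"),
        ("Framed-Protocol", "=", "PPP"),
    ]
    if fall_through:
        first_replies.append(("Fall-Through", "=", "Yes"))
    return [
        ("DEFAULT",
         [("Auth-Type", ":=", "ntlm_auth_vpn"),
          ("NAS-IP-Address", "==", "10.1.1.252"),
          ("Tunnel-Private-Group-ID", "==", "Group1")],
         first_replies),
        ("DEFAULT",
         [("Auth-Type", ":=", "vpn_auth_name")],
         [("Service-Type", "=", "Framed-User"),
          ("Framed-Protocol", "=", "PPP")]),
    ]


def auth_type_for(request, fall_through=False):
    """Auth-Type chosen for a request by the two-entry file."""
    control, _ = process_users(users_file(fall_through), request)
    return control.get("Auth-Type")


if __name__ == "__main__":
    # Constructed requests, not captured traffic.
    group1 = {"User-Name": "alice", "NAS-IP-Address": "10.1.1.252",
              "Tunnel-Private-Group-ID": "Group1"}
    group2 = dict(group1, **{"Tunnel-Private-Group-ID": "Group2"})
    other_nas = dict(group1, **{"NAS-IP-Address": "10.9.9.9"})
    for label, req in [("Group1 via .252", group1), ("Group2 via .252", group2),
                       ("Group1 via other NAS", other_nas)]:
        print(label, "->", auth_type_for(req),
              "/ with Fall-Through:", auth_type_for(req, True))
```

With Fall-Through on the first entry the Group1 request still collects all the ipsec Cisco-AVPair reply items, but the second DEFAULT entry then runs and its Auth-Type := vpn_auth_name replaces ntlm_auth_vpn, which is exactly the overwrite Phil describes; without Fall-Through the first match ends the walk and only requests that fail one of the two "==" checks reach the second entry.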
More information about the Freeradius-Users mailing list