freeradius and Cisco VPN IPSEC profiles authentication

Alan DeKok aland at deployingradius.com
Fri Nov 12 11:38:52 CET 2010


Jevos, Peter wrote:
> Hi Alan, thanks, I’ve read it but it’s too complicated and I’m
> missing more examples of configurations

  The raddb directory *does* come with examples.

> If anybody can help me with the syntax and code location with this issue:

  Sorry, but:

1) the "unlang" documentation contains a detailed description of the
   syntax

2) my previous message gave the *specific* location of where the logic
   should go.

  *PLEASE* read the existing documentation and messages on this list.
Failure to do so is a major reason for not solving issues.

> If requests come from NAS-IP-Address==1.1.1.1 and the
> %{mschap:NT-Domain}=vipdomainuser, check them against module
> ntlm_auth_vip (module is already working) and if they pass give them
> Cisco-Avpair += "ipsec:addr-pool=vip_vpn_pool" and other optional AVpairs.

  The "unlang" syntax is pretty much exactly that.  It's not that hard.

	if ((NAS-IP-Address == 1.1.1.1) && ("%{mschap:NT-Domain}" == "vipdomainuser")) {
		update control {
			Auth-Type := ntlm_auth_vip
		}
		update reply {
			Cisco-AVPair += "ipsec:addr-pool=vip_vpn_pool"
		}
	}

  Alan DeKok.


