freeradius and Cisco VPN IPSEC profiles authentication

Alan DeKok aland at
Fri Nov 12 11:38:52 CET 2010

Jevos, Peter wrote:
> Hi Alan, thanks, I’ve read it but it’s too complicated and I’m
> missing more examples of configurations

  The raddb directory *does* come with examples.

> If anybody could help me with the syntax and code location with this issue:

  Sorry, but:

1) the "unlang" documentation contains a detailed description of the

2) my previous message gave the *specific* location of where the logic
   should go.

  *PLEASE* read the existing documentation and messages on this list.
Failure to do so is a major reason for not solving issues.

> If requests come from NAS-IP-Address== and the
> %{mschap:NT-Domain}=vipdomainuser, check them against module
> ntlm_auth_vip (module is already working) and if they pass, give them
> Cisco-Avpair += "ipsec:addr-pool=vip_vpn_pool" and other optional AVpairs.

  The "unlang" syntax is pretty much exactly that.  It's not that hard.

	if ((NAS-IP-Address == && "%{mschap:NT-Domain}" == "vipdomainuser")) {
		update control {
			Auth-Type := ntlm_auth_vip
		}
		update reply {
			Cisco-AVPair += "ipsec:addr-pool=vip_vpn_pool"
		}
	}

  Alan DeKok.
