Pushing group attribute from OpenDirectory to Cisco

Peter Lambrechtsen plambrechtsen at gmail.com
Mon Sep 20 01:47:58 CEST 2010

On Mon, Sep 20, 2010 at 6:46 AM, Sander van Loosbroek <sander at vanloosbroek.com> wrote:

> Hello,
> I have successfully set up Freeradius that comes with Mac OS X Server 10.6
> to authenticate WebVPN users on a Cisco IOS router. Now I'm trying to parse
> the webvpn:user-vpn-group attribute to the Cisco so I can set up different
> WebVPN policies. I run into 2 problems:
> 1) There doesn't seem to be a dictionary for Cisco's Webvpn. There are some
> for the VPN concentrator series but this are not compatible with Cisco's
> IOS. Does that mean I have to build my own? The attribute value-pairs are
> listed here:
> http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6586/ps6657/prod_white_paper0900aecd8051ac3a.html
If you look at:

Looks like it's a standard Cisco AV Pair so:

        Cisco-AVPair = "webvpn:user-vpn-group=vpn1"

Should be what you need to set.

> 2) I can't find out how to connect the group name value from OpenDirectory
> to an attribute. The rlm_opendirectory module does check for a group (to see
> if it's allowed to use the Radius service) but it's unclear to me how to
> grab that value and use it as an attribute.

OpenDirectory is just a standard LDAP directory.  If you follow my previous
Then using a local users file to restrict access based on group membership
should work fine.  You probably won't need to use Huntgroups depending on
how granular you need to go, so you could use the preprocess to have the
local huntgroups file used too.

> Any thoughts are appreciated.
> Regards,
> Sander
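Putting the reply's two suggestions together as an added example (not from the thread or the FreeRADIUS project): a FreeRADIUS `users` file that maps directory group membership to the Cisco-AVPair shown above and rejects anyone not in a WebVPN group. It assumes rlm_ldap is configured against the OpenDirectory server with group lookups enabled and runs in `authorize` before `files` (the thread uses rlm_opendirectory, which does not expose `Ldap-Group`); the group and policy names are made up.

```text
# /etc/raddb/users (assumed path) -- first matching entry wins,
# so the most specific groups come first and the catch-all last.

# Members of the OpenDirectory group "vpn-admins" (constructed name)
# get the "admins" WebVPN policy on the IOS router.
DEFAULT Ldap-Group == "vpn-admins"
        Cisco-AVPair = "webvpn:user-vpn-group=admins",
        Fall-Through = No

# Members of "vpn-staff" get the more restrictive "staff" policy.
DEFAULT Ldap-Group == "vpn-staff"
        Cisco-AVPair = "webvpn:user-vpn-group=staff",
        Fall-Through = No

# Anyone who authenticated but is in neither group is refused,
# so a valid directory password alone never grants VPN access.
DEFAULT Auth-Type := Reject
        Reply-Message = "Not a member of a WebVPN group"
```

Check the result with `radtest` (or `radclient`) for one user from each group and one from neither; the Access-Accept for the first two should carry the Cisco-AVPair, and the third should be an Access-Reject.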