Pushing group attribute from OpenDirectory to Cisco

Alan DeKok aland at deployingradius.com
Mon Sep 20 07:49:52 CEST 2010


Sander van Loosbroek wrote:
> Hello,
> 
> I have successfully set up Freeradius that comes with Mac OS X Server 10.6 to authenticate WebVPN users on a Cisco IOS router. Now I'm trying to parse the webvpn:user-vpn-group attribute to the Cisco so I can set up different WebVPN policies. I run into 2 problems:
> 
> 1) There doesn't seem to be a dictionary for Cisco's Webvpn. There are some for the VPN concentrator series but these are not compatible with Cisco's IOS. Does that mean I have to build my own? The attribute value-pairs are listed here: http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6586/ps6657/prod_white_paper0900aecd8051ac3a.html

  That page explains how to use those attributes.  They go into the
Cisco-AVPair attribute, just like nearly all of the other Cisco attributes:

	Cisco-AVPair := "webvpn:urllist-name=cisco"

> 2) I can't find out how to connect the group name value from OpenDirectory to an attribute. The rlm_opendirectory module does check for a group (to see if it's allowed to use the Radius service) but it's unclear to me how to grab that value and use it as an attribute.

  You should be able to use LDAP to query OpenDirectory.

  Alan DeKok.
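To show how the two answers above fit together (webvpn values carried inside Cisco-AVPair, group membership fetched from OpenDirectory over LDAP), here is an added unlang fragment for the post-auth section; it is not from the original thread. It assumes rlm_ldap is pointed at the OpenDirectory server with a group membership filter so that LDAP-Group comparisons work, and the group names and webvpn policy names are made-up placeholders.

```unlang
# raddb/sites-enabled/default, post-auth section (FreeRADIUS 2.x syntax).
# Assumes the "ldap" module is configured against OpenDirectory and listed
# in authorize, so LDAP-Group comparisons are available here.
post-auth {
	# Map each directory group to a WebVPN policy on the IOS router.
	# All webvpn:* values travel in Cisco-AVPair; "+=" appends so
	# several attributes can be sent in one Access-Accept.
	if (LDAP-Group == "vpn-admins") {          # placeholder group name
		update reply {
			Cisco-AVPair += "webvpn:user-vpn-group=admins"
			Cisco-AVPair += "webvpn:urllist-name=admin-links"
		}
	}
	elsif (LDAP-Group == "vpn-staff") {        # placeholder group name
		update reply {
			Cisco-AVPair += "webvpn:user-vpn-group=staff"
		}
	}
	else {
		# Authenticated but in no mapped group: deny rather than
		# letting the router fall back to a default policy.
		reject
	}
}
```

Test with radtest against a user in each group and confirm the Access-Accept carries the expected Cisco-AVPair lines before enabling the router.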
