Pushing group attribute from OpenDirectory to Cisco
Peter Lambrechtsen
plambrechtsen at gmail.com
Thu Sep 23 22:02:38 CEST 2010
In the "users" file is where you specify the reply attributes in my example.
So using your example:
DEFAULT Huntgroup-Name == CiscoVPN, Ldap-Group == "cn=CiscoVPN,ou=Roles,ou=Radius,DC=ACME,DC=COM"
        Service-Type = "NAS-Prompt-User",
        Idle-Timeout = 600,
        Cisco-AVPair = "webvpn:user-vpn-group=whatevervpngroupyouwanttoaddtheuserto"
Then you can either use the huntgroups file and set the IP addresses of the
routers (NASes) you're using: http://wiki.freeradius.org/Huntgroups
Or you can have the huntgroups in LDAP as per my e-mail, which would be the
option if you have a more dynamic environment or want to move a NAS between
different huntgroups easily.
On Fri, Sep 24, 2010 at 2:03 AM, Sander van Loosbroek <sander at vanloosbroek.com> wrote:
> Hello Peter and Alan,
>
> Thank you for your reply. I've given the documentation of Peter a look but
> I'm not that familiar with LDAP or how its underpinnings work in OS X
> Server.
>
> When the Cisco router now authenticates against the FreeRADIUS server all
> works fine except for the fact that the group name is not returned with the
> webvpn:vpn-user-group attribute. What is unclear to me is how I instruct
> FreeRADIUS to include that attribute when it returns the authorization
> message. I have made the following addition to my clients file:
>
> client 192.168.13.1/32 {
>         secret    = xxx
>         shortname = vpn
>         nastype   = cisco
> }
>
> I have added a policy to the Cisco router to pick up the attribute but it
> doesn't seem to get through. Can you suggest what to try next?
>
> Thanks,
> Sander
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html
>
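As an added illustration (not FreeRADIUS code, and not part of the original thread), here is a small Python model of how the users entry above and a huntgroups file combine to decide whether the Cisco-AVPair is returned at all. It assumes a huntgroups file that puts the router 192.168.13.1 (and an assumed second NAS, 10.0.0.5) into the CiscoVPN huntgroup, a placeholder group name "vpnusers" in the AVPair, and a hard-coded table standing in for the group-membership lookup rlm_ldap would perform; the real server's matching has more rules (Fall-Through, other operators, prefix/suffix handling) than this model.

```python
"""Model of how a FreeRADIUS "users" entry with Huntgroup-Name and Ldap-Group
check items selects reply attributes.  Added illustration, not FreeRADIUS
code: only "==" check items and "=" reply items are handled, there is no
Fall-Through, and the LDAP group lookup is replaced by a dict."""

import re

# Constructed huntgroups file.  192.168.13.1 is the router from the thread;
# 10.0.0.5 is an assumed second NAS placed in the same huntgroup.
HUNTGROUPS = """\
CiscoVPN    NAS-IP-Address == 192.168.13.1
CiscoVPN    NAS-IP-Address == 10.0.0.5
"""

# Constructed users file: the DEFAULT entry from the reply, with the check
# items on one line and the reply items indented below it.  The group name
# "vpnusers" is an assumed placeholder.
USERS = """\
DEFAULT Huntgroup-Name == CiscoVPN, Ldap-Group == "cn=CiscoVPN,ou=Roles,ou=Radius,DC=ACME,DC=COM"
        Service-Type = "NAS-Prompt-User",
        Idle-Timeout = 600,
        Cisco-AVPair = "webvpn:user-vpn-group=vpnusers"
"""

# Assumed directory contents standing in for rlm_ldap's group check:
# user name -> group DNs the user is a member of.
LDAP_GROUPS = {
    "sander": ["cn=CiscoVPN,ou=Roles,ou=Radius,DC=ACME,DC=COM"],
    "guest": [],
}

# attribute, operator, value; quoted values may contain commas (group DNs do).
PAIR_RE = re.compile(r'([\w-]+)\s*(==|:=|=)\s*("[^"]*"|[^,\s]+)')


def parse_pairs(text):
    """Split 'A == x, B = "y,z"' into (attr, op, value) triples."""
    pairs = []
    for attr, op, raw in PAIR_RE.findall(text):
        val = raw.strip('"')
        pairs.append((attr, op, int(val) if val.isdigit() else val))
    return pairs


def parse_users(text):
    """An entry starts at an unindented line (name plus check items); the
    indented lines that follow it are its reply items."""
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        if line[0].isspace():
            entries[-1]["reply"].extend(parse_pairs(line))
        else:
            name, _, rest = line.partition(" ")
            entries.append({"name": name, "check": parse_pairs(rest), "reply": []})
    return entries


def huntgroup_for(nas_ip, text=HUNTGROUPS):
    """Return the huntgroup whose NAS-IP-Address check matches, else None."""
    for line in text.splitlines():
        if not line.strip():
            continue
        name, _, rest = line.partition(" ")
        for attr, op, val in parse_pairs(rest):
            if attr == "NAS-IP-Address" and op == "==" and val == nas_ip:
                return name
    return None


def authorize(user, nas_ip, users_text=USERS):
    """Return the reply attributes of the first matching users entry.
    Every check item of an entry must match (they are ANDed); a DEFAULT
    entry matches any user name.  An empty dict means nothing matched, so
    the NAS receives no Cisco-AVPair (or any other reply item) from here."""
    request = {"User-Name": user, "NAS-IP-Address": nas_ip}
    huntgroup = huntgroup_for(nas_ip)
    if huntgroup:
        request["Huntgroup-Name"] = huntgroup
    groups = LDAP_GROUPS.get(user, [])
    for entry in parse_users(users_text):
        if entry["name"] not in ("DEFAULT", user):
            continue
        matched = True
        for attr, op, val in entry["check"]:
            if attr == "Ldap-Group":
                matched = val in groups      # stand-in for rlm_ldap's group check
            else:
                matched = request.get(attr) == val
            if not matched:
                break
        if matched:
            return {attr: val for attr, _, val in entry["reply"]}
    return {}


if __name__ == "__main__":
    for who, nas in (("sander", "192.168.13.1"), ("sander", "203.0.113.9"),
                     ("guest", "192.168.13.1")):
        print(who, nas, authorize(who, nas))
```

The point the model makes is that the two check items are ANDed: the AVPair is only added when the request's NAS address resolves to the CiscoVPN huntgroup and the user is in the LDAP group, and if either fails the DEFAULT entry is skipped silently and the Access-Accept carries no reply items from the users file. Running the real server with radiusd -X shows which of the two check items is the one that does not match.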