Pushing group attribute from OpenDirectory to Cisco

Sander van Loosbroek sander at vanloosbroek.com
Mon Sep 27 00:37:03 CEST 2010

Just wanted to let you all know that I got it working with your instructions. In the end I realized that there were multiple groups associated with each user and that such a lookup wasn't gonna work anyway. I created single user entries like this in the users file:

user1			Cleartext-Password := "userpassword"
				Service-Type = NAS-Prompt-User,
				cisco-avpair = "webvpn:user-vpn-group=management"

The user has to be active in the OpenDirectory as well for this to work but this is desired behaviour in my configuration anyway. Now the avpair gets pushed to the Cisco router and used to select the correct policy in the WebVPN context. I'm gonna write a blogpost on my full setup on http://edgetechnology.wordpress.com that explains the full setup for those interested.

Thank you all for your help.


On 24 sep 2010, at 12:00, freeradius-users-request at lists.freeradius.org wrote:

> Date: Fri, 24 Sep 2010 09:04:34 +0200
> From: Sander van Loosbroek <sander at vanloosbroek.com>
> Subject: Re: Freeradius-Users Digest, Vol 65, Issue 105
> To: freeradius-users at lists.freeradius.org
> Message-ID: <9C852831-8F4D-4DCF-9A2A-1D6C3D8EDD96 at vanloosbroek.com>
> Content-Type: text/plain; charset=us-ascii
> What I'm trying to do is retrieve the user group from the OpenDirectory instead of setting a static one. There is only one NAS and the Mac OS X Server runs a standalone OpenDirectory Master so I don't need any huntgroups then?
> On 24 sep 2010, at 05:42, freeradius-users-request at lists.freeradius.org wrote:
>> Date: Fri, 24 Sep 2010 08:02:38 +1200
>> From: Peter Lambrechtsen <plambrechtsen at gmail.com>
>> Subject: Re: Pushing group attribute from OpenDirectory to Cisco
>> To: FreeRadius users mailing list
>> 	<freeradius-users at lists.freeradius.org>
>> Message-ID:
>> 	<AANLkTik16Nrmbb1OmrVWcFuhTFKnLEDYwvPFs5FydrbT at mail.gmail.com>
>> Content-Type: text/plain; charset="iso-8859-1"
>> In the "users" file is where you specify the reply attributes in my example.
>> So using your example:
>> DEFAULT Huntgroup-Name == CiscoVPN, Ldap-Group ==
>> "cn=CiscoVPN,ou=Roles,ou=Radius,DC=ACME,DC=COM"
>>       Service-Type = "NAS-Prompt-User",
>>       Idle-Timeout = 600,
>>       Cisco-AVPair =
>> "webvpn:user-vpn-group=whatevervpngroupyouwanttoaddtheuserto"
>> Then you can either use the huntgroup file and set the IP addresses of the
>> Routers (NAS's) you're using: http://wiki.freeradius.org/Huntgroups
>> Or you can have the Huntgroups in ldap as per my e-mail, and that would be
>> if you have a more dynamic environment or want to move the NAS between
>> different huntgroups easily.
>> On Fri, Sep 24, 2010 at 2:03 AM, Sander van Loosbroek <
>> sander at vanloosbroek.com> wrote:
>>> Hello Peter and Alan,
>>> Thank you for your reply. I've given the documentation of Peter a look but
>>> I'm not that familiar with LDAP or how its underpinnings work in OS X
>>> Server.
>>> When the Cisco router now authenticates against the FreeRADIUS server all
>>> works fine except for the fact that the group name is not returned with the
>>> webvpn:vpn-user-group attribute. What is unclear to me is how I instruct
>>> FreeRADIUS to include that attribute when it returns the authorization
>>> message. I have made the following addition to my clients file:
>>> client {
>>>      secret = xxx
>>>      shortname = vpn
>>>      nastype = cisco
>>> }
>>> I have added a policy to the Cisco router to pick up the attribute but it
>>> doesn't seem to get through. Can you suggest what to try next?
>>> Thanks,
>>> Sander
>>> -
>>> List info/subscribe/unsubscribe? See
>>> http://www.freeradius.org/list/users.html

More information about the Freeradius-Users mailing list