How to configure radius based on the isakmp group profile

Arran Cudbard-Bell a.cudbardb at freeradius.org
Wed Jul 27 11:10:20 CEST 2011


You're assuming FreeRADIUS will magically strip off the 'isakmp-group-id=' part of the value... AVPairs are Cisco's own invention; they are not part of the RADIUS standard.

It's difficult to do because the order of AVPairs sometimes changes and the == operator will only check the first instance of the attribute.

If you care about it being reliable between Cisco NAS upgrades, upgrade to 3.0x and I'll send you some unlang policies that deal with Cisco-AVPairs properly. If you don't, you can use the following...

authorize {
	# Comment out files
	# files
	# Insert at the end of the authorize section
	update request {
		Auth-Type := "%{control:Auth-Type}"
	}
}

post-auth {
	# Add 
	files.authorize
}

In the users file change

Auth-Type := ntlm_auth_vpn_osw, NAS-IP-Address == 10.1.1.1, Cisco-AVPair == " CiscoGroup "

to

Auth-Type == ntlm_auth_vpn_osw, NAS-IP-Address == 10.1.1.1, Cisco-AVPair == "isakmp-group-id=CiscoGroup"

-Arran

On 27 Jul 2011, at 09:52, Jevos, Peter wrote:

> Hi ,
> My Cisco sends to RADIUS its IP address and isakmp-group-id (or profile name).
> Debug from radius -X:
>  
>         Cisco-AVPair = "isakmp-group-id=CiscoGroup"
>          Acct-Session-Id = "61286"
>         User-Name = "domain\\user"
>         Cisco-AVPair = "connect-progress=No Progress"
>         Acct-Authentic = Local
>         Acct-Status-Type = Start
>         NAS-Port-Type = Virtual
>         NAS-Port = 20
>         NAS-IP-Address = 10.1.1.1
>  
> How should I configure freeradius to accept request for this group (isakmp-group-id=CiscoGroup ) only for users, that are authenticated against Auth-Type := ntlm_auth_vpn_osw ( already used and working ) ?
> However other groups ( or profiles ) should be authenticated against Auth-Type := vpn_auth_name
> I tried these settings in the users file, but it doesn't work:
>  
> DEFAULT    Auth-Type := ntlm_auth_vpn_osw, NAS-IP-Address == 10.1.1.1, Cisco-AVPair == " CiscoGroup "
>            Service-Type = Framed-User,
>            Framed-Protocol = PPP,
>  
> DEFAULT    Auth-Type := vpn_auth_name
>            Service-Type = Framed-User,
>            Framed-Protocol = PPP,
>  
> Thanks
>  
> pet
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Arran Cudbard-Bell
a.cudbardb at freeradius.org

RADIUS - Half the complexity of Diameter
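Added illustration (not code from the thread or from FreeRADIUS): a small Python model of the two ways of matching Cisco-AVPair that the reply contrasts. The sample requests are constructed from the radiusd -X output quoted above, with the AVPair order swapped in the second one to show what a NAS is free to do; the Auth-Type names are the ones used in the thread. first_instance_match() behaves like a users-file check item, which only sees the first instance of a multi-valued attribute, while cisco_avpairs() parses every instance as key=value so the isakmp-group-id can be found wherever it sits.

```python
import re
from typing import Dict, List, Optional, Tuple

Request = List[Tuple[str, str]]

# Constructed sample request, modelled on the radiusd -X output quoted in
# the thread (not a real capture). Cisco sends several Cisco-AVPair
# instances and their order is not guaranteed.
REQUEST_A: Request = [
    ("Cisco-AVPair", "isakmp-group-id=CiscoGroup"),
    ("Acct-Session-Id", "61286"),
    ("User-Name", "domain\\user"),
    ("Cisco-AVPair", "connect-progress=No Progress"),
    ("NAS-IP-Address", "10.1.1.1"),
]

# Same attributes with the two AVPairs swapped: an order a NAS may well
# use after an IOS upgrade.
REQUEST_B: Request = [
    ("Cisco-AVPair", "connect-progress=No Progress"),
    ("Acct-Session-Id", "61286"),
    ("User-Name", "domain\\user"),
    ("Cisco-AVPair", "isakmp-group-id=CiscoGroup"),
    ("NAS-IP-Address", "10.1.1.1"),
]

# A request for some other ISAKMP group on the same NAS (constructed).
REQUEST_C: Request = [
    ("Cisco-AVPair", "isakmp-group-id=OtherGroup"),
    ("User-Name", "domain\\user"),
    ("NAS-IP-Address", "10.1.1.1"),
]

# key=value, tolerating spaces around '=' and at the ends.
AVPAIR_RE = re.compile(r"^\s*([^=\s]+)\s*=\s*(.*?)\s*$")


def first_instance_match(request: Request, attr: str, expected: str) -> bool:
    """Model of a users-file check item  attr == "expected"  as described in
    the reply: only the first instance of attr in the request is compared."""
    for name, value in request:
        if name == attr:
            return value == expected
    return False


def cisco_avpairs(request: Request) -> Dict[str, str]:
    """Parse every Cisco-AVPair instance as key=value, whatever the order.
    Instances that are not of the form key=value are ignored."""
    pairs: Dict[str, str] = {}
    for name, value in request:
        if name != "Cisco-AVPair":
            continue
        m = AVPAIR_RE.match(value)
        if m:
            pairs[m.group(1)] = m.group(2)
    return pairs


def first_value(request: Request, attr: str) -> Optional[str]:
    """First instance of a single-valued attribute such as NAS-IP-Address."""
    return next((v for n, v in request if n == attr), None)


def select_auth_type(request: Request, nas_ip: str = "10.1.1.1",
                     group: str = "CiscoGroup") -> str:
    """The policy the question asks for: the NTLM Auth-Type for one ISAKMP
    group on one NAS, the generic VPN Auth-Type for everything else."""
    if (first_value(request, "NAS-IP-Address") == nas_ip
            and cisco_avpairs(request).get("isakmp-group-id") == group):
        return "ntlm_auth_vpn_osw"
    return "vpn_auth_name"


if __name__ == "__main__":
    for label, req in (("A", REQUEST_A), ("B", REQUEST_B), ("C", REQUEST_C)):
        print(label,
              first_instance_match(req, "Cisco-AVPair",
                                   "isakmp-group-id=CiscoGroup"),
              select_auth_type(req))
```

Run stand-alone it shows request A matching and request B not matching under first-instance comparison, while select_auth_type() picks ntlm_auth_vpn_osw for both and vpn_auth_name for request C. In a real server this per-instance parsing is what an unlang policy in the authorize section has to do; a users-file `==` on Cisco-AVPair cannot.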
