Cisco AV Pair
flemingdp at gmail.com
Mon Jul 28 21:12:18 CEST 2014
Reading the documentation I am still at a loss. I am familiar on how to do
this with Cisco ACS, but looking to do it now with free radius. I now have
it working if I check the Cisco-avpair under the user in dalo Radius
(Cisco-avpair =~ .*SSID$) . Is there a way to configure this so i dont have
to keep typing that attribute under every user? I thought the group would
work, but from what you are saying it sounds like it wouldnt. I have tried
saying if it doesnt match the above regex then the Radgroupreply says (
Auth-Typ := Reject)
Thank you for your time.
On Mon, Jul 28, 2014 at 2:15 PM, Alan DeKok <aland at deployingradius.com>
> Dan Fleming wrote:
> > Thank you I have read through it makes sense. So how do I do something
> > based on the results?
> The SQL document talks about "radreply", which lets you do something
> with the results.
> > I would like to only authorize a connection if the
> > users password matches and they are connecting to the correct ssid in
> > the av-pair. Is there a HOWTO or other document outlining how to do
> No. Because that's a specific solution. The documents describe how
> the server works, and lets you put it together yourself.
> For your situation, the key is to understand that the server accepts
> users if their password is correct. If you add more conditional checks,
> the user is still accepted.
> The solution is either to:
> a) set the "known good" password ONLY if the conditions also match. The
> SQL documentation describes how to set conditions
> b) if the password is stored somewhere else (e.g. LDAP), then you need
> to REJECT the user if the conditions match.
> Alan DeKok.
> List info/subscribe/unsubscribe? See
-------------- next part --------------
An HTML attachment was scrubbed...
More information about the Freeradius-Users