Cisco AV Pair

Dan Fleming flemingdp at gmail.com
Tue Jul 29 14:27:11 CEST 2014


Reading the documentation, I am still at a loss. I am familiar with how to do
this with Cisco ACS, but looking to do it now with FreeRADIUS. I now have
it working if I check the Cisco-avpair under the user in daloRADIUS
(Cisco-avpair =~ .*SSID$). Is there a way to configure this so I don't have
to keep typing that attribute under every user? I thought the group would
work, but from what you are saying it sounds like it wouldn't. I have tried
saying if it doesn't match the above regex then the Radgroupreply says
(Auth-Type := Reject).

Thank you for your time.

Dan


On Mon, Jul 28, 2014 at 2:15 PM, Alan DeKok <aland at deployingradius.com>
wrote:
>
> Dan Fleming wrote:
> > Thank you, I have read through it and it makes sense. So how do I do
> > something based on the results?
>
>   The SQL document talks about "radreply", which lets you do something
> with the results.
>
> > I would like to only authorize a connection if the
> > user's password matches and they are connecting to the correct ssid in
> > the av-pair. Is there a HOWTO or other document outlining how to do that?
>
>   No.  Because that's a specific solution.  The documents describe how
> the server works, and let you put it together yourself.
>
>   For your situation, the key is to understand that the server accepts
> users if their password is correct.  If you add more conditional checks,
> the user is still accepted.
>
>   The solution is either to:
>
> a) set the "known good" password ONLY if the conditions also match.  The
> SQL documentation describes how to set conditions
>
> b) if the password is stored somewhere else (e.g. LDAP), then you need
> to REJECT the user if the conditions match.
>
>   Alan DeKok.
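An added example (not from the thread, and not FreeRADIUS or daloRADIUS code): option (a) applied in bulk, so the `Cisco-AVPair =~ .*SSID$` check item sits beside every user's password row without being typed per user, with an audit query for users still missing it. Assumptions: the stock `radcheck` columns, `Cleartext-Password` as the stored password attribute, an in-memory SQLite table standing in for the real database, and constructed usernames and passwords.

```python
import sqlite3

# Regex copied from the thread; the password attribute is an assumption.
SSID_ROW = ("Cisco-AVPair", "=~", ".*SSID$")
PASSWORD_ATTR = "Cleartext-Password"

def make_db():
    """In-memory stand-in for radcheck, filled with constructed users."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE radcheck (id INTEGER PRIMARY KEY, username TEXT,"
                 " attribute TEXT, op TEXT, value TEXT)")
    conn.executemany(
        "INSERT INTO radcheck (username, attribute, op, value) VALUES (?, ?, ?, ?)",
        [("alice", PASSWORD_ATTR, ":=", "constructed-pw-1"),
         ("alice",) + SSID_ROW,                      # already restricted
         ("bob", PASSWORD_ATTR, ":=", "constructed-pw-2"),
         ("carol", PASSWORD_ATTR, ":=", "constructed-pw-3")])
    return conn

MISSING_SQL = """
SELECT DISTINCT p.username FROM radcheck p
WHERE p.attribute = ?
  AND NOT EXISTS (SELECT 1 FROM radcheck c
                  WHERE c.username = p.username
                    AND c.attribute = ? AND c.op = ? AND c.value = ?)
ORDER BY p.username
"""

def users_missing_ssid_check(conn):
    """Users with a password row but no SSID condition beside it."""
    rows = conn.execute(MISSING_SQL, (PASSWORD_ATTR,) + SSID_ROW)
    return [r[0] for r in rows]

def add_ssid_check(conn):
    """Insert the condition row for each such user; return how many were added."""
    missing = users_missing_ssid_check(conn)
    conn.executemany(
        "INSERT INTO radcheck (username, attribute, op, value) VALUES (?, ?, ?, ?)",
        [(user,) + SSID_ROW for user in missing])
    conn.commit()
    return len(missing)

if __name__ == "__main__":
    db = make_db()
    print("unrestricted before:", users_missing_ssid_check(db))
    print("rows added:", add_ssid_check(db))
    print("unrestricted after:", users_missing_ssid_check(db))
```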