Conditional shell:priv-lvl as login reply on CISCO using client's source net and user's ldap attribute.
Giuseppe Civitella
gcivitella at enter.eu
Mon Jan 15 18:31:28 CET 2018
On 12/01/2018 17:12, Alan DeKok wrote:
> You can do it. But you need to have the query return one object... as the error message tells you.
>
So I fixed my queries.
I used something like
&FreeRADIUS-Client-Secret = "%{ldap:ldap:///BASEDN?radiusClientSecret?one?(radiusClientIdentifier=%{Packet-Src-IP-Address})}"
instead of
&FreeRADIUS-Client-Secret = "%{ldap:ldap:///BASEDN?radiusClientSecret,objectClass?one?(radiusClientIdentifier=%{Packet-Src-IP-Address})}"
And I've been able to send the auth request to a virtual server where I
reply with a Cisco auth level after looking up the user's LDAP attributes.
Something like:
if ("%{ldap:ldap://127.0.0.1/BASEDN?objectClass?one?(&(o=ciscoAdminGroup1)(cn=%{User-Name}))}") {
        update reply {
                Reply-Message += "Hello ciscoAdminGroup1 member!"
                Cisco-AVPair += "shell:priv-lvl=15"
        }
}
I'm not done yet, but I wanted to share the result.
Regards,
Giuseppe
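For readers following the same approach, the following is a fuller FreeRADIUS 3.x configuration in the same style. It is an added example, not configuration from the post or from the FreeRADIUS project: the dynamic-client lookup that resolves the NAS by its source address with one single-attribute ldap xlat per client attribute, and the virtual server that maps group membership to shell:priv-lvl, with an explicit reject when the user is in no management group. The 192.0.2.0/24 NAS range, the virtual server name cisco-mgmt, the second group ciscoOperGroup1 and the NAS-Type value are assumptions; radiusClientIdentifier, radiusClientSecret, ciscoAdminGroup1 and BASEDN follow the post.

```unlang
# Added example, not part of the original post. Assumed names: the
# 192.0.2.0/24 NAS range, the virtual server "cisco-mgmt" and the LDAP
# group ciscoOperGroup1. radiusClientIdentifier, radiusClientSecret and
# ciscoAdminGroup1 follow the post; replace BASEDN with your own base DN.

# Dynamic client definition (raddb/sites-enabled/dynamic-clients style):
# any NAS in the range is resolved through dynamic_client_server.
client dynamic {
        ipaddr          = 192.0.2.0/24
        dynamic_clients = dynamic_client_server
        lifetime        = 3600
}

server dynamic_client_server {
        authorize {
                update control {
                        # One ldap xlat per client attribute: each URL names
                        # exactly one attribute, as the thread points out;
                        # "radiusClientSecret,objectClass" in one URL fails.
                        &FreeRADIUS-Client-IP-Address     = "%{Packet-Src-IP-Address}"
                        &FreeRADIUS-Client-Secret         = "%{ldap:ldap:///BASEDN?radiusClientSecret?one?(radiusClientIdentifier=%{Packet-Src-IP-Address})}"
                        &FreeRADIUS-Client-Shortname      = "%{Packet-Src-IP-Address}"
                        &FreeRADIUS-Client-NAS-Type       = "cisco"
                        &FreeRADIUS-Client-Virtual-Server = "cisco-mgmt"
                }

                # No secret for this source address means it is not a
                # registered NAS: anything other than "ok" here leaves the
                # client undefined instead of accepting an empty secret.
                if (!&control:FreeRADIUS-Client-Secret) {
                        reject
                }
                ok
        }
}

# Virtual server the dynamic client is bound to via
# FreeRADIUS-Client-Virtual-Server; no listen section is needed.
server cisco-mgmt {
        authorize {
                ldap
                # If the directory does not expose userPassword, set
                # "Auth-Type := LDAP" here instead so rlm_ldap binds as the user.
                pap
        }

        authenticate {
                Auth-Type PAP {
                        pap
                }
                Auth-Type LDAP {
                        ldap
                }
        }

        post-auth {
                # The xlat returns the matched entry's objectClass, so a
                # non-empty expansion means "the user is in that group".
                if ("%{ldap:ldap:///BASEDN?objectClass?one?(&(o=ciscoAdminGroup1)(cn=%{User-Name}))}") {
                        update reply {
                                &Reply-Message += "Hello ciscoAdminGroup1 member!"
                                &Cisco-AVPair  += "shell:priv-lvl=15"
                        }
                }
                elsif ("%{ldap:ldap:///BASEDN?objectClass?one?(&(o=ciscoOperGroup1)(cn=%{User-Name}))}") {
                        update reply {
                                &Cisco-AVPair += "shell:priv-lvl=1"
                        }
                }
                else {
                        # Valid credentials but no management group: reject
                        # rather than let the NAS apply its default level.
                        update reply {
                                &Reply-Message := "Not authorized for device management"
                        }
                        reject
                }

                Post-Auth-Type REJECT {
                        attr_filter.access_reject
                }
        }
}
```

The else branch is the part a practitioner most often forgets: without it, every user who can authenticate gets an Access-Accept carrying no priv-lvl, and the device decides what that means. Values expanded inside the ldap xlat URL (here %{User-Name}) are escaped by rlm_ldap's xlat escape function, so a user name containing filter metacharacters does not widen the search filter.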
More information about the Freeradius-Users mailing list