How to restrict authorization to members of FreeIPA group
Alan DeKok
aland at deployingradius.com
Tue Jul 9 15:05:06 CEST 2019
On Jul 9, 2019, at 3:01 PM, Kees Bakker via Freeradius-Users <freeradius-users at lists.freeradius.org> wrote:
> We have a Cisco for VPN and we have FreeIPA for the user administration.
> What I want is to only allow users in a FreeIPA group to connect to the VPN.
> Notice that, as far as FreeRADIUS is concerned, FreeIPA is just an LDAP
> server.
That's good.
> So far I am able to connect the radius server to our FreeIPA server. Using
> the radtest command I can see that authentication works. (I'm not sure
> about authorization, though.)
RADIUS uses one packet for authentication and authorization.
> The Cisco is configured and FreeIPA users can connect to the VPN. However, I
> haven't figured out how to restrict VPN to only users from a specific group.
>
> Which configuration file do I need to adapt? Where should I be looking?
You need to check LDAP groups. See sites-available/default.
In the "post-auth" section, add:
    if (LDAP-Group == "groupname") {
        update reply {
            Tunnel-Type := VLAN
            Tunnel-Medium-Type := IEEE-802
            Tunnel-Private-Group-ID := "vlan name"
        }
    }
Alan DeKok.
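A deny-by-default variant of the group check above, added here as an example and not part of the original reply: anyone whose LDAP-Group lookup does not match is rejected instead of merely getting no VLAN attributes. The group name "vpn-users" and the Reply-Message text are assumptions, and it assumes the ldap module's group section is configured so that LDAP-Group resolves against FreeIPA.

```unlang
post-auth {
    # Added example, not from the original post. "vpn-users" is an assumed group name.
    # LDAP-Group is resolved by the ldap module, so its group { } section (membership
    # attribute or membership filter) must be configured for this comparison to work.
    if (!(LDAP-Group == "vpn-users")) {
        update reply {
            Reply-Message := "Access denied: not a member of the VPN group"
        }
        # Turns the pending Access-Accept into an Access-Reject.
        reject
    }
}
```

Verify with radtest (or radiusd -X) using one account inside the group and one outside it, and confirm the second receives Access-Reject.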