On Thu, 13 Jan 2005, Costas Christonis wrote:

> DD> On Wed, 12 Jan 2005, Costas Christonis wrote:
>
> >> GC> Hello,
> >>
> >> GC> Costas Christonis wrote:
> >> >> Hi to all,
> >> >> I'm trying to set up telnet access for my users through a RADIUS and LDAP
> >> >> server.
> >> >> What I did until now is that everyone that has the attribute
> >> >> "Service-Type" with the value "exec-user" can telnet to my Cisco
> >> >> switches and routers at privilege level 5.
> >> >> I inserted the attribute "Ciscoavpair" with the value
> >> >> "exec:priv-lvl=0" or with the value "exec:privilege-level=0", but
> >> >> nothing happens; everyone can telnet to my switches and log on at
> >> >> privilege level 5.
> >>
> >> GC> It's called Cisco-AVPair, not CiscoAVPair.
> >>
> >> >> Can anyone help me?
> >> >>
> >> >> Best regards
> >>
> >> GC> Best Regards,
> >>
> >> Yes, that's correct, but in LDAP the attribute is radiusciscovapair anyway,
> >> is that right? So I don't think that the problem is that...
> >>
> DD> Do you have ldap.attrmap set up to map Cisco-AVPair to radiusciscovapair as
> DD> a reply item?
>
> DD> What are you actually sending back in your reply? radiusd -X will show
> DD> you that.
>
> DD> -
> DD> List info/subscribe/unsubscribe? See
> DD> http://www.freeradius.org/list/users.html
>
> Hello Dustin, and thanks for your response..... What exactly do I have
> to do with the ldap.attrmap? Is there any doc to read about it? Because
> the only thing that I did was to insert the LDAP attribute in the account
> and do some tests....
ldap.attrmap maps RADIUS attributes to LDAP attributes for use in check items
and reply items. If you read the file, at the top it has a basic explanation.
I'll give you an example. Say you have a RADIUS attribute called Cisco-AVPair
that you want to send back to the NAS as a reply item. The values for that
attribute are located in your LDAP directory under the attribute ciscoavpair.
For example, your user in LDAP would look like this:

dn: uid=name,ou=....
ciscoavpair: "some string for cisco"

In order to tell radius that you want to send back ciscoavpair from LDAP as a
RADIUS attribute of Cisco-AVPair, you must use ldap.attrmap:

replyItem Cisco-AVPair ciscoavpair
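As an added example (not code from this thread or from FreeRADIUS itself), the Python below simulates what rlm_ldap does with ldap.attrmap: it reads a small attrmap fragment, reads two constructed LDIF entries, and shows which RADIUS check and reply items come out for each user. The attrmap lines, the LDIF, the user names and the attribute names radiusNASIpAddress and radiusServiceType (RADIUS-LDAPv3 schema naming) are assumptions made for the example. Two points the thread itself does not spell out: Cisco IOS takes the EXEC privilege level from the AV pair shell:priv-lvl=N, so that is the string stored here; and an LDAP attribute that is not listed in ldap.attrmap is simply ignored, so no Cisco-AVPair reaches the NAS and the router silently falls back to its default privilege level, which matches what the original poster observed.

```python
"""Simulation of how FreeRADIUS' rlm_ldap turns LDAP attributes into RADIUS
check items and reply items via ldap.attrmap.  Added example, not FreeRADIUS
code; every mapping, entry and value below is constructed for illustration."""
import re
from typing import Dict, List, Tuple

# Constructed ldap.attrmap fragment.
# Format: <checkItem|replyItem> <RADIUS attribute> <LDAP attribute>
LDAP_ATTRMAP = """\
# check items are compared against the request, reply items go back to the NAS
checkItem   NAS-IP-Address   radiusNASIpAddress
replyItem   Service-Type     radiusServiceType
replyItem   Cisco-AVPair     ciscoavpair
"""

# Constructed LDIF.  'costas' stores the AV pair under the mapped attribute;
# 'bob' stores it under a name ldap.attrmap does not know, so it is dropped.
# shell:priv-lvl=N is the AV pair Cisco IOS reads for the EXEC privilege level.
USERS_LDIF = """\
dn: uid=costas,ou=people,dc=example,dc=com
uid: costas
radiusServiceType: NAS-Prompt-User
ciscoavpair: shell:priv-lvl=1

dn: uid=bob,ou=people,dc=example,dc=com
uid: bob
radiusServiceType: NAS-Prompt-User
radiusciscovapair: shell:priv-lvl=1
"""


def parse_attrmap(text: str) -> Dict[str, Tuple[str, str]]:
    """Return {ldap_attr_lowercased: (item_kind, radius_attr)}.
    LDAP attribute type names are case-insensitive, hence the lower()."""
    mapping: Dict[str, Tuple[str, str]] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blanks
        if not line:
            continue
        kind, radius_attr, ldap_attr = line.split()
        if kind not in ("checkItem", "replyItem"):
            raise ValueError(f"bad attrmap line: {raw!r}")
        mapping[ldap_attr.lower()] = (kind, radius_attr)
    return mapping


def parse_ldif(text: str) -> Dict[str, Dict[str, List[str]]]:
    """Return {uid: {attr_lowercased: [values]}} for simple, unfolded LDIF."""
    entries: Dict[str, Dict[str, List[str]]] = {}
    for block in re.split(r"\n\s*\n", text.strip()):
        attrs: Dict[str, List[str]] = {}
        for line in block.splitlines():
            name, _, value = line.partition(":")   # first ':' only; values may contain ':'
            attrs.setdefault(name.strip().lower(), []).append(value.strip())
        entries[attrs["uid"][0]] = attrs
    return entries


def build_items(entry: Dict[str, List[str]],
                mapping: Dict[str, Tuple[str, str]]
                ) -> Tuple[List[Tuple[str, str]], List[Tuple[str, str]]]:
    """Apply the attrmap to one entry: every LDAP attribute named in the map
    becomes a check or reply item (one per value); unmapped attributes vanish."""
    check: List[Tuple[str, str]] = []
    reply: List[Tuple[str, str]] = []
    for ldap_attr, values in entry.items():
        if ldap_attr not in mapping:
            continue
        kind, radius_attr = mapping[ldap_attr]
        target = check if kind == "checkItem" else reply
        for value in values:
            target.append((radius_attr, value))
    return check, reply


def reply_items_for(uid: str) -> List[Tuple[str, str]]:
    """Reply items the NAS would receive for one user, given the constructed data."""
    mapping = parse_attrmap(LDAP_ATTRMAP)
    entry = parse_ldif(USERS_LDIF)[uid]
    return build_items(entry, mapping)[1]


if __name__ == "__main__":
    for uid in ("costas", "bob"):
        print(uid, reply_items_for(uid))
```

Compare the printed reply items with what `radiusd -X` shows for a real request: if the Cisco-AVPair line is missing there as it is for "bob" above, the attribute name in the directory and the LDAP attribute column of ldap.attrmap do not agree.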

