Hello,
I'm using freeradius 1.0.4 with openldap 2.2.24 to authenticate users on
cisco switches.
Every switch belongs to a specific group and for every user I'm setting
the groups he can access. I also use cisco avpairs for level privilege.
So far , so good!
The problems occured when I tried to make a user to have different level
privileges on different switches .
This is the profile I'm using :
# test, radius, isp.ro
dn: uid=test,ou=radius,dc=isp,dc=ro
uid: test
objectClass: radiusprofile
cn: test
userPassword:: xxx
radiusGroupName: bucuresti
radiusGroupName: valcea
radiusServiceType: NAS-Prompt-User
# bucuresti, test, radius, isp.ro
dn: cn=bucuresti,uid=test,ou=radius,dc=isp,dc=ro
uid: test
objectClass: radiusprofile
userPassword:: xxx
radiusGroupName: bucuresti
radiusServiceType: NAS-Prompt-User
radiusCiscoLevel: "shell:priv-lvl=15"
cn: bucuresti
# valcea, test, radius, isp.ro
dn: cn=valcea,uid=test,ou=radius,dc=isp,dc=ro
uid: test
objectClass: radiusprofile
userPassword:: xxx
radiusGroupName: valcea
radiusServiceType: NAS-Prompt-User
radiusCiscoLevel: "shell:priv-lvl=7"
cn: valcea
raddb/users
# Switch 192.168.50.202
# Descriere test
DEFAULT NAS-IP-Address == 192.168.50.202, Ldap-Group == bucuresti
Fall-Through = no
DEFAULT Auth-Type := Reject
what I need is to filter the ldap search in authorize section based on
GroupName and I don't know how.
--
................................................................
Mircea Harapu
Abuse Engineer, RDS NOC in Bucharest
t: 021-301.08.50 f: 021-301.08.51
e: [EMAIL PROTECTED] w: www.rdslink.ro
................................................................
Privileged/Confidential Information may be contained in this
message. If you are not the addressee indicated in this message
(or responsible for delivery of the message to such person),
you may not copy or deliver this message to anyone. In such a
case, you should destroy this message and kindly notify the
sender by reply e-mail.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html