Rob Shepherd wrote:
Dear FreeRADIUS users,
I am a radius newbie.
Please could anybody point me at a ref for migrating from Cisco ACS server.
I'd specifically like to understand how I can get FreeRADIUS to reply to
my switches, firewalls, VPN and wireless controller with the
right/appropriate data.
For example, if, on the current ACS server, I set the host where
'radtest' lives to...
"authenticate using" -> "RADIUS (Cisco aironet)",
...I get back the correct wireless vlan info. If I then set it to
authenticate using "RADIUS (VPN 3000)", I don't get back the vlan info
but the Cisco-AVPair = "shell:priv-lvl=15" response is present.
In addition, I'd like to determine how I can restrict access to specific
groups through specific devices.
I'll be using both LDAP and MySQL for user info.
Take a look at doc/Autz-Type. The basic recipe is:
1. Use the "huntgroups" file to group your NASes (e.g. into wireless,
VPN, switches, routers, etc.)
2. In the "users" file, match on Huntgroup-Name and set Autz-Type
3. In the "authorize" section of "radiusd.conf", define a sub-section
for each service, with any modules needed e.g.:
authorize {
        # top-level: preprocess reads "huntgroups" and sets Huntgroup-Name,
        # files reads "users" and sets Autz-Type (plus any reply items)
        preprocess
        files
        # per-service: only runs when Autz-Type was set to VPN above
        Autz-Type VPN {
                # modules here
        }
}
Some care is needed if you need an authentication module twice, e.g. if
wireless needs mschap against a domain but VPN needs mschap against
plaintext passwords, but it's relatively easy. The key is to remember
you can have >1 instance of a module (e.g. see the "passwd" modules in
the default radiusd.conf).
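The three-file recipe above, together with the two-instance trick for mschap, worked through as one added example (it is my illustration, not configuration from this thread or from the FreeRADIUS project). The NAS addresses, huntgroup names, VLAN number, LDAP group name and the ntlm_auth path are constructed placeholders; the mschap "authtype" option, the Ldap-Group check item and the 1.x-style "modules" block are assumed from the FreeRADIUS 1.x defaults and should be checked against the radiusd.conf you actually ship.

```conf
# ---- huntgroups: classify NASes by device type (addresses are constructed) ----
wireless    NAS-IP-Address == 192.0.2.10
wireless    NAS-IP-Address == 192.0.2.11
vpn         NAS-IP-Address == 192.0.2.20
switches    NAS-IP-Address == 192.0.2.30

# ---- users: match Huntgroup-Name, pick the Autz-Type, and shape the reply ----
# Wireless controllers get the VLAN triplet (RFC 3580 tunnel attributes).
DEFAULT Huntgroup-Name == "wireless", Autz-Type := WIRELESS
        Tunnel-Type = VLAN,
        Tunnel-Medium-Type = IEEE-802,
        Tunnel-Private-Group-Id = "20",
        Fall-Through = No

# VPN concentrator: no VLAN info, just the Autz-Type for the VPN branch.
DEFAULT Huntgroup-Name == "vpn", Autz-Type := VPN
        Fall-Through = No

# Switches: only members of one LDAP group (assumed name) may log in,
# and they get the Cisco privilege level; everyone else is rejected.
DEFAULT Huntgroup-Name == "switches", Ldap-Group == "netadmins", Autz-Type := SWITCH
        Cisco-AVPair = "shell:priv-lvl=15",
        Fall-Through = No
DEFAULT Huntgroup-Name == "switches", Auth-Type := Reject
        Reply-Message = "Not permitted on network devices"

# ---- radiusd.conf: two mschap instances and per-service authorize branches ----
modules {
        # mschap against the Windows domain via Samba's ntlm_auth
        # (path and exact arguments are placeholders; "authtype" assumed)
        mschap mschap_ad {
                authtype = MS-CHAP-AD
                with_ntdomain_hack = yes
                ntlm_auth = "/path/to/ntlm_auth --request-nt-key --username=%{Stripped-User-Name:-%{User-Name}} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}"
        }
        # mschap against cleartext passwords that ldap/sql place in the request
        mschap mschap_local {
                authtype = MS-CHAP
        }
        ldap { # server, basedn, password_attribute etc. as in your site config
        }
        sql  { # driver, server, login, radius_db etc. as in your site config
        }
}

authorize {
        preprocess          # reads huntgroups, sets Huntgroup-Name
        files               # reads users, sets Autz-Type and reply items
        Autz-Type WIRELESS {
                mschap_ad   # sets Auth-Type := MS-CHAP-AD for domain users
                ldap
        }
        Autz-Type VPN {
                mschap_local
                sql
        }
        Autz-Type SWITCH {
                ldap
        }
}

authenticate {
        Auth-Type MS-CHAP-AD {
                mschap_ad
        }
        Auth-Type MS-CHAP {
                mschap_local
        }
}
```

The ordering matters: preprocess must run before files (so Huntgroup-Name exists to match on), and each Autz-Type branch runs only for requests the users file tagged with that value, which is what lets one server answer the wireless controller with a VLAN and the switch with a privilege level while rejecting non-admins at the switch outright. Verify each device class with radtest and check the reply attributes in the debug output (radiusd -X) before cutting over from ACS.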
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html