OK, it works fine now with this in the users file:

Robert Auth-Type = LDAP
	service-Type = NAS-Prompt-User,
	cisco-avpair = "shell:priv-lvl=1"

But it is said in radius.conf not to use Auth-Type = LDAP.
So is there another solution to add these attributes in the reply?

Thomas

> Message of 27/10/06 at 10:27
> From: "[EMAIL PROTECTED]" <[EMAIL PROTECTED]>
> To: [email protected]
> Cc:
> Subject: openldap+freeradius+Cisco
>
> Hi,
> I'm trying to authenticate and authorize Cisco routers administrators. But not the authorization (privilege level). So not when I add "aaa authorization exec default group radiusvrf if-authenticated" to the Cisco router to be able to manage privileges with radius.
> To make it work, I think I need to configure Service-Type and cisco-avpair attributes for each user to get the authorization from the Cisco router.
> I want to configure these attributes in freeradius, not in openldap.
> So, is it possible to add these attributes to a specific user in the raddb/users file after he has been authenticated by ldap? Or must I do it differently?
>
> in raddb/radiusd.conf:
> authorize {
>     preprocess
>     files
>     ldap
> }
>
> authenticate {
>     Auth-Type PAP {
>         pap
>     }
>     Auth-Type LDAP {
>         ldap
>     }
> }
>
> I tried with a user and a DEFAULT user:
> raddb/users:
> Robert Service-Type = NAS-Prompt-User
> 	cisco-avpair = "shell:priv-lvl=1"
>
> DEFAULT Service-Type = NAS-Prompt-User
> 	cisco-avpair = "shell:priv-lvl=1"
>
> But these attributes seem not to be sent to the router. When ldap is in authorize in radiusd.conf, the users file is not checked anymore?
> Thanks for your help
> Thomas
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
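
Added example, not part of the original message and not FreeRADIUS code: a simplified Python model of the users file layout (the first line of an entry holds the name plus check items, indented lines hold reply items), run over the entries quoted above. The function names and the NO_CHECK sample are assumptions made for illustration; quoted user names containing spaces are not handled.

```python
import re

def split_items(line):
    """Split 'A = b, C = "d,e"' on commas that are outside double quotes."""
    parts = re.findall(r'(?:[^,"]|"[^"]*")+', line)
    return [p.strip() for p in parts if p.strip()]

def parse_users(text):
    """An unindented line starts an entry and carries the name plus check
    items; indented lines that follow carry that entry's reply items."""
    entries = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue  # blank line or comment
        if raw[0] in " \t":
            if not entries:
                raise ValueError("reply line before any entry")
            entries[-1]["reply"] += split_items(raw)
        else:
            fields = raw.split(None, 1)
            rest = fields[1] if len(fields) > 1 else ""
            entries.append({"name": fields[0],
                            "check": split_items(rest), "reply": []})
    return entries

# Entry as quoted in the first message: Service-Type is on the first line.
AS_POSTED = ('Robert Service-Type = NAS-Prompt-User\n'
             '\tcisco-avpair = "shell:priv-lvl=1"\n')

# Entry reported as working in the follow-up.
WORKING = ('Robert Auth-Type = LDAP\n'
           '\tservice-Type = NAS-Prompt-User,\n'
           '\tcisco-avpair = "shell:priv-lvl=1"\n')

# Constructed for comparison (assumption): empty check list, both
# attributes on indented lines. Not tested against a server.
NO_CHECK = ('Robert\n'
            '\tService-Type = NAS-Prompt-User,\n'
            '\tcisco-avpair = "shell:priv-lvl=1"\n')

if __name__ == "__main__":
    for label, text in (("as posted", AS_POSTED), ("working", WORKING),
                        ("no check items", NO_CHECK)):
        for e in parse_users(text):
            print(f'{label}: {e["name"]} check={e["check"]} reply={e["reply"]}')
```

In the entry as posted, Service-Type sits on the first line, so this layout makes it a check item and leaves cisco-avpair as the only reply item.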

