Hi Osvaldo, I had the same problems as you, but I would use a MySQL database. First: a Cisco VPN 3000 knows two different ways to authenticate a user: the user group, which defines the standard behavior for a user, and the user itself, where you can change the behaviors of the group.
It's not possible to create a group outside of the VPN gateway. In that case, you can only use one group for all users.

Ronald Bruska

-------- Original Message --------
> Date: Tue, 09 Sep 2008 17:19:16 -0400
> From: "Osvaldo Campos M. - Administrador Red STI" <[EMAIL PROTECTED]>
> To: Leonardo Reginin <[EMAIL PROTECTED]>
> CC: FreeRadius users mailing list <[email protected]>
> Subject: Re: Cisco VPN Server 3000 + Radius + LDAP = heeelp!!
>
> Hi...
>
> Thanks for your answer Leonardo but, if I define the groups in the Cisco
> VPN Server, it will be enough to know the password of another defined
> group to obtain an address from a group to which I don't really
> belong. I.e., if a Sales user knows the password of the Development group,
> he can receive a Development address.
>
> For this reason I should assign the address according to the
> value of the LDAP attribute, because this value identifies the user's type
> and, therefore, the address that he should have.
>
> Other ideas for this, please??
>
> Osvaldo H. Campos Molina
> Network Administrator
> STI - Univ. de Chile
>
>
> Leonardo Reginin wrote:
> > If I understood what you need ...
> >
> > Using Cisco VPN Client, you can define "Groups" in the Cisco
> > Concentrator ...
> >
> > Configuration -> User Management -> Groups
> >
> > ... and assign an "Address Pool" to each group. According to the Group
> > used in the Cisco VPN Client, the user will receive an IP address
> > from a different Address Pool.
> >
> > Create the Group and upon that create the Address Pool
> >
> > Configuration -> User Management -> Groups -> Address Pools
> >
> > Best Regards,
> >
> > Leonardo
> >
> > Osvaldo Campos M. - Administrador Red STI wrote:
> >> Hi people:
> >> First of all, sorry but my English is not good.
> >>
> >> I'm a newbie in FreeRadius and I am in a hurry with Cisco VPN Server
> >> 3000, FreeRadius and LDAP, to permit VPN users' access.
> >> When VPN users connect (with "Cisco VPN Client"), Radius consults
> >> LDAP to see if the user exists. If he exists, then the user can connect
> >> to the VPN. If not, he can't connect. This works well.
> >> Now, I should also assign IP addresses according to an LDAP
> >> attribute. For example, if attribute==1 assign 10.0.0.10/24, if
> >> attribute==2 assign 10.0.0.20/24.
> >> I tried to assign IP addresses with the "ippool module" and filters in the
> >> "ldap module" in FreeRadius, but it doesn't work.
> >> How can I work with many ippools according to the value of an LDAP
> >> attribute? Where should I ask for the attribute value in order to
> >> assign the corresponding ippool? Please, help me with that.
> >>
> >>
> >> My config is something like this:
> >> In the radius.conf file...
> >>
> >>   ldap vpnldap1 {
> >>       server = "x.x.x.x"
> >>       identity = "cn=Directory Manager"
> >>       password = **********
> >>       basedn = "ou=People, dc=blah, dc=cl"
> >>       filter = "(&(uid=%u)(attribute=1))"
> >>       authtype = ldap
> >>       set_auth_type = yes
> >>   }
> >>   ldap vpnldap2 {
> >>       server = "x.x.x.x"
> >>       identity = "cn=Directory Manager"
> >>       password = **********
> >>       basedn = "ou=People, dc=blah, dc=cl"
> >>       filter = "(&(uid=%u)(attribute=2))"
> >>       authtype = ldap
> >>       set_auth_type = yes
> >>   }
> >>   ....
> >>   authorize {
> >>       files
> >>       Autz-Type LDAPVPN1 {
> >>           vpnldap1
> >>       }
> >>       Autz-Type LDAPVPN2 {
> >>           vpnldap2
> >>       }
> >>   }
> >>   ....
> >>   authenticate {
> >>       Auth-Type LDAPVPN1 {
> >>           vpnldap1
> >>       }
> >>       Auth-Type LDAPVPN2 {
> >>           vpnldap2
> >>       }
> >>   }
> >>   ....
> >>   ippool vpnusers1 {
> >>       range-start = 10.0.0.10
> >>       range-stop = 10.0.0.19
> >>       netmask = 255.255.255.0
> >>       cache-size = 10
> >>       session-db = ${raddbdir}/db.vpnusers1-session
> >>       ip-index = ${raddbdir}/db.vpnusers1-index
> >>       override = yes
> >>   }
> >>   ....
> >>   ippool vpnusers2 {
> >>       range-start = 10.0.0.20
> >>       range-stop = 10.0.0.29
> >>       netmask = 255.255.255.0
> >>       cache-size = 10
> >>       session-db = ${raddbdir}/db.vpnusers2-session
> >>       ip-index = ${raddbdir}/db.vpnusers2-index
> >>       override = yes
> >>   }
> >>   ....
> >>
> >> In the users file...
> >> (I don't know how to configure this file for several "ippools"... I
> >> think that here's the problem)
> >>
> >>   DEFAULT NAS-IP-Address == "y.y.y.y", Auth-Type := LDAPVPN1, Autz-Type := LDAPVPN1, Pool-Name := vpnusers1
> >>   DEFAULT NAS-IP-Address == "y.y.y.y", Auth-Type := LDAPVPN2, Autz-Type := LDAPVPN2, Pool-Name := vpnusers2
> >>   # y.y.y.y = address of VPN Server
> >>
> >>
> >> In the ldap.attrmap...
> >>   checkItem vpnusers1 attribute
> >>   checkItem vpnusers2 attribute
> >>
> >> Please, help me with this config.
> >>
> >> Thank you...
> >>
> >> Osvaldo H. Campos Molina
> >> Network Administrator
> >> STI - Univ. de Chile
> >>
> >> -
> >> List info/subscribe/unsubscribe? See
> >> http://www.freeradius.org/list/users.html
> >>
> >
> >
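The concern Osvaldo raises (a user who learns another Cisco group's password gets that group's address pool) goes away if the pool is chosen on the RADIUS server from the directory attribute rather than from the VPN group the client presents. The following is an added configuration example, not from any post in this thread and not FreeRADIUS project code. It assumes FreeRADIUS 2.x (the unlang `if`/`update` syntax and `sites-enabled/default` layout are 2.x features; the 1.x `radiusd.conf` style in Osvaldo's post has no unlang), a hypothetical LDAP attribute `vpnProfile` holding 1 or 2, and placeholder server, bind credentials and base DN. `Tmp-Integer-0` is a scratch attribute from FreeRADIUS's internal dictionary, so no dictionary change is needed.

```conf
# --- raddb/ldap.attrmap -------------------------------------------------
# Copy the directory attribute that encodes the user's type (assumed name:
# vpnProfile, values 1 or 2) into the control list as Tmp-Integer-0.
checkItem       Tmp-Integer-0           vpnProfile

# --- raddb/modules/ldap ---------------------------------------------------
ldap {
        server = "ldap.example.cl"                      # placeholder
        identity = "cn=Directory Manager"
        password = "change-me"                          # placeholder
        basedn = "ou=People,dc=example,dc=cl"           # placeholder
        # one filter for everybody: the profile is read as an attribute,
        # not encoded in two separate module instances
        filter = "(uid=%{%{Stripped-User-Name}:-%{User-Name}})"
        set_auth_type = yes
        dictionary_mapping = ${confdir}/ldap.attrmap
}

# --- raddb/modules/ippool -------------------------------------------------
# Same ranges as in the original post; each instance only hands out an
# address when control:Pool-Name equals its own instance name.
ippool vpnusers1 {
        range-start = 10.0.0.10
        range-stop = 10.0.0.19
        netmask = 255.255.255.0
        cache-size = 10
        session-db = ${raddbdir}/db.vpnusers1-session
        ip-index = ${raddbdir}/db.vpnusers1-index
        override = yes
}
ippool vpnusers2 {
        range-start = 10.0.0.20
        range-stop = 10.0.0.29
        netmask = 255.255.255.0
        cache-size = 10
        session-db = ${raddbdir}/db.vpnusers2-session
        ip-index = ${raddbdir}/db.vpnusers2-index
        override = yes
}

# --- raddb/sites-enabled/default ------------------------------------------
authorize {
        preprocess
        # looks the user up, sets Auth-Type := LDAP (set_auth_type) and, via
        # the attrmap, control:Tmp-Integer-0; a missing entry leaves it unset
        ldap
        if (control:Tmp-Integer-0 == 1) {
                update control {
                        Pool-Name := "vpnusers1"
                }
        }
        elsif (control:Tmp-Integer-0 == 2) {
                update control {
                        Pool-Name := "vpnusers2"
                }
        }
        else {
                # fail closed: no known profile in the directory means no
                # address from either pool, instead of a default one
                reject
        }
}

authenticate {
        Auth-Type LDAP {
                ldap
        }
}

post-auth {
        # both instances run; the one whose name matches Pool-Name allocates
        vpnusers1
        vpnusers2
}

accounting {
        # release the lease on Accounting-Stop
        vpnusers1
        vpnusers2
}
```

The Cisco concentrator's group password then only decides whether the request reaches RADIUS at all; which subnet the user lands in is fixed by the directory entry the user cannot choose. If the directory attribute can simply hold the pool name itself (e.g. the literal string `vpnusers1`), the unlang block is unnecessary and a single `checkItem Pool-Name vpnPoolName` line in `ldap.attrmap` does the same job, which also works on FreeRADIUS 1.x. Run `radiusd -X` and check the debug output for the `Pool-Name` assignment and the `ippool` module's allocation line when testing.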

