What I'm trying to do is retrieve the user group from the OpenDirectory instead of setting a static one. There is only one NAS and the Mac OS X Server runs a standalone OpenDirectory Master so I don't need any huntgroups then?
On 24 Sep 2010, at 05:42, freeradius-users-requ...@lists.freeradius.org wrote:

> Date: Fri, 24 Sep 2010 08:02:38 +1200
> From: Peter Lambrechtsen <plambrecht...@gmail.com>
> Subject: Re: Pushing group attribute from OpenDirectory to Cisco
> To: FreeRadius users mailing list <freeradius-users@lists.freeradius.org>
> Message-ID: <aanlktik16nrmbb1omrvwcfuhtfknledywvpfs5fyd...@mail.gmail.com>
> Content-Type: text/plain; charset="iso-8859-1"
>
> In the "users" file is where you specify the reply attributes in my example.
>
> So using your example:
>
> DEFAULT Huntgroup-Name == CiscoVPN, Ldap-Group == "cn=CiscoVPN,ou=Roles,ou=Radius,DC=ACME,DC=COM"
>         Service-Type = "NAS-Prompt-User",
>         Idle-Timeout = 600,
>         Cisco-AVPair = "webvpn:user-vpn-group=whatevervpngroupyouwanttoaddtheuserto"
>
> Then you can either use the huntgroup file and set the IP addresses of the
> Routers (NAS's) you're using: http://wiki.freeradius.org/Huntgroups
>
> Or you can have the Huntgroups in ldap as per my e-mail, and that would be
> if you have a more dynamic environment or want to move the NAS between
> different huntgroups easily.
>
> On Fri, Sep 24, 2010 at 2:03 AM, Sander van Loosbroek <san...@vanloosbroek.com> wrote:
>
>> Hello Peter and Alan,
>>
>> Thank you for your reply. I've given the documentation of Peter a look but
>> I'm not that familiar with LDAP or how its underpinnings work in OS X
>> Server.
>>
>> When the Cisco router now authenticates against the FreeRADIUS server all
>> works fine except for the fact that the group name is not returned with the
>> webvpn:vpn-user-group attribute. What is unclear to me is how I instruct
>> FreeRADIUS to include that attribute when it returns the authorization
>> message. I have made the following addition to my clients file:
>>
>> client 192.168.13.1/32 {
>>         secret = xxx
>>         shortname = vpn
>>         nastype = cisco
>> }
>>
>> I have added a policy to the Cisco router to pick up the attribute but it
>> doesn't seem to get through. Can you suggest what to try next?
>>
>> Thanks,
>> Sander
>> -
>> List info/subscribe/unsubscribe? See
>> http://www.freeradius.org/list/users.html
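As an added example (not code from this thread or from FreeRADIUS itself), the toy Python evaluator below models the check-item semantics of a "users" file entry and shows what happens to the quoted DEFAULT entry on a single NAS where no huntgroup is assigned: the Huntgroup-Name check finds no attribute and the entry does not match, while an entry keyed only on the directory group does. The Open Directory group DN, the simulated ldap-module group lookup and the reply values are assumptions.

```python
# Added example (not from the thread or from FreeRADIUS): a toy evaluator for
# 'users'-file entries. Only the semantics needed here are modelled: every check
# on the first line must match, and "Ldap-Group" in the request stands for the
# list of group DNs a simulated ldap module found for the user.
import re

ITEM_RE = re.compile(r'([\w-]+)\s*(==|!=|:=|=)\s*("[^"]*"|[^,\s]+)')

# Constructed sample file: the first entry is the one quoted in the thread, the
# second drops the Huntgroup-Name check and uses a hypothetical OD group DN.
USERS_FILE = """\
DEFAULT Huntgroup-Name == CiscoVPN, Ldap-Group == "cn=CiscoVPN,ou=Roles,ou=Radius,DC=ACME,DC=COM"
    Service-Type = "NAS-Prompt-User",
    Idle-Timeout = 600,
    Cisco-AVPair = "webvpn:user-vpn-group=acme-vpn"

DEFAULT Ldap-Group == "cn=vpnusers,cn=groups,dc=example,dc=local"
    Service-Type = "NAS-Prompt-User",
    Cisco-AVPair = "webvpn:user-vpn-group=od-vpn"
"""

def parse_users(text):
    """Return [(name, check_items, reply_items)]; items are (attr, op, value)."""
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        items = [(a, op, v.strip('"')) for a, op, v in ITEM_RE.findall(line)]
        if line[0] in " \t":      # indented continuation: reply items
            entries[-1][2].extend(items)
        else:                      # new entry: name followed by check items
            entries.append((line.split()[0], items, []))
    return entries

def check_matches(item, request):
    """'==' needs the value present in the request, '!=' needs it absent;
    '=' and ':=' are assignments and never fail a check."""
    attr, op, value = item
    have = request.get(attr, [])
    present = value in (have if isinstance(have, list) else [have])
    return present if op == "==" else (not present if op == "!=" else True)

def authorize(entries, request):
    """First matching entry wins (no Fall-Through), as in the real file."""
    for name, checks, reply in entries:
        if name != "DEFAULT" and name != request.get("User-Name"):
            continue
        if all(check_matches(c, request) for c in checks):
            return {a: v for a, _, v in reply}
    return {}
```

With no huntgroups configured, nothing adds Huntgroup-Name to the request, so the first entry is skipped and only the group-only entry can return the Cisco-AVPair.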