Just wanted to let you all know that I got it working with your instructions.
In the end I realized that there were multiple groups associated with each user
and that such a lookup wasn't gonna work anyway. I created single user entries
like this in the users file:
user1   Cleartext-Password := "userpassword"
        Service-Type = NAS-Prompt-User,
        cisco-avpair = "webvpn:user-vpn-group=management"
The user has to be active in the OpenDirectory as well for this to work, but
this is desired behaviour in my configuration anyway. Now the avpair gets
pushed to the Cisco router and used to select the correct policy in the WebVPN
context. I'm gonna write a blog post on my full setup on
http://edgetechnology.wordpress.com that explains the full setup for those
interested.
Thank you all for your help.
Sander
On 24 sep 2010, at 12:00, [email protected] wrote:
> Date: Fri, 24 Sep 2010 09:04:34 +0200
> From: Sander van Loosbroek <[email protected]>
> Subject: Re: Freeradius-Users Digest, Vol 65, Issue 105
> To: [email protected]
> Message-ID: <[email protected]>
> Content-Type: text/plain; charset=us-ascii
>
> What I'm trying to do is retrieve the user group from the OpenDirectory
> instead of setting a static one. There is only one NAS and the Mac OS X
> Server runs a standalone OpenDirectory Master so I don't need any huntgroups
> then?
>
> On 24 sep 2010, at 05:42, [email protected] wrote:
>
>> Date: Fri, 24 Sep 2010 08:02:38 +1200
>> From: Peter Lambrechtsen <[email protected]>
>> Subject: Re: Pushing group attribute from OpenDirectory to Cisco
>> To: FreeRadius users mailing list
>> <[email protected]>
>> Message-ID:
>> <[email protected]>
>> Content-Type: text/plain; charset="iso-8859-1"
>>
>> In the "users" file is where you specify the reply attributes in my example.
>>
>> So using your example:
>>
>> DEFAULT Huntgroup-Name == CiscoVPN, Ldap-Group == "cn=CiscoVPN,ou=Roles,ou=Radius,DC=ACME,DC=COM"
>>         Service-Type = "NAS-Prompt-User",
>>         Idle-Timeout = 600,
>>         Cisco-AVPair = "webvpn:user-vpn-group=whatevervpngroupyouwanttoaddtheuserto"
>>
>> Then you can either use the huntgroup file and set the IP addresses of the
>> Routers (NAS's) you're using: http://wiki.freeradius.org/Huntgroups
>>
>> Or you can have the Huntgroups in ldap as per my e-mail, and that would be
>> if you have a more dynamic environment or want to move the NAS between
>> different huntgroups easily.
>>
>> On Fri, Sep 24, 2010 at 2:03 AM, Sander van Loosbroek <
>> [email protected]> wrote:
>>
>>> Hello Peter and Alan,
>>>
>>> Thank you for your reply. I've given the documentation of Peter a look but
>>> I'm not that familiar with LDAP or how its underpinnings work in OS X
>>> Server.
>>>
>>> When the Cisco router now authenticates against the FreeRADIUS server all
>>> works fine except for the fact that the group name is not returned with the
>>> webvpn:vpn-user-group attribute. What is unclear to me is how I instruct
>>> FreeRADIUS to include that attribute when it returns the authorization
>>> message. I have made the following addition to my clients file:
>>>
>>> client 192.168.13.1/32 {
>>>         secret = xxx
>>>         shortname = vpn
>>>         nastype = cisco
>>> }
>>>
>>> I have added a policy to the Cisco router to pick up the attribute but it
>>> doesn't seem to get through. Can you suggest what to try next?
>>>
>>> Thanks,
>>> Sander
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
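As an added illustration (not code from the thread or from FreeRADIUS itself), the Python script below parses the two users-file entries posted above and shows which reply attributes, Cisco-AVPair included, a first-match-wins lookup in the style of rlm_files would hand back for a given request. It assumes Huntgroup-Name and Ldap-Group are already present as request attributes (the real server derives them from the huntgroups file and an LDAP group lookup) and ignores Fall-Through; the sample users file is constructed for this example.

```python
import re
# Constructed sample in FreeRADIUS "users" syntax: the per-user entry and the DEFAULT entry from the thread.
USERS_FILE = '''
user1   Cleartext-Password := "userpassword"
        Service-Type = NAS-Prompt-User,
        cisco-avpair = "webvpn:user-vpn-group=management"

DEFAULT Huntgroup-Name == CiscoVPN, Ldap-Group == "cn=CiscoVPN,ou=Roles,ou=Radius,DC=ACME,DC=COM"
        Service-Type = "NAS-Prompt-User",
        Idle-Timeout = 600,
        Cisco-AVPair = "webvpn:user-vpn-group=whatevervpngroupyouwanttoaddtheuserto"
'''
# attribute, operator, value; a quoted value may contain commas (the LDAP DN does)
ITEM_RE = re.compile(r'\s*([\w-]+)\s*(==|:=|=)\s*("[^"]*"|[^,]+)\s*,?')

def parse_items(text):
    """Attribute names are case-insensitive in FreeRADIUS, so normalise them to lowercase."""
    return [(a.lower(), op, v.strip().strip('"')) for a, op, v in ITEM_RE.findall(text)]

def parse_users(text):
    """Unindented lines start an entry (name + check items); indented lines hold reply items."""
    entries = []
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith('#'):
            continue
        if line[0].isspace():
            entries[-1]['reply'].extend(parse_items(line))
        else:
            name, _, rest = line.partition(' ')
            entries.append({'name': name, 'check': parse_items(rest), 'reply': []})
    return entries

def authorize(entries, request):
    """First matching entry wins (no Fall-Through): '==' items are compared with the request,
    ':=' items such as Cleartext-Password are set in the control list for the later password
    check. Simplification: Huntgroup-Name and Ldap-Group are taken from the request dict."""
    req = {k.lower(): str(v) for k, v in request.items()}
    for e in entries:
        if e['name'] != 'DEFAULT' and e['name'].lower() != req.get('user-name', '').lower():
            continue
        control = {}
        for attr, op, val in e['check']:
            if op == ':=':
                control[attr] = val
            elif req.get(attr) != val:
                break
        else:
            return e['name'], control, {a: v for a, _, v in e['reply']}
    return None, {}, {}  # nothing matched: no reply items, so the NAS sees no Cisco-AVPair
```

A request for a user that matches neither entry (for example, no Huntgroup-Name because the NAS is not in the huntgroups file) returns no reply items at all, which is exactly the "group name is not returned" symptom from the thread.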