How to configure radius based on the isakmp group profile

2011-07-27 Thread Jevos, Peter
Hi,
My Cisco sends its IP address and the isakmp-group-id (or profile name) to RADIUS.
Debug from radius -X:

Cisco-AVPair = isakmp-group-id=CiscoGroup
Acct-Session-Id = 61286
User-Name = domain\\user
Cisco-AVPair = connect-progress=No Progress
Acct-Authentic = Local
Acct-Status-Type = Start
NAS-Port-Type = Virtual
NAS-Port = 20
NAS-IP-Address = 10.1.1.1

How should I configure freeradius to accept requests for this group (isakmp-group-id=CiscoGroup) only for users that are authenticated against Auth-Type := ntlm_auth_vpn_osw (already used and working)?
However, other groups (or profiles) should be authenticated against Auth-Type := vpn_auth_name.
I tried these settings in the users file, but it doesn't work:

DEFAULT  Auth-Type := ntlm_auth_vpn_osw, NAS-IP-Address == 10.1.1.1, Cisco-AVPair == CiscoGroup
    Service-Type = Framed-User,
    Framed-Protocol = PPP,

DEFAULT  Auth-Type := vpn_auth_name
    Service-Type = Framed-User,
    Framed-Protocol = PPP,

Thanks

pet
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: How to configure radius based on the isakmp group profile

2011-07-27 Thread Arran Cudbard-Bell
You're assuming FreeRADIUS will magically strip off the 'isakmp-group-id=' part of the value... AVPairs are Cisco's own invention; they are not part of the RADIUS standard.

It's difficult to do because the order of AVPairs sometimes changes and the == operator will only check the first instance of the attribute.

If you care about it being reliable between Cisco NAS upgrades, upgrade to 3.0x and I'll send you some unlang policies that deal with Cisco-AVPairs properly. If you don't, you can use the following...

authorize {
    # Comment out files
    # files
    # Insert at the end of the authorize section
    update request {
        Auth-Type := %{control:Auth-Type}
    }
}

post-auth {
    # Add
    files.authorize
}

In the users file change

Auth-Type := ntlm_auth_vpn_osw, NAS-IP-Address == 10.1.1.1, Cisco-AVPair == CiscoGroup

to

Auth-Type == ntlm_auth_vpn_osw, NAS-IP-Address == 10.1.1.1, Cisco-AVPair == isakmp-group-id=CiscoGroup

-Arran

On 27 Jul 2011, at 09:52, Jevos, Peter wrote:

> Hi,
> My Cisco sends its IP address and the isakmp-group-id (or profile name) to RADIUS.
> Debug from radius -X:
>
> Cisco-AVPair = isakmp-group-id=CiscoGroup
> Acct-Session-Id = 61286
> User-Name = domain\\user
> Cisco-AVPair = connect-progress=No Progress
> Acct-Authentic = Local
> Acct-Status-Type = Start
> NAS-Port-Type = Virtual
> NAS-Port = 20
> NAS-IP-Address = 10.1.1.1
>
> How should I configure freeradius to accept requests for this group (isakmp-group-id=CiscoGroup) only for users that are authenticated against Auth-Type := ntlm_auth_vpn_osw (already used and working)?
> However, other groups (or profiles) should be authenticated against Auth-Type := vpn_auth_name.
> I tried these settings in the users file, but it doesn't work:
>
> DEFAULT  Auth-Type := ntlm_auth_vpn_osw, NAS-IP-Address == 10.1.1.1, Cisco-AVPair == CiscoGroup
>     Service-Type = Framed-User,
>     Framed-Protocol = PPP,
>
> DEFAULT  Auth-Type := vpn_auth_name
>     Service-Type = Framed-User,
>     Framed-Protocol = PPP,
>
> Thanks
>
> pet

Arran Cudbard-Bell
a.cudba...@freeradius.org

RADIUS - Half the complexity of Diameter

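The ordering problem Arran describes, modelled as an added Python example (not FreeRADIUS or unlang, and not either poster's configuration): it parses a debug dump into an ordered attribute list, shows that a check which only sees the first Cisco-AVPair picks the wrong Auth-Type as soon as the NAS emits the AVPairs in another order, and contrasts it with a check that splits every Cisco-AVPair into its key and value. The three sample dumps and all function names are constructed for this example.

```python
"""Model of the Cisco-AVPair matching problem from the thread.

Added illustration code (not FreeRADIUS, unlang, or either poster's config):
it emulates what a users-file `Cisco-AVPair == ...` check item effectively
compares versus a policy that examines every Cisco-AVPair instance.
Function names and the sample dumps are constructed for this example.
"""
from typing import Dict, List, Optional, Tuple

AttrList = List[Tuple[str, str]]

# Constructed sample shaped like the `radiusd -X` output in the thread.
GROUP_FIRST = r"""
Cisco-AVPair = isakmp-group-id=CiscoGroup
Acct-Session-Id = 61286
User-Name = domain\\user
Cisco-AVPair = connect-progress=No Progress
Acct-Authentic = Local
Acct-Status-Type = Start
NAS-Port-Type = Virtual
NAS-Port = 20
NAS-IP-Address = 10.1.1.1
"""

# Same request, but the NAS emitted the two AVPairs in the other order.
GROUP_SECOND = r"""
Cisco-AVPair = connect-progress=No Progress
Cisco-AVPair = isakmp-group-id=CiscoGroup
NAS-IP-Address = 10.1.1.1
User-Name = domain\\user
"""

# A different ISAKMP profile, which must fall through to vpn_auth_name.
OTHER_GROUP = r"""
Cisco-AVPair = isakmp-group-id=OtherGroup
NAS-IP-Address = 10.1.1.1
User-Name = domain\\user
"""


def parse_dump(text: str) -> AttrList:
    """Turn 'Attribute = value' debug lines into an ordered attribute list.
    Duplicates are kept: RADIUS allows the same attribute several times."""
    pairs: AttrList = []
    for line in text.splitlines():
        line = line.strip()
        if " = " not in line:
            continue
        attr, value = line.split(" = ", 1)
        pairs.append((attr.strip(), value.strip()))
    return pairs


def first_instance(pairs: AttrList, attr: str) -> Optional[str]:
    """What a users-file `Attr == value` check effectively compares:
    only the first instance of that attribute in the request."""
    for name, value in pairs:
        if name == attr:
            return value
    return None


def avpairs(pairs: AttrList) -> Dict[str, str]:
    """Split every Cisco-AVPair 'key=value' into a dict, whatever its position."""
    found: Dict[str, str] = {}
    for name, value in pairs:
        if name != "Cisco-AVPair":
            continue
        key, sep, val = value.partition("=")
        if sep:
            found[key.strip()] = val.strip()
    return found


def naive_auth_type(pairs: AttrList) -> str:
    """Emulates the posted users-file entry: == looks at the first Cisco-AVPair only."""
    if (first_instance(pairs, "NAS-IP-Address") == "10.1.1.1"
            and first_instance(pairs, "Cisco-AVPair") == "isakmp-group-id=CiscoGroup"):
        return "ntlm_auth_vpn_osw"
    return "vpn_auth_name"


def robust_auth_type(pairs: AttrList) -> str:
    """Checks every Cisco-AVPair, so the AVPair order no longer matters."""
    if (first_instance(pairs, "NAS-IP-Address") == "10.1.1.1"
            and avpairs(pairs).get("isakmp-group-id") == "CiscoGroup"):
        return "ntlm_auth_vpn_osw"
    return "vpn_auth_name"


if __name__ == "__main__":
    for label, dump in (("group first", GROUP_FIRST),
                        ("group second", GROUP_SECOND),
                        ("other group", OTHER_GROUP)):
        req = parse_dump(dump)
        print(f"{label:12s} naive={naive_auth_type(req):18s} robust={robust_auth_type(req)}")
```

Run as a script it prints both verdicts for each dump; only the "group second" case differs, which is exactly the reordering failure. The `avpairs` helper is the shape of the per-instance handling a proper unlang policy needs, not a replacement for one.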

How to configure radius based on the isakmp group profile

2011-07-27 Thread Jevos, Peter
Sorry, I made a mistake in the email.
My Cisco sends its IP address and the isakmp-group-id (or profile name) to RADIUS.
Debug from radius -X:

Cisco-AVPair = isakmp-group-id=CiscoGroup
Acct-Session-Id = 61286
User-Name = domain\\user
Cisco-AVPair = connect-progress=No Progress
Acct-Authentic = Local
Acct-Status-Type = Start
NAS-Port-Type = Virtual
NAS-Port = 20
NAS-IP-Address = 10.1.1.1

How should I configure freeradius to accept requests for this group (isakmp-group-id=CiscoGroup) only for users that are authenticated against Auth-Type := ntlm_auth_vpn_osw (already used and working)?
However, other groups (or profiles) should be authenticated against Auth-Type := vpn_auth_name.
I tried these settings in the users file, but it doesn't work:

DEFAULT  Auth-Type := ntlm_auth_vpn_osw, NAS-IP-Address == 10.1.1.1, Cisco-AVPair == isakmp-group-id=CiscoGroup
    Service-Type = Framed-User,
    Framed-Protocol = PPP,

DEFAULT  Auth-Type := vpn_auth_name
    Service-Type = Framed-User,
    Framed-Protocol = PPP,

Thanks

pet