How to configure radius based on the isakmp group profile
Hi,

My Cisco sends to RADIUS its IP address and isakmp-group-id (or profile name).

Debug from radius -X:

    Cisco-AVPair = isakmp-group-id=CiscoGroup
    Acct-Session-Id = 61286
    User-Name = domain\\user
    Cisco-AVPair = connect-progress=No Progress
    Acct-Authentic = Local
    Acct-Status-Type = Start
    NAS-Port-Type = Virtual
    NAS-Port = 20
    NAS-IP-Address = 10.1.1.1

How should I configure FreeRADIUS to accept requests for this group (isakmp-group-id=CiscoGroup) only for users that are authenticated against Auth-Type := ntlm_auth_vpn_osw (already used and working)?

However, other groups (or profiles) should be authenticated against Auth-Type := vpn_auth_name

I tried these settings in the users file but it doesn't work:

    DEFAULT Auth-Type := ntlm_auth_vpn_osw, NAS-IP-Address == 10.1.1.1, Cisco-AVPair == CiscoGroup
            Service-Type = Framed-User,
            Framed-Protocol = PPP,

    DEFAULT Auth-Type := vpn_auth_name
            Service-Type = Framed-User,
            Framed-Protocol = PPP,

Thanks
pet

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: How to configure radius based on the isakmp group profile
You're assuming FreeRADIUS will magically strip off the 'isakmp-group-id=' part of the value...

AVPairs are Cisco's own invention; they are not part of the RADIUS standard. It's difficult to do because the order of AVPairs sometimes changes and the == operator will only check the first instance of the attribute.

If you care about it being reliable between Cisco NAS upgrade to 3.0x and I'll send you some unlang policies that deal with Cisco-AVPairs properly.

If you don't, you can use the following...

    authorize {
        # Comment out files
        # files

        # Insert at the end of the authorize section
        update request {
            Auth-Type := %{control:Auth-Type}
        }
    }

    post-auth {
        # Add
        files.authorize
    }

In the users file change

    Auth-Type := ntlm_auth_vpn_osw, NAS-IP-Address == 10.1.1.1, Cisco-AVPair == CiscoGroup

to

    Auth-Type == ntlm_auth_vpn_osw, NAS-IP-Address == 10.1.1.1, Cisco-AVPair == isakmp-group-id=CiscoGroup

-Arran

On 27 Jul 2011, at 09:52, Jevos, Peter wrote:

> Hi,
>
> My Cisco sends to RADIUS its IP address and isakmp-group-id (or profile name).
>
> Debug from radius -X:
>
>     Cisco-AVPair = isakmp-group-id=CiscoGroup
>     Acct-Session-Id = 61286
>     User-Name = domain\\user
>     Cisco-AVPair = connect-progress=No Progress
>     Acct-Authentic = Local
>     Acct-Status-Type = Start
>     NAS-Port-Type = Virtual
>     NAS-Port = 20
>     NAS-IP-Address = 10.1.1.1
>
> How should I configure FreeRADIUS to accept requests for this group (isakmp-group-id=CiscoGroup) only for users that are authenticated against Auth-Type := ntlm_auth_vpn_osw (already used and working)?
>
> However, other groups (or profiles) should be authenticated against Auth-Type := vpn_auth_name
>
> I tried these settings in the users file but it doesn't work:
>
>     DEFAULT Auth-Type := ntlm_auth_vpn_osw, NAS-IP-Address == 10.1.1.1, Cisco-AVPair == CiscoGroup
>             Service-Type = Framed-User,
>             Framed-Protocol = PPP,
>
>     DEFAULT Auth-Type := vpn_auth_name
>             Service-Type = Framed-User,
>             Framed-Protocol = PPP,
>
> Thanks
> pet

Arran Cudbard-Bell
a.cudba...@freeradius.org
RADIUS - Half the complexity of Diameter
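The ordering problem described in the reply above, modelled outside FreeRADIUS as an added example (it is not code from the thread or from the FreeRADIUS project): `first_instance_equals` compares only the first Cisco-AVPair, while `select_auth_type` scans every instance and matches the group exactly. The function names, the reordered second dump and the refusal to choose when group ids conflict are assumptions made for illustration.

```python
# Constructed sample input in `radiusd -X` style, based on the attributes in the thread.
DUMP_A = """\
Cisco-AVPair = isakmp-group-id=CiscoGroup
Acct-Session-Id = 61286
Cisco-AVPair = connect-progress=No Progress
NAS-IP-Address = 10.1.1.1
"""
# Constructed: same attributes with the two Cisco-AVPair instances in the other order.
DUMP_B = """\
Cisco-AVPair = connect-progress=No Progress
Cisco-AVPair = isakmp-group-id=CiscoGroup
NAS-IP-Address = 10.1.1.1
"""

def parse_dump(text):
    """Return [(attribute, value), ...] in order, splitting on the first ' = ' only."""
    pairs = []
    for line in text.splitlines():
        name, sep, value = line.strip().partition(" = ")
        if sep:
            pairs.append((name, value))
    return pairs

def first_instance_equals(pairs, attr, wanted):
    """Model of the behaviour described in the reply: only the first instance is compared."""
    for name, value in pairs:
        if name == attr:
            return value == wanted
    return False

def avpair_values(pairs, key):
    """All values of Cisco-AVPair instances of the form key=value, in any position."""
    found = []
    for name, value in pairs:
        k, sep, v = value.partition("=")
        if name == "Cisco-AVPair" and sep and k == key:
            found.append(v)
    return found

def select_auth_type(pairs, nas_ip="10.1.1.1", group="CiscoGroup"):
    """Pick the Auth-Type name from the thread; None means 'do not decide' (assumed policy)."""
    groups = set(avpair_values(pairs, "isakmp-group-id"))
    if len(groups) > 1:
        return None  # conflicting group ids in one request: refuse to choose
    nas_ok = ("NAS-IP-Address", nas_ip) in pairs
    if nas_ok and groups == {group}:  # exact match, not substring or prefix
        return "ntlm_auth_vpn_osw"
    return "vpn_auth_name"
```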
How to configure radius based on the isakmp group profile
Sorry, I made a mistake in the email.

My Cisco sends to RADIUS its IP address and isakmp-group-id (or profile name).

Debug from radius -X:

    Cisco-AVPair = isakmp-group-id=CiscoGroup
    Acct-Session-Id = 61286
    User-Name = domain\\user
    Cisco-AVPair = connect-progress=No Progress
    Acct-Authentic = Local
    Acct-Status-Type = Start
    NAS-Port-Type = Virtual
    NAS-Port = 20
    NAS-IP-Address = 10.1.1.1

How should I configure FreeRADIUS to accept requests for this group (isakmp-group-id=CiscoGroup) only for users that are authenticated against Auth-Type := ntlm_auth_vpn_osw (already used and working)?

However, other groups (or profiles) should be authenticated against Auth-Type := vpn_auth_name

I tried these settings in the users file but it doesn't work:

    DEFAULT Auth-Type := ntlm_auth_vpn_osw, NAS-IP-Address == 10.1.1.1, Cisco-AVPair == isakmp-group-id=CiscoGroup
            Service-Type = Framed-User,
            Framed-Protocol = PPP,

    DEFAULT Auth-Type := vpn_auth_name
            Service-Type = Framed-User,
            Framed-Protocol = PPP,

Thanks
pet