Anybody do/did this?

Especially, how to send back Radius attribute 25 (user group) from a specific LDAP attribute to the Cisco VPN 3k through FreeRadius?

My conf:

1. clients.conf:
client 10.0.0.0/8 {
       secret      = test
       shortname   = my-network
}

2. dictionary:
ATTRIBUTE       CVPN-3k-Groups          25      string

3. ldap.attrmap:
replyItem       CVPN-3k-Groups                  ou

4. radiusd.conf:
ldap {
               server = "10.1.1.1"
               identity = "cn=radadmin,ou=roles,dc=compagnie,dc=fr"
               password = radadmin
               basedn = "dc=compagnie,dc=fr"
               filter = "(uid=%{Stripped-User-Name:-%{User-Name}})"

# set this to 'yes' to use TLS encrypted connections
# to the LDAP database by using the StartTLS extended
# operation.
# The StartTLS operation is supposed to be used with normal
# ldap connections instead of using ldaps (port 689) connections
start_tls = no


               # default_profile = "cn=radprofile,ou=dialup,o=My Org,c=UA"
               # profile_attribute = "radiusProfileDn"
               # access_attr = "dialupAccess"

               # Mapping of RADIUS dictionary attributes to LDAP
               # directory attributes.
               dictionary_mapping = ${raddbdir}/ldap.attrmap

ldap_connections_number = 5
# password_header = "{clear}"
# password_attribute = userPassword
password_attribute = auth-password
# groupname_attribute = cn
# groupmembership_filter = "(|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn})))"
# groupmembership_attribute = radiusGroupName
timeout = 4
timelimit = 3
net_timeout = 1
# compare_check_items = yes
# access_attr_used_for_allow = yes
}


5. users:
DEFAULT Auth-Type := LDAP
       Fall-Through = 1


Note that authentication works, but
a) when I add an additional Radius attribute:
Vendor-Specific=CVPN-3k-Groups
on my NTradping client, I've got the following error on FreeRadius :
WARNING: Malformed RADIUS packet from host 10.22.15.16: Vendor specific attributes do not exactly fill Vendor-Specific


b) when I add an additional Radius attribute:
CVPN-3k-Groups=
on my NTradping client, authentication succeeds but nothing is replied by the freeradius server.



Thanks, Patrice
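
Added example, not part of the original post: a Python check of a Vendor-Specific (type 26) value against the vendor-id plus type/length sub-attribute layout recommended by RFC 2865, showing the condition the "do not exactly fill Vendor-Specific" warning describes. It assumes the test client placed the literal text CVPN-3k-Groups in the value field; the vendor id 32473 (the IANA documentation enterprise number), the sub-attribute type 1 and the group name "staff" are constructed sample values.

```python
import struct

EXAMPLE_VENDOR_ID = 32473  # IANA enterprise number reserved for documentation


def parse_vsa(value: bytes):
    """Parse a Vendor-Specific value: 4-byte vendor id, then type/length/value
    sub-attributes. Raises ValueError when they do not exactly fill the value."""
    if len(value) < 6:
        raise ValueError("too short for a vendor id plus one sub-attribute")
    (vendor_id,) = struct.unpack("!I", value[:4])
    subs, pos = [], 4
    while pos < len(value):
        if len(value) - pos < 2:
            raise ValueError("trailing byte after the last sub-attribute")
        sub_type, sub_len = value[pos], value[pos + 1]
        # The sub-attribute length counts its own 2-byte header.
        if sub_len < 2 or pos + sub_len > len(value):
            raise ValueError(
                f"sub-attribute {sub_type} claims {sub_len} bytes, "
                f"{len(value) - pos} remain: does not exactly fill Vendor-Specific"
            )
        subs.append((sub_type, value[pos + 2:pos + sub_len]))
        pos += sub_len
    return vendor_id, subs


def build_vsa(vendor_id: int, sub_type: int, data: bytes) -> bytes:
    """Build a well-formed Vendor-Specific value with one sub-attribute."""
    return struct.pack("!IBB", vendor_id, sub_type, len(data) + 2) + data


def check(value: bytes):
    """Return ("ok", parsed) or ("malformed", reason) for a VSA value."""
    try:
        return ("ok", parse_vsa(value))
    except ValueError as exc:
        return ("malformed", str(exc))


if __name__ == "__main__":
    # Literal text as the value: "CVPN" is read as the vendor id, "-" as the
    # sub-attribute type and "3" (0x33 = 51) as a length that cannot fit.
    print(check(b"CVPN-3k-Groups"))
    # Constructed well-formed value carrying a group name.
    print(check(build_vsa(EXAMPLE_VENDOR_ID, 1, b"staff")))
```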
