Hi folks,
Currently I have a Cisco BAS terminating broadband customers. Most of
our customers would have their PPP connection terminate on the BAS, but
I would like to forward customers who specify a specific realm onto
another BAS for another ISP. My customers are authenticated using
CHAP off an LDAP server.
I'm trying to configure Free Radius to supply the correct attributes for
tunnels.
I currently have the following config in users:
DEFAULT REALM == "realm", Auth-Type := Accept
	Service-Type = Outbound-User,
	Tunnel-Type:1 = L2TP,
	Tunnel-Medium-Type:1 = IP,
	Tunnel-Client-Auth-Id:1 = "DSLIP",
	Tunnel-Server-Endpoint:1 = "xxx.xxx.xxx.xxx",
	Tunnel-Password:1 = "bookmark",
	Fall-Through = No
If I query [EMAIL PROTECTED], I get the correct attributes back. However, if
I query [EMAIL PROTECTED], where user2 has an LDAP entry, I get the following back:
[EMAIL PROTECTED] doc]$ radtest [EMAIL PROTECTED] randomstring xxx.xxx.xxx.xxx 0 key
Sending Access-Request of id 104 to xxx.xxx.xxx.xxx:1812
	User-Name = "[EMAIL PROTECTED]"
	User-Password = "garbage"
	NAS-IP-Address = xxx.xxx.xxx.xxx
	NAS-Port = 0
rad_recv: Access-Accept packet from host xxx.xxx.xxx.xxx:1812, id=104, length=101
	Tunnel-Type:1 = L2TP
	Tunnel-Medium-Type:1 = IP
	Tunnel-Client-Auth-Id:1 = "DSLIP"
	Tunnel-Server-Endpoint:1 = "xxx.xxx.xxx.xxx"
	Tunnel-Password:1 = "bookmark"
	Framed-IP-Netmask = 255.255.255.255
	Framed-IP-Address = xxx.xxx.xxx.xxx
	Framed-Protocol = PPP
	Service-Type = Framed-User
I'm pretty certain the Cisco will not do what I want it to with the Framed-User
attribute. In any case, my question: how do I ensure it's just tunnel property
configs that are returned for this realm even if the username exists in the NULL
realm? Am I looking at Autz-Type, or something else?
Thanks,
Thomas Bridge
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
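A check for the situation the post describes, added here as an example and not part of the original message: it parses a radtest reply and reports which attributes are not among the tunnel attributes the DEFAULT REALM entry is meant to return. The sample output and the user name `user2@realm` are constructed from the post, with the IPs masked as they are there.

```python
import re

# Constructed from the users entry in the post: the only attributes the
# DEFAULT REALM entry should hand back for a tunnelled realm (Fall-Through
# is a users-file control item, not a reply attribute, so it is left out).
EXPECTED_TUNNEL_REPLY = {
    "Service-Type": "Outbound-User",
    "Tunnel-Type:1": "L2TP",
    "Tunnel-Medium-Type:1": "IP",
    "Tunnel-Client-Auth-Id:1": "DSLIP",
    "Tunnel-Server-Endpoint:1": "IP_PLACEHOLDER",
    "Tunnel-Password:1": "bookmark",
}

# Constructed sample: the Access-Accept shown in the post, IPs masked.
SAMPLE_RADTEST_OUTPUT = """\
Sending Access-Request of id 104 to IP_PLACEHOLDER:1812
        User-Name = "user2@realm"
rad_recv: Access-Accept packet from host IP_PLACEHOLDER:1812, id=104, length=101
        Tunnel-Type:1 = L2TP
        Tunnel-Medium-Type:1 = IP
        Tunnel-Client-Auth-Id:1 = "DSLIP"
        Tunnel-Server-Endpoint:1 = "IP_PLACEHOLDER"
        Tunnel-Password:1 = "bookmark"
        Framed-IP-Netmask = 255.255.255.255
        Framed-IP-Address = IP_PLACEHOLDER
        Framed-Protocol = PPP
        Service-Type = Framed-User
"""

# Matches 'Attr[:tag] = value' with or without quotes around the value.
ATTR_RE = re.compile(r'^\s*([\w:-]+)\s*=\s*"?([^"]*?)"?\s*$')

def parse_reply(output):
    """Return {attribute: value} for the lines after the rad_recv header."""
    reply, in_reply = {}, False
    for line in output.splitlines():
        if line.startswith("rad_recv:"):
            in_reply = True      # request attributes above this line are ignored
            continue
        m = ATTR_RE.match(line) if in_reply else None
        if m:
            reply[m.group(1)] = m.group(2)
    return reply

def audit_tunnel_reply(output, expected=EXPECTED_TUNNEL_REPLY):
    """Return (unexpected, missing, conflicting) attribute names, each sorted."""
    reply = parse_reply(output)
    unexpected = sorted(a for a in reply if a not in expected)
    missing = sorted(a for a in expected if a not in reply)
    conflicting = sorted(a for a in expected if a in reply and reply[a] != expected[a])
    return unexpected, missing, conflicting
```

For the reply in the post this flags the three Framed-* attributes as unexpected and Service-Type as conflicting (Framed-User instead of Outbound-User), which is exactly the set a tunnelled realm should not be receiving.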