On Wed, 1 Dec 2004, Juan Manuel García Carral wrote:

> Hi,
>
> I am currently running freeradius 0.8.1 with LDAP as backend. It works fine.
> I need to upgrade to a later version because I need some features regarding
> Autz.
>
> Certain users have some Cisco ACLs associated in the LDAP tree that are sent
> to the NAS via the Cisco-AVPair attribute. The ACLs have more than one line, so
> the attribute is multivalued. The attribute is stored in the LDAP entry as
> radiusVendorSpecific.
>
> This works fine for the 0.8.1 release, but when I tested the same
> configuration in releases 0.9.0 and 1.0.0 the radius only gives back the
> first value of the Cisco-AVPair. The ldap module still gets all the values,
> but freeradius chooses to ignore the rest.
>
> I read the mail archive and found similar problems in threads:
>
> "about duplicated attribute in freeradius"
> "Multiple cisco-avpair entries"
>
> which reference the use of the += operator. That works fine if you are
> adding the VSA attributes from the user files, but I am using the LDAP
> server.

You can do this in ldap too.  Just store the values in ldap like this.

radiusVendorSpecific: "+= ip:inacl#42=permit tcp any 200.x.c.0.0 0.0.0.255"


>
> Can you help me?
>
> Thanks a lot.
> J.M.
>
>
>
> rad_recv: Access-Request packet from host 200.x.y.z:36982, id=98, length=69
>         User-Name = "adslfilter2"
>         User-Password = "test123"
>         NAS-IP-Address = 10.252.8.6
>         NAS-Port = 10
>         Framed-Protocol = PPP
> rlm_ldap: - authorize
> rlm_ldap: performing user authorization for adslfilter2
> ldap_get_conn: Got Id: 0
> rlm_ldap: looking for check items in directory...
> rlm_ldap: looking for reply items in directory...
> rlm_ldap: Adding radiusVendorSpecific as Cisco-AVPair, value
> ip:inacl#40=permit tcp any 200.x.a.0 0.0.0.255 eq 25 & op=11
> rlm_ldap: Adding radiusVendorSpecific as Cisco-AVPair, value
> ip:inacl#41=permit tcp any 200.x.b.0 0.0.0.255 eq 25 & op=11
> rlm_ldap: Adding radiusVendorSpecific as Cisco-AVPair, value
> ip:inacl#42=permit tcp any 200.x.c.0.0 0.0.0.255 eq 25 & op=11
> rlm_ldap: Adding radiusVendorSpecific as Cisco-AVPair, value
> ip:inacl#50=permit udp any eq 53 any & op=11
> rlm_ldap: user adslfilter2 authorized to use remote access
> ldap_release_conn: Release Id: 0
> rlm_ldap: - authenticate
> rlm_ldap: login attempt by "adslfilter2" with password "test123"
> rlm_ldap: user DN: uid=adslfilter2,ou=organization,ou=users,o=host
> rlm_ldap: (re)connect to ldapserver.host.com.ar:389, authentication 1
> rlm_ldap: bind as uid=adslfilter2,ou=organization,ou=users,o=host/test123 to
> ldapserver.host.com.ar:389
> rlm_ldap: waiting for bind result ...
> rlm_ldap: user adslfilter2 authenticated succesfully
> Sending Access-Accept of id 98 to 200.x.y.z:36982
>         Service-Type = Framed-User
>         Framed-Protocol = PPP
>         Cisco-AVPair = "ip:inacl#40=permit tcp any 200.x.a.0 0.0.0.255 eq
> 25"
>
>

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
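As an added illustration (not code from the thread or from FreeRADIUS itself), a small Python model of the operator handling behind the behaviour discussed above: rlm_ldap reads an optional leading operator from each LDAP value (op=11 in the log is FreeRADIUS's token number for the plain "=" operator), and when the reply items are merged, "=" keeps only the first instance of an attribute while "+=" appends every instance. The token numbers follow FreeRADIUS's token table; the value layout and ACL lines are constructed to mirror the thread, with the x/a/b/c placeholders kept from the original log.

```python
import re

# FreeRADIUS token numbers for the operators rlm_ldap understands
T_OP_ADD, T_OP_SET, T_OP_EQ = 8, 10, 11      # "+=", ":=", "="

# An optional operator at the start of the stored LDAP value
_OP_RE = re.compile(r'^\s*(\+=|:=|=)\s*(.*)$')

def parse_ldap_value(raw):
    """Split an LDAP value into (operator, value); no operator means '='."""
    m = _OP_RE.match(raw)
    if m:
        op = {'+=': T_OP_ADD, ':=': T_OP_SET, '=': T_OP_EQ}[m.group(1)]
        return op, m.group(2)
    return T_OP_EQ, raw.strip()

def pairmove(reply, attr, op, value):
    """Merge one (attr, value) pair into the reply list with the operator
    semantics of the FreeRADIUS reply merge:
      =   add only if the attribute is not already present
      :=  replace any existing instances of the attribute
      +=  always append another instance"""
    already_there = any(a == attr for a, _ in reply)
    if op == T_OP_EQ and already_there:
        return reply                        # first value wins, rest dropped
    if op == T_OP_SET:
        reply = [(a, v) for a, v in reply if a != attr]
    return reply + [(attr, value)]

def build_reply(ldap_values, attr='Cisco-AVPair'):
    """Values of one multivalued LDAP attribute -> reply values for attr."""
    reply = []
    for raw in ldap_values:
        op, value = parse_ldap_value(raw)
        reply = pairmove(reply, attr, op, value)
    return [v for a, v in reply if a == attr]

# Constructed ACL lines mirroring the thread (placeholder addresses)
ACLS = [
    'ip:inacl#40=permit tcp any 200.x.a.0 0.0.0.255 eq 25',
    'ip:inacl#41=permit tcp any 200.x.b.0 0.0.0.255 eq 25',
    'ip:inacl#42=permit tcp any 200.x.c.0 0.0.0.255 eq 25',
    'ip:inacl#50=permit udp any eq 53 any',
]
STORED_PLAIN = ACLS                          # what the poster had: op=11
STORED_ADD = ['+= ' + a for a in ACLS]       # what the reply recommends

if __name__ == '__main__':
    print(len(build_reply(STORED_PLAIN)), 'Cisco-AVPair with "="')   # 1
    print(len(build_reply(STORED_ADD)), 'Cisco-AVPair with "+="')    # 4
```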
