Add Pool-Name as check item with operator := to ldap.attrmap. Map it to something like radiusPool. Add radiusPool to user profile in ldap. Add value pool1 for radiusPool to those with attribute = 1 ...

Ivan Kalik
Kalik Informatika ISP

On 9/9/2008, "Osvaldo Campos M. - Administrador Red STI" <[EMAIL PROTECTED]> wrote:

>Thanks for your answer, but I can't use LDAP groups in this case because
>I haven't groups defined in LDAP according to LDAP "attribute". For
>example, I haven't a group "Sales" in LDAP with only users with the
>value "attribute=1".
>
>And I need to assign addresses according to the value "attribute".
>
>Other ideas for this, please??
>
>Thanks...
>
>Osvaldo H. Campos Molina
>Network Administrator
>STI - Univ. de Chile
>
>Parham Beheshti wrote:
>> this is how we do it:
>> radius.conf:
>> get user's group from ldap
>>
>> users file:
>> if user is member of groupA assign ip pool1
>>
>> if user is member of groupB assign ip pool2
>>
>> here is users file (This is not using ip pools, just limits connection
>> duration and when they can login):
>> DEFAULT LDAP-Group == "VPN12", Max-Daily-Session :=43200
>>         Fall-Through = Yes
>>
>> DEFAULT LDAP-GROUP == "VPNSALES", Max-Daily-Session :=7200,
>>         Login-Time:="Any0730-0830,Any1630-1730"
>>         Fall-Through = Yes
>>
>> -----Original Message-----
>> From: [EMAIL PROTECTED] on behalf of Osvaldo Campos M. - Administrador Red STI
>> Sent: Tue 9/9/2008 2:36 AM
>> To: FreeRadius users mailing list
>> Subject: Cisco VPN Server 3000 + Radius + LDAP = heeelp!!
>>
>> Hi people:
>>
>> First of all, sorry but my english is not good.
>>
>> I'm newbie in FreeRadius and I am in a hurry with Cisco VPN Server 3000,
>> FreeRadius and LDAP, to permit vpn user's access.
>>
>> When vpn users connect (with "Cisco VPN Client"), Radius consult to LDAP
>> if user exist. If exist, then user can connect to vpn. If not, can't
>> connect. This works well.
>>
>> Now, also I should assign IP addresses according to an LDAP attribute.
>> For example, if attribute==1 assign 10.0.0.10/24, if attribute==2 assign
>> 10.0.0.20/24.
>>
>> I try to assign IP addresses with "ippool module" and filters in the
>> "ldap module" in FreeRadius, but it doesn't work.
>>
>> How can I work with many ippool's according to a value of LDAP
>> attribute? Where should I ask for the attribute value in order to assign
>> the corresponding ippool? Please, help me with that.
>>
>> My config is something like that:
>>
>> In the radius.conf file...
>> ldap vpnldap1 {
>>     server = "x.x.x.x"
>>     identity = "cn=Directory Manager"
>>     password = **********
>>     basedn = "ou=People, dc:blah, dc=cl"
>>     filter = "(&(uid=%u)(attribute=1))"
>>     authtype = ldap
>>     set_asuth_type = yes
>> }
>> ldap vpnldap2 {
>>     server = "x.x.x.x"
>>     identity = "cn=Directory Manager"
>>     password = **********
>>     basedn = "ou=People, dc:blah, dc=cl"
>>     filter = "(&(uid=%u)(attribute=2))"
>>     authtype = ldap
>>     set_asuth_type = yes
>> }
>> ....
>> authorize {
>>     files
>>     Autz-Type LDAPVPN1 {
>>         vpnldap1
>>     }
>>     Autz-Type LDAPVPN2 {
>>         vpnldap2
>>     }
>> }
>> ....
>> authentication {
>>     Auth-Type LDAPVPN1 {
>>         vpnldap1
>>     }
>>     Auth-Type LDAPVPN2 {
>>         vpnldap2
>>     }
>> }
>> ....
>> ippool vpnusers1 {
>>     range-start = 10.0.0.10
>>     range-stop = 10.0.0.19
>>     netmask = 255.255.255.0
>>     cache-size = 10
>>     session-db = ${raddbdir}/db.vpnusers1-session
>>     ip-index = ${raddbdir}/db.vpnusers1-index
>>     override = yes
>> }
>> ....
>> ippool vpnusers2 {
>>     range-start = 10.0.0.20
>>     range-stop = 10.0.0.29
>>     netmask = 255.255.255.0
>>     cache-size = 10
>>     session-db = ${raddbdir}/db.vpnusers2-session
>>     ip-index = ${raddbdir}/db.vpnusers2-index
>>     override = yes
>> }
>> ....
>> In the user file...
>> (I don't know how to configure this file to several "Ippool".... I think
>> that here's the problem)
>>
>> DEFAULT NAS-IP-Address = "y.y.y.y", Auth-Type :=LDAPVPN1, AUTZ-Type :=LDAPVPN1, Pool-Name :=vpnusers1
>> DEFAULT NAS-IP-Address = "y.y.y.y", Auth-Type :=LDAPVPN2, AUTZ-Type :=LDAPVPN2, Pool-Name :=vpnusers2
>> # y.y.y.y= address of VPN Server
>>
>> In the ldap.attrmap...
>> checkItem vpnusers1 attribute
>> checkItem vpnusers2 attribute
>>
>> Please, help me with this config.
>>
>> Thank you...
>>
>> Osvaldo H. Campos Molina
>> Network Administrator
>> STI - Univ. de Chile
>>
>> -
>> List info/subscribe/unsubscribe? See
>> http://www.freeradius.org/list/users.html
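
Ivan Kalik's suggestion at the top of the thread, written out as an added example (it is not taken from any message in the thread). The attribute name radiusPool and the value pool1 are the ones he proposes; the user DNs, the pool2 value and the dc=example base DN are constructed. Assumptions: radiusPool has been added to the directory schema, and the ippool instances are named pool1 and pool2, because rlm_ippool only allocates an address when Pool-Name matches its own instance name.

```text
# --- ldap.attrmap ------------------------------------------------------
# Format: ItemType  RADIUS-Attribute  ldapAttribute  [operator]
# Copies the user's radiusPool value into the Pool-Name check item with :=
checkItem    Pool-Name    radiusPool    :=

# --- LDIF for ldapmodify (constructed sample users) --------------------
# A user whose "attribute" is 1 is given pool1
dn: uid=user1,ou=People,dc=example,dc=cl
changetype: modify
add: radiusPool
radiusPool: pool1

# A user whose "attribute" is 2 is given pool2
dn: uid=user2,ou=People,dc=example,dc=cl
changetype: modify
add: radiusPool
radiusPool: pool2

# --- radiusd.conf ------------------------------------------------------
# A single ldap instance serves every user. No per-value filter is needed,
# because the pool is chosen by the value read from the directory.
# (Bind identity/password and the authenticate section are not shown.)
ldap {
    server = "x.x.x.x"
    basedn = "ou=People,dc=example,dc=cl"
    filter = "(uid=%u)"
    dictionary_mapping = ${raddbdir}/ldap.attrmap
}

authorize {
    ldap
}

# Each ippool instance compares Pool-Name with its own name and does
# nothing on a mismatch, so both instances can be listed unconditionally.
post-auth {
    pool1
    pool2
}

# Accounting lets the pool release the address when the session stops.
accounting {
    pool1
    pool2
}
```

With this layout the users file no longer needs a Pool-Name entry per NAS, since the check item arrives from LDAP during authorize.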