> > Cisco-AVpair += "2nd:attribute"
> >
> > This is documented in the manpage and docs.
> -
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html
>
> Thank you, it helped but it still doesn't work as I wished:
>
> All I need is:
> When request comes from 10.1.1.252 and Tunnel-Private-Group-ID =
> "Group1", use authentication ntlm_auth_vpn, and send back Cisco-av pairs
> (ipsec values)
> When request comes from whencesoever and Tunnel-Private-Group-ID is
> whatever, use authentication vpn_auth_name, and that's it
>
> My current settings are:
>
> DEFAULT Auth-Type := ntlm_auth_vpn, NAS-IP-Address == 10.1.1.252
> , Tunnel-Private-Group-ID == "Group1"
>     Tunnel-Type = "ESP",
>     Tunnel-Private-Group-ID = "Group1",
>     Tunnel-Password = "cisco",
>     Cisco-Avpair+="ipsec:dns-servers=10.1.1.6 10.1.1.7",
>     Cisco-Avpair+="ipsec:addr-pool=vpn_pool",
>     Cisco-Avpair+="ipsec:inacl=101",
>     Cisco-Avpair+="ipsec:key-exchange=ike",
>     Cisco-Avpair+="ipsec:key-exchange=preshared-key",
>     Service-Type = Framed-User,
>     Framed-Protocol = PPP,
>     Fall-Through = Yes

You've set Fall-Through here - so your Auth-Type will be overwritten by the
2nd entry:

>
> DEFAULT Auth-Type := vpn_auth_name,
>     Service-Type = Framed-User,
>     Framed-Protocol = PPP,
>

Dear Phil, thank you. I removed the Fall-Through parameter and it works
partially: when a user comes from the address 10.1.1.252 and
Tunnel-Private-Group-ID is not Group1, it takes Auth-Type := ntlm_auth_vpn
(which is wrong), and not Auth-Type := vpn_auth_name. Therefore there must be
two conditions: one is NAS-IP-Address, the second is PVT-Group.

Thanks
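
The entry ordering and Fall-Through behaviour discussed in this thread, as an added Python model (not code from the thread or from FreeRADIUS): it evaluates the two `DEFAULT` entries against constructed requests, with and without Fall-Through, and with the group check present or absent. The helper names, the `192.0.2.10` NAS address and `Group2` are assumptions made for the illustration.

```python
# Simplified model of first-match / Fall-Through evaluation for a FreeRADIUS
# "users" file. Added illustration, not FreeRADIUS code; only the behaviour
# discussed in the thread is modelled (== check items, := control items).

def evaluate(entries, request):
    """Return the Auth-Type left in the control list after all matching entries."""
    control = {}
    for entry in entries:
        # Every == check item must match the request for the entry to apply.
        if all(request.get(attr) == val for attr, val in entry["check"].items()):
            control.update(entry["set"])        # := overwrites an earlier value
            if not entry.get("fall_through"):   # without Fall-Through, stop here
                break
    return control.get("Auth-Type")

def ruleset(fall_through, check_group=True):
    """Build the thread's two entries (hypothetical helper)."""
    check = {"NAS-IP-Address": "10.1.1.252"}
    if check_group:
        check["Tunnel-Private-Group-ID"] = "Group1"
    return [
        {"check": check, "set": {"Auth-Type": "ntlm_auth_vpn"},
         "fall_through": fall_through},
        {"check": {}, "set": {"Auth-Type": "vpn_auth_name"}},  # catch-all DEFAULT
    ]

# Constructed sample requests (the 192.0.2.10 NAS and "Group2" are made up).
REQUESTS = {
    "vpn_group1": {"NAS-IP-Address": "10.1.1.252",
                   "Tunnel-Private-Group-ID": "Group1"},
    "vpn_other_group": {"NAS-IP-Address": "10.1.1.252",
                        "Tunnel-Private-Group-ID": "Group2"},
    "other_nas": {"NAS-IP-Address": "192.0.2.10"},
}

def results(entries):
    return {name: evaluate(entries, req) for name, req in REQUESTS.items()}

if __name__ == "__main__":
    for label, entries in [
        ("Fall-Through = Yes on first entry", ruleset(True)),
        ("no Fall-Through, both checks", ruleset(False)),
        ("no Fall-Through, NAS check only", ruleset(False, check_group=False)),
    ]:
        print(label, results(entries))
```

In this model the third ruleset, where only NAS-IP-Address is compared, gives the same outcome the last message reports, so it is worth confirming with debug output that both check items are actually being compared for the first entry.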