Hello, I would like to grant access to network devices based upon group membership. I'm not sure what I am doing wrong. If anyone might have any ideas or could point me to an example that would be great.
The devices are Cisco, the directory server is LDAP v2, the AAA server is FreeRADIUS v0.7.1. Almost out-of-the-box settings allow anyone with an account on the LDAP server under People to log into the devices:

radiusd.conf:

    ldap {
        server = "checkin.fqdn.com"
        basedn = "dc=fqdn,dc=com"
        filter = "(uid=%u)"
        timeout = 4
        timelimit = 3
        net_timeout = 1
    }

On the LDAP the username used for testing:

    dn: uid=cisco,ou=People, dc=fqdn,dc=com
    mail: [EMAIL PROTECTED]
    uid: cisco
    givenName: cisco
    objectClass: top
    objectClass: person
    objectClass: organizationalPerson
    objectClass: inetorgperson
    objectClass: inetUser
    objectClass: inetSubscriber
    objectClass: ipUser
    objectClass: nsManagedPerson
    sn: router
    cn: cisco
    userPassword: {SSHA}<DELETED>==
    createtimestamp: 20021116160608Z
    modifytimestamp: 20021116160608Z
    parentid: 4
    entryid: 20
    entrydn: uid=cisco,ou=people,dc=fqdn,dc=com
    subschemasubentry: cn=schema

I don't want to allow all users access to log onto the network devices, so I create a group on the LDAP server, adding the usernames I'd like to permit access to:

    dn: cn=NOC,ou=Groups, dc=fqdn,dc=com
    objectClass: top
    objectClass: groupofuniquenames
    createtimestamp: 20021116161756Z
    modifytimestamp: 20021116161847Z
    parentid: 3
    entryid: 25
    entrydn: cn=noc,ou=groups,dc=fqdn,dc=com
    cn: NOC
    description: router admins
    uniqueMember: uid=cisco,ou=People, dc=fqdn,dc=com
    uniqueMember: uid=greg,ou=People, dc=fqdn,dc=com
    subschemasubentry: cn=schema

Now I change the radiusd.conf file to:

    ldap {
        server = "checkin.fqdn.com"
        basedn = "cn=noc,ou=groups, dc=fqdn,dc=com"
        # filter = "(uid=%u,ou=People,dc=fqdn,dc=com)"
        filter = "(uid=%u)"
        # filter = "(uniquemember:uid=%u,ou=People,dc=fqdn,dc=com)"
        # access_group = "cn=noc,ou=groups,dc=fqdn,dc=com"
        dictionary_mapping = ${raddbdir}/ldap.attrmap
        ldap_connections_number = 5
        groupmembership_filter = "(|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn})))"
        timeout = 4
        timelimit = 3
        net_timeout = 1
    }

Here is how it fails with the above config:

    auth: type "LDAP"
    modcall: entering group authtype
    rlm_ldap: - authenticate
    rlm_ldap: login attempt by "cisco" with password "deleted"
    radius_xlat: '(uid=cisco)'
    radius_xlat: 'cn=noc,ou=groups, dc=fqdn,dc=com'
    ldap_get_conn: Got Id: 0
    rlm_ldap: attempting LDAP reconnection
    rlm_ldap: (re)connect to checkin.fqdn.com:389, authentication 0
    rlm_ldap: setting TLS mode to 4
    rlm_ldap: bind as / to checkin.fqdn.com:389
    rlm_ldap: waiting for bind result ...
    rlm_ldap: performing search in cn=noc,ou=groups, dc=fqdn,dc=com, with filter (uid=cisco)
    rlm_ldap: object not found or got ambiguous search result
    ldap_release_conn: Release Id: 0
    modcall[authenticate]: module "ldap" returns notfound
    modcall: group authtype returns notfound
    auth: Failed to validate the user.
    Login incorrect (rlm_ldap: User not found): [cisco/deleted] (from client firewall port 66 cli 216.138.246.211)

What would I have to do to allow access to the users listed in the NOC group?

thx, g

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
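As an added illustration (constructed for this page, not FreeRADIUS or rlm_ldap code), here is a small Python model of the two searches the post's configuration asks rlm_ldap to perform: first locate the user entry below basedn with `filter`, then test membership by substituting the user's DN into groupmembership_filter. The directory content is taken from the two LDIF entries in the post (passwords and operational attributes dropped) plus a hypothetical account `guest` that is not in NOC; `DIRECTORY`, `search`, `find_user_dn`, `is_member` and `authorize` are names chosen for the example. It reproduces the failure in the debug output: with basedn pointed at the group entry, `(uid=cisco)` has nothing to match, because the group entry carries no uid attribute, so the user lookup returns nothing. With basedn at the root of the tree, members pass and everyone else is rejected. It also normalizes DNs before comparing, since the post's uniqueMember values are written `ou=People, dc=fqdn,dc=com` while the entry DNs show `ou=people,dc=fqdn,dc=com`.

```python
"""Toy model (constructed for this example, not FreeRADIUS or rlm_ldap code) of
the two LDAP searches behind the post's configuration: (1) locate the user
entry below basedn with `filter`, (2) test group membership with
groupmembership_filter after substituting the user's DN."""

# Constructed directory: the two entries from the post with passwords and
# operational attributes dropped, plus a hypothetical user "guest" who is
# deliberately NOT a member of NOC. Keys are normalized DNs (lowercase, no
# spaces after commas); the uniqueMember values keep the post's
# "ou=People, dc=fqdn,dc=com" spelling on purpose.
DIRECTORY = {
    "dc=fqdn,dc=com": {"objectclass": ["top", "domain"]},
    "ou=people,dc=fqdn,dc=com": {"objectclass": ["top", "organizationalunit"]},
    "ou=groups,dc=fqdn,dc=com": {"objectclass": ["top", "organizationalunit"]},
    "uid=cisco,ou=people,dc=fqdn,dc=com": {
        "uid": ["cisco"], "cn": ["cisco"], "sn": ["router"],
        "objectclass": ["top", "person", "organizationalperson", "inetorgperson"]},
    "uid=greg,ou=people,dc=fqdn,dc=com": {
        "uid": ["greg"], "cn": ["greg"], "objectclass": ["top", "person", "inetorgperson"]},
    "uid=guest,ou=people,dc=fqdn,dc=com": {   # hypothetical, not in the post
        "uid": ["guest"], "cn": ["guest"], "objectclass": ["top", "person", "inetorgperson"]},
    "cn=noc,ou=groups,dc=fqdn,dc=com": {
        "cn": ["NOC"], "description": ["router admins"],
        "objectclass": ["top", "groupofuniquenames"],
        "uniquemember": ["uid=cisco,ou=People, dc=fqdn,dc=com",
                         "uid=greg,ou=People, dc=fqdn,dc=com"]},
}


def norm(value):
    """Case-insensitive compare that also ignores whitespace after the commas
    of a DN. A simplification of LDAP matching rules, enough for this model."""
    return ",".join(part.strip() for part in value.split(",")).lower()


def parse_filter(text):
    """Minimal RFC 4515 subset: (attr=value), (&...), (|...)."""
    text = text.strip()
    if not (text.startswith("(") and text.endswith(")")):
        raise ValueError("filter must be parenthesised: %r" % text)
    body = text[1:-1]
    if body[:1] in ("&", "|"):
        children, depth, start = [], 0, 0
        for i, ch in enumerate(body):
            if ch == "(":
                if depth == 0:
                    start = i
                depth += 1
            elif ch == ")":
                depth -= 1
                if depth == 0:
                    children.append(parse_filter(body[start:i + 1]))
        return (body[0], children)
    attr, sep, value = body.partition("=")
    if not sep:
        raise ValueError("only equality filters are supported: %r" % text)
    return ("=", attr.strip().lower(), value)


def matches(entry, node):
    """Evaluate a parsed filter against one entry's attribute dictionary."""
    if node[0] == "=":
        return any(norm(v) == norm(node[2]) for v in entry.get(node[1], []))
    results = [matches(entry, child) for child in node[1]]
    return all(results) if node[0] == "&" else any(results)


def search(base, filter_text):
    """Subtree search: DNs at or below base whose entry matches the filter."""
    base = norm(base)
    node = parse_filter(filter_text)
    return [dn for dn, attrs in DIRECTORY.items()
            if (dn == base or dn.endswith("," + base)) and matches(attrs, node)]


# The groupmembership_filter from the post, verbatim.
GROUP_FILTER = ("(|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))"
                "(&(objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn})))")


def find_user_dn(uid, basedn, user_filter="(uid=%u)"):
    """Step 1: search basedn with `filter` after %u substitution. Exactly one
    hit is required; zero or several gives the post's 'object not found or got
    ambiguous search result'."""
    hits = search(basedn, user_filter.replace("%u", uid))
    return hits[0] if len(hits) == 1 else None


def is_member(user_dn, group_dn):
    """Step 2: evaluate groupmembership_filter with the user's DN substituted,
    searching at the group entry itself."""
    return len(search(group_dn, GROUP_FILTER.replace("%{Ldap-UserDn}", user_dn))) == 1


def authorize(uid, basedn="dc=fqdn,dc=com",
              group_dn="cn=noc,ou=groups,dc=fqdn,dc=com"):
    """Combine both steps and fail closed: anyone the group check does not
    vouch for is rejected, even if the account exists."""
    user_dn = find_user_dn(uid, basedn)
    if user_dn is None:
        return "notfound"
    return "ok" if is_member(user_dn, group_dn) else "reject"


if __name__ == "__main__":
    # The post's second config: basedn is the group entry, so (uid=cisco) has
    # nothing to match and the user is never found.
    print(authorize("cisco", basedn="cn=noc,ou=groups, dc=fqdn,dc=com"))
    print(authorize("cisco"), authorize("greg"), authorize("guest"))
```

The model deliberately fails closed: an account that exists but is not listed in the group gets `reject` rather than a pass, and a lookup with zero or several hits is `notfound`, mirroring the message in the debug output. How the two steps are wired together inside the real server (which check item consumes the group result) is not shown in the post and is not modelled here.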