Cisco VPN3005 group auth

2005-05-18 Thread John Sorel
I have a Cisco VPN concentrator and am trying to get group authentication working
with the FreeRadius server.  User authentication works fine but the radius server
doesn't seem to care what group the user logs in with.

Does anyone have a similar working setup?

If I configure the group on the concentrator to be external then the radius server
is asked to authenticate the group but not the user.
If I configure the group on the concentrator to be internal then the group is
authenticated on the concentrator and the user is passed to the radius server but
there is no matchup between the group and the user.

John Sorel
Network Engineer
Upromise, Inc.


-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


AW: Cisco VPN3005 group auth

2005-05-18 Thread Stadler Karel
Just configure the group on the concentrator as external. Then on the
freeradius create a user with the same name. IMPORTANT: Use the attribute
VPN IPSec-Authentication == 1 if you like to authenticate them through radius.

Here are the other possible values:
0=None
1=Radius
2=Ldap
3=NT Domain
4=SDI
5=Internal (on the vpn concentrator)
7=Kerberos/Activedirectory

best rgds
-Karel

-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On behalf of John Sorel
Sent: Wednesday, 18 May 2005 16:19
To: freeradius-users@lists.freeradius.org
Subject: Cisco VPN3005 group auth

I have a Cisco VPN concentrator and am trying to get group authentication working
with the FreeRadius server.  User authentication works fine but the radius server
doesn't seem to care what group the user logs in with.

Does anyone have a similar working setup?

If I configure the group on the concentrator to be external then the radius server
is asked to authenticate the group but not the user.
If I configure the group on the concentrator to be internal then the group is
authenticated on the concentrator and the user is passed to the radius server but
there is no matchup between the group and the user.

John Sorel
Network Engineer
Upromise, Inc.




RE: Cisco VPN3005 group auth

2005-05-18 Thread John Sorel
I was able to get both the group and user authenticated on
the Radius server now but there is no matching of the user
to the group.

This user can log in using any group, not just the one I want
them to use.

How does the radius server match / check the user to the
group?




Re: Cisco VPN3005 group auth

2005-05-18 Thread Craig Huckabee
John Sorel wrote:
I was able to get both the group and user authenticated on 
the Radius server now but there is no matching of the user
to the group.  

This user can login using any group, not just the one I want
them to use.
How does the radius server match / check the user to the
group?
Sorry for jumping in late on this, but last information I have is that 
there is an open bug with Cisco for their VPN concentrators not obeying 
groups when RADIUS authentication is used.

I don't have a TAC case # for this - we got this information at a recent 
technical summit.

HTH,
Craig
--
/ Craig Huckabee|  e-mail: [EMAIL PROTECTED] /
/ Code 715-CH   |   phone: (843) 218 5653   /
/ SPAWAR Systems Center | close proximity: Hey You!   /
/ Charleston, SC|ICBM:  32.78N, 79.93W  /


RE: Cisco VPN3005 group auth

2005-05-18 Thread Dustin Doris
On Wed, 18 May 2005, John Sorel wrote:

 I was able to get both the group and user authenticated on
 the Radius server now but there is no matching of the user
 to the group.

 This user can login using any group, not just the one I want
 them to use.

 How does the radius server match / check the user to the
 group?


I believe you can lock them into a group with the class attribute in your
reply items.

Such as:

Class = OU=somegroup.com;

I remember it being important that either the OU is in uppercase or the ;
is between the s, so try it with both.



RE: Cisco VPN3005 group auth

2005-05-18 Thread Dustin Doris
On Wed, 18 May 2005, Dustin Doris wrote:

 On Wed, 18 May 2005, John Sorel wrote:

  I was able to get both the group and user authenticated on
  the Radius server now but there is no matching of the user
  to the group.
 
  This user can login using any group, not just the one I want
  them to use.
 
  How does the radius server match / check the user to the
  group?
 
 
 I believe you can lock them into a group with the class attribute in your
 reply items.

 Such as.

 Class = OU=somegroup.com;

 I remember it being important that either the OU is in uppercase or the ;
 is between the s, so try it with both.


Found my old link about it.

http://www.cisco.com/warp/public/471/altigagroup.html


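Putting Karel's external-group advice and Dustin's Class-attribute advice together as a FreeRADIUS `users` file fragment (an added example, not code from the thread, from Cisco or from the FreeRADIUS project). It assumes FreeRADIUS 1.1 or later with the shipped Cisco VPN 3000 dictionary loaded, so the attribute is spelled `CVPN3000-IPSec-Authentication`; the group name `vpngroup`, the user `jdoe` and both passwords are constructed. Both attributes are reply items, so they take `=` rather than the `==` used for check items.

```text
# FreeRADIUS "users" file fragment (constructed example).
#
# 1. Group entry. With the group configured as "external" on the
#    concentrator, the VPN 3000 sends an Access-Request whose User-Name
#    is the group name and whose password is the group password. The
#    reply carries the group policy; IPSec-Authentication = 1 (RADIUS in
#    Karel's value table) makes the concentrator send the user
#    authentication that follows to RADIUS as well.
vpngroup    Cleartext-Password := "group-secret-here"
            CVPN3000-IPSec-Authentication = 1

# 2. User entry. The Class reply attribute locks the user to one group:
#    the concentrator compares "OU=<group>;" with the group the client
#    connected under. Keep OU in upper case and keep the trailing
#    semicolon. A user who connects under a different group is refused
#    by the concentrator even though RADIUS returned Access-Accept.
jdoe        Cleartext-Password := "user-password-here"
            Class = "OU=vpngroup;",
            Service-Type = Framed-User

# Users without a Class reply fall through to DEFAULT and can still use
# any group, which is the behaviour John observed.
```

Verify with two `radtest` runs, one as `vpngroup` and one as `jdoe`, and confirm that the Access-Accept for `jdoe` carries the Class attribute before testing from the VPN client.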