Re: Cisco AV-PAIRS
Thanks for the info so far. Is there a howto on getting this to work? Questions I still have on this are:

1) Do I need to extend my schema to include Cisco-AV-Pair? If so, is there an example I can copy?
2) What is the exact line that I need to add to my ldap.attrmap file to then refer to that?

Can this then be expanded to group memberships? The situation I want is for user David, who is a member of the Edge_Router group, to have full access to the routers for that group, while having, say, level 6 access to the core routers from membership of the Core_Router group.

Thanks for any further help

David

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Cisco AV-PAIRS
Hi David,

Have you tried putting \n to see if that puts a line break into the response? Whether the RADIUS client will barf on that is another matter ;-)

Rgds,
Guy

On 20/02/2008, David W Bell [EMAIL PROTECTED] wrote:
> Seem to have managed to get a bit further. Is there any way of adding a line-break to a Radius-Reply string?
Re: Cisco AV-PAIRS
Yep, tried that :)

> Hi David,
>
> Have you tried putting \n to see if that puts a line break into the response? Whether the RADIUS client will barf on that is another matter ;-)
>
> Rgds,
> Guy
Re: Cisco AV-PAIRS
David W Bell wrote:
> Questions I still have on this are:
> 1) Do I need to extend my schema to include Cisco-AV-Pair? If so, is there an example I can copy?
> 2) What is the exact line that I need to add to my ldap.attrmap file to then refer to that?
> Can this then be expanded to group memberships?

Seem to have managed to get a bit further. Is there any way of adding a line-break to a Radius-Reply string?
Re: Cisco AV-PAIRS
You most likely want operator += to add multiple attributes with the same name. http://wiki.freeradius.org/Operators

Ivan Kalik
Kalik Informatika ISP

On 20/2/2008, David W Bell [EMAIL PROTECTED] wrote:
> Yep, tried that :)
>
>> Have you tried putting \n to see if that puts a line break into the response? Whether the RADIUS client will barf on that is another matter ;-)
>>
>>> Seem to have managed to get a bit further. Is there any way of adding a line-break to a Radius-Reply string?
Re: Cisco AV-PAIRS
That is what I am doing, however they append to the current line. I would like to put a linebreak at the end of each one to make them flow properly.

David

> You most likely want operator += to add multiple attributes with the same name. http://wiki.freeradius.org/Operators
>
> Ivan Kalik
> Kalik Informatika ISP
Re: Cisco AV-PAIRS
David W Bell wrote:
> That is what I am doing, however they append to the current line. I would like to put a linebreak at the end of each one to make them flow properly.

Can you say what you have configured, and what the server sends? i.e. DEBUG output?

Alan DeKok.
Re: Cisco AV-PAIRS
And why do you have the password in two locations? If you store it in LDAP you don't need it in the users file, and vice versa.

Ivan Kalik
Kalik Informatika ISP

On 19/2/2008, David W Bell [EMAIL PROTECTED] wrote:
> Hi there. My saga continues.
>
> I have FreeRADIUS working with OpenLDAP and can log into Cisco kit and pass the priv-level from the raddb/users file. Is there any way that this information can be passed from the OpenLDAP user details instead? I am looking to do a single-sign-on system and it seems a little awkward to have to change a password (as is required in the users file) in 2 locations.
>
> Thanks
> David
Re: Cisco AV-PAIRS
I was wondering the same thing :-)

On the subject of getting the attributes from LDAP, the Cisco AV pairs are just another AV pair. Sure, Cisco have broken their AVs up with sub-AVs, but it's still just passing a value back from LDAP and manipulating the format so that it is placed correctly into the correct AV.

The priv-level (as you have clearly worked out) is presented as...

Cisco-AV-Pair=priv-level=value
value = 0 to 15

If you have an attribute in your LDAP schema that is called Cisco-AV-Pair and it contains the string priv-level=15, then you should be able to return that attribute and map it to the contents of the Cisco-AV-Pair RADIUS attribute. I don't *think* it's any different to mapping any other string-based AV pair.

Rgds,
Guy

On 19/02/2008, Ivan Kalik [EMAIL PROTECTED] wrote:
> And why do you have the password in two locations? If you store it in LDAP you don't need it in the users file, and vice versa.
>
> Ivan Kalik
> Kalik Informatika ISP
Re: Cisco AV-PAIRS
Only way I have found to get RADIUS to pass the AV-PAIRS back is from the users file. If I have missed something, please let me know.

David

> And why do you have the password in two locations? If you store it in LDAP you don't need it in the users file, and vice versa.
>
> Ivan Kalik
> Kalik Informatika ISP
Re: Cisco AV-PAIRS
Password is a check item. It has nothing to do with what's in the reply (AV-pairs are reply items). Just remove the password and it will still work the same. You *can* leave the check line blank in the users file.

Ivan Kalik
Kalik Informatika ISP

On 19/2/2008, David W Bell [EMAIL PROTECTED] wrote:
> Only way I have found to get RADIUS to pass the AV-PAIRS back is from the users file. If I have missed something, please let me know.
>
> David
Re: Cisco AV-PAIRS
David W Bell wrote:
> Only way I have found to get RADIUS to pass the AV-PAIRS back is from the users file.

Try using Reply-items in ldap.attrmap. Or the users file without authenticating users against it.

> If I have missed something, please let me know.
>
> David
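The following is an added example, not taken from this thread or from the FreeRADIUS project, that puts together the two points made above: the password is a check item and can be left out of the users file (authentication stays in rlm_ldap), and `+=` is how several attributes of the same name end up in one reply, whether they come from ldap.attrmap reply items or from the users file. It assumes FreeRADIUS 2.x with rlm_ldap and an OpenLDAP tree that loads the RADIUS-LDAPv3 schema shipped under doc/examples in the FreeRADIUS source; the DN, group names, huntgroup names and NAS addresses are made up for the example. Two facts it relies on: the FreeRADIUS dictionary names the attribute `Cisco-AVPair` (not Cisco-AV-Pair), and IOS reads the privilege level from the value `shell:priv-lvl=N`.

```text
# --- raddb/ldap.attrmap ------------------------------------------------
# Generic mappings from the RADIUS-LDAPv3 schema. Every value of
# radiusReplyItem is parsed as "Attribute op value", so no Cisco-specific
# LDAP attribute has to be added to the schema. Both lines are in the
# ldap.attrmap shipped with the server.
checkItem   $GENERIC$   radiusCheckItem
replyItem   $GENERIC$   radiusReplyItem

# --- LDIF: per-user reply items (constructed entry, names assumed) -----
# Each radiusReplyItem value becomes one attribute in the Access-Accept.
# A "\n" inside a value is just a byte inside that single string; only a
# second value produces a second Cisco-AVPair attribute.
dn: uid=david,ou=people,dc=example,dc=com
objectClass: inetOrgPerson
objectClass: radiusprofile
uid: david
cn: David W Bell
sn: Bell
# userPassword: whatever rlm_ldap already authenticates against
radiusReplyItem: Cisco-AVPair += "shell:priv-lvl=15"
radiusReplyItem: Cisco-AVPair += "ip:inacl#10=permit ip any any"

# --- raddb/users: per-group privilege, no password in the check items --
# The first line of an entry holds only check items (which NAS, which
# LDAP group); there is no password because rlm_ldap does that check.
# Indented lines are reply items, comma-separated, last one without a
# comma. Fall-Through lets later DEFAULT entries be evaluated too.
# Huntgroup-Name is resolved from raddb/huntgroups; Ldap-Group is the
# group-membership check registered by rlm_ldap (group names assumed).
DEFAULT Huntgroup-Name == "edge", Ldap-Group == "Edge_Router"
        Cisco-AVPair += "shell:priv-lvl=15",
        Fall-Through = Yes

DEFAULT Huntgroup-Name == "core", Ldap-Group == "Core_Router"
        Cisco-AVPair += "shell:priv-lvl=6",
        Fall-Through = Yes

# --- raddb/huntgroups (constructed NAS addresses) ----------------------
edge    NAS-IP-Address == 192.0.2.10
edge    NAS-IP-Address == 192.0.2.11
core    NAS-IP-Address == 192.0.2.1
```

Use either the LDIF or the users file as the source of `shell:priv-lvl`, not both, since with `+=` both values would be sent and the router is left to pick one. The `Ldap-Group` check only works once the ldap module's `groupname_attribute` and `groupmembership_filter` (or `groupmembership_attribute`) are set for your tree. Running `radiusd -X` shows every reply attribute on its own line, which is the quickest way to confirm that you are sending several `Cisco-AVPair` attributes rather than one long string; remember that a single RADIUS attribute value is limited to 253 bytes, so long ACLs have to be split across attributes anyway.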
RE: Cisco-AV-Pairs
Yes, like in:

        Cisco-AVPair += "ip:inacl#09=deny udp any any eq 1234"
        Cisco-AVPair += "ip:inacl#71=permit tcp host 1.2.3.4 5.6.7.0 0.0.0.255"

Kind regards,
Nico Baggus