Re: help with ldap/checkitem
> i STILL don't get the attribute...so clearly i am doing something VERY
> wrong, is anyone able to send me in the right direction?

The users file consists of entries of the form:

username|DEFAULT list
        reply1,
        reply2

list consists of a comma-separated sequence of *either*:

 * comparisons against items in the request
 * setting or re-setting of check items

You *cannot* compare against a check item already set by an earlier module or earlier entry in the users file.

I suggest you investigate the use of LDAP groups.

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
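The rule stated in the reply above, as an added example that is not part of the original thread and not FreeRADIUS code: a simplified Python model in which users-file comparisons read only the request list, so a check item added by rlm_ldap is never seen. The `Ldap-Group` hook, the `LDAP_GROUPS` data and the entry labels are assumptions made for illustration, and Fall-Through handling is ignored.

```python
import re

ITEM = re.compile(r"\s*([\w-]+)\s*(:=|==|=\*)\s*(.*?)\s*$")

# Constructed sample data, shaped after the debug output in the thread.
REQUEST = {"User-Name": "CLARKU\\bjulin", "NAS-Port-Type": "Virtual",
           "Framed-Protocol": "PPP"}
LDAP_GROUPS = {"CLARKU\\bjulin": {"testing"}}  # hypothetical directory contents

USERS = [  # first three check lines are from the thread; the last is added
    ("vpn-default",
     "NAS-Port-Type == Virtual, Framed-Protocol == PPP, Autz-Type := VPN"),
    ("check-item-eq", "VPNGroupName == testing"),
    ("check-item-exists", "VPNGroupName =* testing"),
    ("ldap-group", "Ldap-Group == testing"),
]

def ldap_group_cmp(request, value):
    """Stand-in for a group-membership lookup performed at compare time."""
    return value in LDAP_GROUPS.get(request.get("User-Name"), set())

HOOKS = {"Ldap-Group": ldap_group_cmp}  # attributes compared by a callback

def entry_matches(line, request, control):
    """True if every comparison on the line holds against the request list."""
    to_set = {}
    for part in line.split(","):
        m = ITEM.match(part)
        if not m:
            raise ValueError(f"unparsable check item: {part!r}")
        attr, op, value = m.groups()
        if op == ":=":                    # assignment, not a comparison
            to_set[attr] = value
        elif attr in HOOKS:               # computed, not read from any list
            if not HOOKS[attr](request, value):
                return False
        elif op == "==" and request.get(attr) != value:
            return False
        elif op == "=*" and attr not in request:
            return False
    control.update(to_set)                # applied only when the entry matched
    return True

def matched_entries(users, request, control):
    """Labels of the entries whose check line matches (no Fall-Through logic)."""
    return [label for label, line in users
            if entry_matches(line, request, control)]

if __name__ == "__main__":
    control = {"VPNGroupName": "testing"}  # what rlm_ldap added as a check item
    print(matched_entries(USERS, REQUEST, control))
    print(control)
```

Both `VPNGroupName` entries fail even though the value sits in the control list, which is the behaviour reported in the thread; the group comparison succeeds because it is evaluated when the entry is compared.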
RE: help with ldap/checkitem
> I suggest you investigate the use of LDAP groups.

thanks for the suggestion, I did that last night and it worked well for me.

Joe
help with ldap/checkitem
Hi,

I am having some confusing trouble with an LDAP check item.

applicable line from ldap attribute file ---

checkItem       VPNGroupName    clarkuVlan

Users file.

## VPN USER CONFIG
DEFAULT NAS-Port-Type == Virtual, Framed-Protocol == PPP, Autz-Type := VPN
        Reply-Message = Welcome %u, to Clark University's network #AUTHORIZED USE ONLY#,
        Fall-Through = Yes

# VPN TEST USER CONFIG
DEFAULT VPNGroupName == testing
        CVPN3000-IPSec-Split-Tunneling-Policy = 1,
        Filter-Id=itsadmin-filter,
        CVPN3000-DHCP-Network-Scope = 140.232.2.1,
        CVPN3000-IPSec-Split-Tunnel-List =itsadmin-routes

debug output

...
rlm_ldap: checking if remote access for CLARKU\bjulin is allowed by clarkuVpnAccess
rlm_ldap: looking for check items in directory...
rlm_ldap: Adding clarkuVlan as VPNGroupName, value testing op=21
...
Login OK: [CLARKU\\bjulin] (from client vpn port 176)
Sending Access-Accept of id 8 to 10.13.13.1 port 1025
        Reply-Message = Welcome CLARKUbjulin, to Clark University's network #AUTHORIZED USE ONLY#
        Framed-MTU = 576
        MS-CHAP2-Success = 0x
        MS-MPPE-Recv-Key = 0
        MS-MPPE-Send-Key = 0
        MS-MPPE-Encryption-Policy = 0x0002
        MS-MPPE-Encryption-Types = 0x0004
...

so i see it set the check item VPNGroupName to testing, but it never matches in the users file, can anyone point to what i am doing wrong?

--
Joe Vieira
UNIX Systems Administrator
Clark University - ITS
Re: help with ldap/checkitem
Attribute is most likely VPN-Group-Name. Check in the freeradius dictionary.

Ivan Kalik
Kalik Informatika ISP
Re: help with ldap/checkitem
I created the attribute, and i don't get any dictionary errors

[EMAIL PROTECTED] raddb]# cat dictionary | grep VPN
ATTRIBUTE       VPNGroupName    3001    string

Joe Vieira
UNIX Systems Administrator
Clark University - ITS
Re: help with ldap/checkitem
so a little more info on this

if i change

DEFAULT VPNGroupName == testing
        CVPN3000-IPSec-Split-Tunneling-Policy = 1,
        Filter-Id=itsadmin-filter,
        CVPN3000-DHCP-Network-Scope = 140.232.2.1,
        CVPN3000-IPSec-Split-Tunnel-List =itsadmin-routes

to

DEFAULT VPNGroupName =* testing
        CVPN3000-IPSec-Split-Tunneling-Policy = 1,
        Filter-Id=itsadmin-filter,
        CVPN3000-DHCP-Network-Scope = 140.232.2.1,
        CVPN3000-IPSec-Split-Tunnel-List =itsadmin-routes

i STILL don't get the attribute...so clearly i am doing something VERY wrong, is anyone able to send me in the right direction?

Joe Vieira
UNIX Systems Administrator
Clark University - ITS
Re: help with ldap/checkitem
On Friday 09 November 2007 14:26, Joe Vieira wrote:
> DEFAULT VPNGroupName == testing
>         CVPN3000-IPSec-Split-Tunneling-Policy = 1,
>         Filter-Id=itsadmin-filter,
>         CVPN3000-DHCP-Network-Scope = 140.232.2.1,
>         CVPN3000-IPSec-Split-Tunnel-List =itsadmin-routes
>
> i STILL don't get the attribute...

I do this successfully with

DEFAULT my-check-item == my-value

Zoltan Ori
Morehead State University