privacyidea and cisco vpn


lei xiao

Oct 10, 2015, 1:42:22 AM10/10/15
to privacyidea
Cisco's VPN has different policy-groups, and different users belong to different policy-groups.
If I use simple authentication, I need a configuration file /etc/freeradius/users like this:
CISCO :

access-list TESTUSER_ACL standard permit 192.168.1.0 255.255.255.0
access-list TESTUSER_ACL standard permit 192.168.2.0 255.255.255.0

group-policy TESTUSER-GRP_POLICY internal
group-policy TESTUSER-GRP_POLICY attributes
split-tunnel-policy tunnelspecified
split-tunnel-network-list value TESTUSER_ACL

FREERADIUS :  /etc/freeradius/users

testuser  Password = "test-password"
          User-Server-Type = Login-User
          Class = TESTUSER-GRP_POLICY

But when using privacyIDEA, the FreeRADIUS users configuration looks like this:
root@ubuntu:/etc/freeradius# cat users 
DEFAULT Auth-Type := Perl

How do I define the user 'Class' attribute?

Cornelius Kölbel

Oct 10, 2015, 4:31:07 AM10/10/15
to priva...@googlegroups.com
Hi Lei,

you can simply extend your existing users file.

If it looks like this at the moment:

testuser Password = "test-password"
User-Server-Type = Login-User
Class = TESTUSER-GRP_POLICY

You can change it to

testuser Auth-Type = Perl
User-Server-Type = Login-User
Class = TESTUSER-GRP_POLICY


In my setup I had to remove the User-Server-Type and had a users entry
like

corny Auth-Type = Perl
Class = TESTUSER-GRP_POLICY

And was able to authenticate like this:

root@puckel:~/TEST# echo "User-Name=corny, Password=rightPassword" | \
radclient -s 127.0.0.1 auth test
Received response ID 246, code 2, length = 69
Reply-Message = "privacyIDEA access granted"
Class = 0x54455354555345522d4752505f504f4c494359

Total approved auths: 1
Total denied auths: 0
Total lost auths: 0


This way you get all the VPs in your response.

Kind regards
Cornelius

--
Cornelius Kölbel
corneliu...@netknights.it
+49 151 2960 1417

NetKnights GmbH
http://www.netknights.it
Landgraf-Karl-Str. 19, 34131 Kassel, Germany
Tel: +49 561 3166797, Fax: +49 561 3166798

Amtsgericht Kassel, HRB 16405
Geschäftsführer: Cornelius Kölbel

lei xiao

Oct 27, 2015, 7:23:00 AM10/27/15
to privacyidea
I added dictionary.cisco.asa to FreeRADIUS.
This file supports the Cisco ASA extended attributes in FreeRADIUS.
The configuration file /etc/freeradius/users looks like this:
root@radius:/etc/freeradius# cat users 
#DEFAULT Auth-Type := Perl
xiaolei        Auth-Type := Perl
                  ASA-Tunnel-Group-Lock := "sslclienttunnel"

I tested this idea and it is valid.
I'm thinking, would ASA-Tunnel-Group-Lock := "REALM" be feasible?
I tried to modify the script,
/usr/share/privacyidea/freeradius/privacyidea_radius.pm
but I cannot modify the Perl script...

Can you help me?

Thank you!!


On Saturday, October 10, 2015 at 1:42:22 PM UTC+8, lei xiao wrote:

Cornelius Kölbel

Oct 27, 2015, 8:33:35 AM10/27/15
to priva...@googlegroups.com
I am not sure if I understand you.

Does the file "users" like

#DEFAULT Auth-Type := Perl
xiaolei Auth-Type := Perl
ASA-Tunnel-Group-Lock := "sslclienttunnel"

result in a successful authentication?

Then you can use the file "users" like this:

DEFAULT Auth-Type := Perl
ASA-Tunnel-Group-Lock = sslclienttunnel

Kind regards
Cornelius
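The two exchanges above both come down to the same question: which reply attribute (Class in the first, ASA-Tunnel-Group-Lock in the second) the users file hands back for a given user, and whether the reply the VPN concentrator actually receives carries it. The following is an added example, not code from the thread, from privacyIDEA or from FreeRADIUS: it parses users-file entries in the simplified shape used in the thread (check items on the entry line, reply items on indented continuation lines), decodes the hex-printed Class octets from radclient's output back to text, and compares the two. The users file and the radclient output it works on are constructed from the snippets in the thread; real FreeRADIUS entry matching is order-dependent and governed by Fall-Through, which this model does not reproduce.

```python
"""Added example (not from the thread, privacyIDEA or FreeRADIUS): check that
the reply a RADIUS client receives carries the group-policy attribute that the
FreeRADIUS `users` file promises for that user.

Assumed: the `users` syntax is the subset used in the thread (check items on the
entry line, reply items on indented continuation lines) and the radclient output
is in the text form quoted above. All sample data below is constructed."""
import re

# Constructed `users` file modelled on the entries in the thread.
USERS_FILE = """\
# fallback for every user without an entry of their own
DEFAULT Auth-Type := Perl

testuser Auth-Type = Perl
         Class = TESTUSER-GRP_POLICY

xiaolei Auth-Type := Perl
        ASA-Tunnel-Group-Lock := "sslclienttunnel"
"""

# Constructed radclient output in the shape shown in the thread. Class is an
# octet-string attribute, so radclient prints it as hex.
RADCLIENT_OUTPUT = """\
Received response ID 246, code 2, length = 69
\tReply-Message = "privacyIDEA access granted"
\tClass = 0x54455354555345522d4752505f504f4c494359
"""

# attribute, operator, value (quoted or bare); trailing commas are tolerated
ITEM_RE = re.compile(r'([\w-]+)\s*(:=|\+=|==|=)\s*(?:"([^"]*)"|([^,\s]+))')


def parse_users(text):
    """Return {username: {"check": {attr: value}, "reply": {attr: value}}}.

    An entry line (no leading whitespace) holds the username and its check
    items; the indented lines that follow hold its reply items.
    """
    entries, current = {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0].isspace():                    # continuation: reply items
            if current is None:
                raise ValueError("reply item before any entry: %r" % raw)
            section, body = entries[current]["reply"], raw
        else:                                   # "<user> <check items>"
            current, _, body = raw.partition(" ")
            entries[current] = {"check": {}, "reply": {}}
            section = entries[current]["check"]
        for attr, _op, quoted, bare in ITEM_RE.findall(body):
            section[attr] = quoted if quoted else bare
    return entries


def parse_reply(output):
    """Turn radclient's text output into (accepted, {attr: value}), decoding
    the hex-encoded Class octets back to the group-policy name."""
    accepted, attrs = False, {}
    for line in output.splitlines():
        m = re.match(r"Received response ID \d+, code (\d+)", line)
        if m:
            accepted = int(m.group(1)) == 2     # RADIUS code 2 = Access-Accept
            continue
        for attr, _op, quoted, bare in ITEM_RE.findall(line):
            value = quoted if quoted else bare
            if attr == "Class" and value.startswith("0x"):
                value = bytes.fromhex(value[2:]).decode("ascii", "replace")
            attrs[attr] = value
    return accepted, attrs


def check_reply(users, username, output, policy_attr="Class"):
    """Compare the policy attribute the users file promises to `username`
    with what the server returned. In this simplified model a user without
    an entry of their own gets the DEFAULT entry, which is why a policy
    attribute placed on DEFAULT reaches every user."""
    entry = users.get(username) or users.get("DEFAULT", {"reply": {}})
    expected = entry["reply"].get(policy_attr)
    accepted, attrs = parse_reply(output)
    got = attrs.get(policy_attr)
    return {"accepted": accepted, "expected": expected, "got": got,
            "match": accepted and expected is not None and expected == got}


if __name__ == "__main__":
    users = parse_users(USERS_FILE)
    print(check_reply(users, "testuser", RADCLIENT_OUTPUT))
    print(check_reply(users, "xiaolei", RADCLIENT_OUTPUT, "ASA-Tunnel-Group-Lock"))
```

Decoding the Class octets is what lets you confirm that the hex blob in the radclient reply (0x5445...4359 above) really is TESTUSER-GRP_POLICY and not some other policy. The check also makes the difference between the two replies in the thread visible: a policy attribute on a per-user entry is only returned for that user, while the same attribute on the DEFAULT entry is returned for everyone who authenticates, which is fine when every VPN user should land in one tunnel-group but not when, as in the first post, different users must end up in different group-policies.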