Privacyidea and cisco vpn

Cisco's VPN has different policy groups, and different users belong to different policy groups.
If I use simple authentication, I need a configuration file /etc/freeradius/users like this:
CISCO :

access-list TESTUSER_ACL standard permit 192.168.1.0 255.255.255.0
access-list TESTUSER_ACL standard permit 192.168.2.0 255.255.255.0

group-policy TESTUSER-GRP_POLICY internal
group-policy TESTUSER-GRP_POLICY attributes
split-tunnel-policy tunnelspecified
split-tunnel-network-list value TESTUSER_ACL

FREERADIUS : /etc/freeradius/users

testuser Password = "test-password"
         User-Server-Type = Login-User
         Class = TESTUSER-GRP_POLICY

But using privacyIDEA, the FreeRADIUS users configuration looks like this:
root@ubuntu:/etc/freeradius# cat users
DEFAULT Auth-Type := Perl

How do I define the user 'Class' attribute?

Hi Lei,

you can simply extend your existing users file.

If it looks like this at the moment:

testuser Password = "test-password"
         User-Server-Type = Login-User
         Class = TESTUSER-GRP_POLICY

You can change it to

testuser Auth-Type = Perl
         User-Server-Type = Login-User
         Class = TESTUSER-GRP_POLICY

In my setup I had to remove the User-Server-Type and had a users entry
like

corny Auth-Type = Perl
      Class = TESTUSER-GRP_POLICY

And was able to authenticate like this:

root@puckel:~/TEST# echo "User-Name=corny, Password=rightPassword" |
radclient -s 127.0.0.1 auth test
Received response ID 246, code 2, length = 69
Reply-Message = "privacyIDEA access granted"
Class = 0x54455354555345522d4752505f504f4c494359

   Total approved auths:  1
     Total denied auths:  0
       Total lost auths:  0

This way you get all the VPs in your response.

Kind regards
Cornelius

On Friday, 09.10.2015, 22:42 -0700, lei xiao wrote:

Cisco's VPN has different policy groups, and different users belong to different policy groups.
If I use simple authentication, I need a configuration file /etc/freeradius/users like this:
CISCO :

access-list TESTUSER_ACL standard permit 192.168.1.0 255.255.255.0
access-list TESTUSER_ACL standard permit 192.168.2.0 255.255.255.0

group-policy TESTUSER-GRP_POLICY internal
group-policy TESTUSER-GRP_POLICY attributes
split-tunnel-policy tunnelspecified
split-tunnel-network-list value TESTUSER_ACL

FREERADIUS : /etc/freeradius/users

testuser Password = "test-password"
         User-Server-Type = Login-User
         Class = TESTUSER-GRP_POLICY

But using privacyIDEA, the FreeRADIUS users configuration looks like this:
root@ubuntu:/etc/freeradius# cat users
DEFAULT Auth-Type := Perl

How do I define the user 'Class' attribute?


You received this message because you are subscribed to the Google
Groups “privacyidea” group.
To unsubscribe from this group and stop receiving emails from it, send
an email to privacyidea+unsubscribe@googlegroups.com.
To post to this group, send email to privacyidea@googlegroups.com.
To view this discussion on the web visit
https://groups.google.com/d/msgid/privacyidea/919d3c30-41ab-4597-9b52-c7ae480bb091%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.


Cornelius Kölbel
@cornelinux
+49 151 2960 1417

NetKnights GmbH
http://www.netknights.it
Landgraf-Karl-Str. 19, 34131 Kassel, Germany
Tel: +49 561 3166797, Fax: +49 561 3166798

Amtsgericht Kassel, HRB 16405
Geschäftsführer: Cornelius Kölbel


I am not sure if I understand you.

Does the file “users” like

#DEFAULT Auth-Type := Perl
xiaolei        Auth-Type := Perl
               ASA-Tunnel-Group-Lock := "sslclienttunnel"

result in a successful authentication?

Then you can use the file “users” like this:

DEFAULT Auth-Type := Perl
	ASA-Tunnel-Group-Lock = sslclienttunnel

Kind regards
Cornelius

On Tuesday, 27.10.2015, 04:23 -0700, lei xiao wrote:

I added dictionary.cisco.asa for FreeRADIUS.
This file supports Cisco ASA extended attributes for FreeRADIUS.
The configuration file /etc/freeradius/users looks like this:
root@radius:/etc/freeradius# cat users
#DEFAULT Auth-Type := Perl
xiaolei Auth-Type := Perl
        ASA-Tunnel-Group-Lock := "sslclienttunnel"

I tested this, and it is valid.

I'm thinking: is ASA-Tunnel-Group-Lock := "REALM" feasible?
I tried to modify the script
/usr/share/privacyidea/freeradius/privacyidea_radius.pm,
but I cannot modify the Perl script…

Can you help me?

Thank you!!

On Saturday, October 10, 2015 at 1:42:22 PM UTC+8, lei xiao wrote:

    Cisco's VPN has different policy groups, and different users belong to different policy groups.
    If I use simple authentication, I need a configuration file /etc/freeradius/users like this:
    CISCO :
    
    access-list TESTUSER_ACL standard permit 192.168.1.0 255.255.255.0
    access-list TESTUSER_ACL standard permit 192.168.2.0 255.255.255.0
    
    group-policy TESTUSER-GRP_POLICY internal
    group-policy TESTUSER-GRP_POLICY attributes
    split-tunnel-policy tunnelspecified
    split-tunnel-network-list value TESTUSER_ACL
    
    FREERADIUS :  /etc/freeradius/users
    
    testuser  Password = "test-password"
              User-Server-Type = Login-User
              Class = TESTUSER-GRP_POLICY
    
    But using privacyIDEA, the FreeRADIUS users configuration looks like this:
    root@ubuntu:/etc/freeradius# cat users 
    DEFAULT Auth-Type := Perl
    
    How do I define the user 'Class' attribute?




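The two suggestions above (a per-user entry carrying Class, and a DEFAULT entry carrying ASA-Tunnel-Group-Lock) both rely on how the FreeRADIUS files module walks the users file: entries are tried in file order, DEFAULT matches every name, and the first matching entry wins unless it has Fall-Through = Yes. The following Python model is an added example for this thread, not code from privacyIDEA, FreeRADIUS or any poster; the sample users files are constructed from the layouts quoted above, password checking and comment handling are simplified, and decode_class only unpacks the hex Class string that radclient printed.

```python
"""Model of how the FreeRADIUS 'files' module resolves a 'users' file.

Added example for this thread; it is not code from privacyIDEA or
FreeRADIUS. Operator handling follows users(5): ':=' sets/overrides,
'=' adds only if absent, '+=' always adds. Entries are tried in file
order; the first match wins unless it carries 'Fall-Through = Yes'.
Password checks and comment handling are simplified (assumptions).
"""
import re
from dataclasses import dataclass, field

# One "Attribute op value" pair; the value may be double-quoted or bare.
PAIR_RE = re.compile(r'\s*([\w-]+)\s*(:=|\+=|==|=)\s*("([^"]*)"|[^,]+)\s*,?')
PASSWORD_ATTRS = ('Cleartext-Password', 'Password')


@dataclass
class Entry:
    name: str                                  # username or DEFAULT
    check: list = field(default_factory=list)  # pairs on the first line
    reply: list = field(default_factory=list)  # pairs on indented lines


def parse_pairs(text):
    pairs = []
    for m in PAIR_RE.finditer(text):
        value = m.group(4) if m.group(4) is not None else m.group(3).strip()
        pairs.append((m.group(1), m.group(2), value))
    return pairs


def parse_users(text):
    """Unindented line = entry name plus check items; indented lines that
    follow belong to that entry as reply items; '#' lines are comments."""
    entries = []
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith('#'):
            continue
        if line[0] in ' \t':
            if entries:
                entries[-1].reply.extend(parse_pairs(line))
            continue
        parts = line.split(None, 1)
        entries.append(Entry(parts[0], parse_pairs(parts[1]) if len(parts) > 1 else []))
    return entries


def apply_pair(attrs, attr, op, value):
    """Merge one pair into an attribute dict using the users(5) operators."""
    if op == ':=':
        attrs[attr] = [value]
    elif op in ('=', '=='):
        attrs.setdefault(attr, [value])
    elif op == '+=':
        attrs.setdefault(attr, []).append(value)


def resolve(users_text, username, password=None):
    """Return (control, reply) attribute dicts for one access request."""
    control, reply = {}, {}
    for entry in parse_users(users_text):
        if entry.name not in (username, 'DEFAULT'):
            continue
        # A password check item rejects the entry when the value differs.
        if any(a in PASSWORD_ATTRS and v != password for a, _, v in entry.check):
            continue
        for attr, op, value in entry.check:
            if attr not in PASSWORD_ATTRS:
                apply_pair(control, attr, op, value)
        fall_through = False
        for attr, op, value in entry.reply:
            if attr == 'Fall-Through':
                fall_through = value.lower() == 'yes'
            else:
                apply_pair(reply, attr, op, value)
        if not fall_through:
            break
    return control, reply


def decode_class(hexvalue):
    """radclient prints the octet-string Class as 0x...; recover the text."""
    return bytes.fromhex(hexvalue[2:]).decode('ascii')


# Constructed sample files, modelled on the layouts quoted in the thread.
USERS_LEGACY = 'testuser Cleartext-Password := "test-password"\n\tClass = TESTUSER-GRP_POLICY\n'
USERS_PER_USER = 'corny\tAuth-Type = Perl\n\tClass = TESTUSER-GRP_POLICY\n'
USERS_DEFAULT = 'DEFAULT Auth-Type := Perl\n\tASA-Tunnel-Group-Lock = sslclienttunnel\n'
# Per-user entry first, catch-all DEFAULT last: file order decides who gets what.
USERS_MIXED = USERS_PER_USER + USERS_DEFAULT

if __name__ == '__main__':
    for name in ('corny', 'xiaolei'):
        print(name, resolve(USERS_MIXED, name))
    print(decode_class('0x54455354555345522d4752505f504f4c494359'))
```

Running it shows why the order of entries matters when a DEFAULT line is kept: with the DEFAULT entry placed first, it would match every user and stop processing, so per-user Class entries after it would never be reached unless the DEFAULT entry carried Fall-Through = Yes. The last line decodes the Class value from the radclient output above back to TESTUSER-GRP_POLICY.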
