Privacyidea and cisco vpn

Cisco’s VPN, have different policy-group. Different users belonging to different policy-group.
If use simple authentication ways,i need configuration file /etc/freeradius/users like this:
CISCO :

access-list TESTUSER_ACL standard permit 192.168.1.0 255.255.255.0
access-list TESTUSER_ACL standard permit 192.168.2.0 255.255.255.0

group-policy TESTUSER-GRP_POLICY internal
group-policy TESTUSER-GRP_POLICY attributes
split-tunnel-policy tunnelspecified
split-tunnel-network-list value TESTUSER_ACL

FREERADIUS : /etc/freeradius/users

testuser Password = "test-password"
User-Server-Type = Login-User
Class = TESTUSER-GRP_POLICY

But use Privacyidea , Freeradius User configuration line this:
root@ubuntu:/etc/freeradius# cat users
DEFAULT Auth-Type := Perl

How do i definition of user ‘Class’ attributes

Hi Lei,

you can simple extend your existing users file.

If it looks like this at the moment:

testuser Password = “test-password”
User-Server-Type = Login-User
Class = TESTUSER-GRP_POLICY

You can change it to

testuser Auth-Type = Perl
User-Server-Type = Login-User
Class = TESTUSER-GRP_POLICY

In my setup I had to remove the User-Server-Type and had a users entry
like

corny Auth-Type = Perl
Class = TESTUSER-GRP_POLICY

And was able to authenticate like this:

root@puckel:~/TEST# echo “User-Name=corny, Password=rightPassword” |
radclient -s 127.0.0.1 auth test
Received response ID 246, code 2, length = 69
Reply-Message = “privacyIDEA access granted”
Class = 0x54455354555345522d4752505f504f4c494359

   Total approved auths:  1
     Total denied auths:  0
       Total lost auths:  0

This way you get all the VPs in your response.

Kind regards
CorneliusAm Freitag, den 09.10.2015, 22:42 -0700 schrieb lei xiao:

Cisco’s VPN, have different policy-group. Different users belonging to different policy-group.
If use simple authentication ways,i need configuration file /etc/freeradius/users like this:
CISCO :

access-list TESTUSER_ACL standard permit 192.168.1.0 255.255.255.0
access-list TESTUSER_ACL standard permit 192.168.2.0 255.255.255.0

group-policy TESTUSER-GRP_POLICY internal
group-policy TESTUSER-GRP_POLICY attributes
split-tunnel-policy tunnelspecified
split-tunnel-network-list value TESTUSER_ACL

FREERADIUS : /etc/freeradius/users

testuser Password = “test-password”
User-Server-Type = Login-User
Class = TESTUSER-GRP_POLICY

But use Privacyidea , Freeradius User configuration line this:
root@ubuntu:/etc/freeradius# cat users
DEFAULT Auth-Type := Perl

How do i definition of user ‘Class’ attributes


You received this message because you are subscribed to the Google
Groups “privacyidea” group.
To unsubscribe from this group and stop receiving emails from it, send
an email to privacyidea+unsubscribe@googlegroups.com.
To post to this group, send email to privacyidea@googlegroups.com.
To view this discussion on the web visit
https://groups.google.com/d/msgid/privacyidea/919d3c30-41ab-4597-9b52-c7ae480bb091%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.


Cornelius Kölbel
@cornelinux
+49 151 2960 1417

NetKnights GmbH
http://www.netknights.it
Landgraf-Karl-Str. 19, 34131 Kassel, Germany
Tel: +49 561 3166797, Fax: +49 561 3166798

Amtsgericht Kassel, HRB 16405
Geschäftsführer: Cornelius Kölbel

signature.asc (836 Bytes)

I am not sure if I understand you.

Does the file “users” like

#DEFAULT Auth-Type := Perl
xiaolei        Auth-Type := Perl
               ASA-Tunnel-Group-Lock := "sslclienttunnel"

result in a succesful authentication?

Then you can use the file “users” like this:

DEFAULT Auth-Type := Perl
	ASA-Tunnel-Group-Lock = sslclienttunnel

Kind regards
CorneliusAm Dienstag, den 27.10.2015, 04:23 -0700 schrieb lei xiao:

I add dictionary.cisco.asa for freeradius.
This file support Cisco ASA Extended Attributes for freeradius.
Configuration file /etc/freeradius/users like this:
root@radius:/etc/freeradius# cat users
#DEFAULT Auth-Type := Perl
xiaolei Auth-Type := Perl
ASA-Tunnel-Group-Lock := “sslclienttunnel”

I tested this idea is valid.

I’m thinking, ASA-Tunnel-Group-Lock := “REALM” Feasible?
I tried to modify the script,
/usr/share/privacyidea/freeradius/privacyidea_radius.pm
But i can not modify Perl script…

Can you help me?

Thank you!!

在 2015年10月10日星期六 UTC+8下午1:42:22,lei xiao写道:

    Cisco's VPN, have different policy-group. Different users belonging to different policy-group.
    If use simple authentication ways,i need configuration file /etc/freeradius/users  like this:
    CISCO :
    
    access-list TESTUSER_ACL standard permit 192.168.1.0 255.255.255.0
    access-list TESTUSER_ACL standard permit 192.168.2.0 255.255.255.0
    
    group-policy TESTUSER-GRP_POLICY internal
    group-policy TESTUSER-GRP_POLICY attributes
    split-tunnel-policy tunnelspecified
    split-tunnel-network-list value TESTUSER_ACL
    
    FREERADIUS :  /etc/freeradius/users
    
    testuser  Password = "test-password"
              User-Server-Type = Login-User
              Class = TESTUSER-GRP_POLICY
    
    But use Privacyidea , Freeradius User configuration line this:
    root@ubuntu:/etc/freeradius# cat users 
    DEFAULT Auth-Type := Perl
    
    How do i definition of user 'Class' attributes


You received this message because you are subscribed to the Google
Groups “privacyidea” group.
To unsubscribe from this group and stop receiving emails from it, send
an email to privacyidea+unsubscribe@googlegroups.com.
To post to this group, send email to privacyidea@googlegroups.com.
To view this discussion on the web visit
https://groups.google.com/d/msgid/privacyidea/95a52c88-97ee-4212-98ba-9b7d833c296e%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.


Cornelius Kölbel
@cornelinux
+49 151 2960 1417

NetKnights GmbH
http://www.netknights.it
Landgraf-Karl-Str. 19, 34131 Kassel, Germany
Tel: +49 561 3166797, Fax: +49 561 3166798

Amtsgericht Kassel, HRB 16405
Geschäftsführer: Cornelius Kölbel

signature.asc (836 Bytes)

I add dictionary.cisco.asa for freeradius.
This file support Cisco ASA Extended Attributes for freeradius.
Configuration file /etc/freeradius/users like this:
root@radius:/etc/freeradius# cat users
#DEFAULT Auth-Type := Perl
xiaolei Auth-Type := Perl
ASA-Tunnel-Group-Lock := “sslclienttunnel”

I tested this idea is valid.
I’m thinking, ASA-Tunnel-Group-Lock := “REALM” Feasible?
I tried to modify the script,
/usr/share/privacyidea/freeradius/privacyidea_radius.pm
But i can not modify Perl script…

Can you help me?

Thank you!!

在 2015年10月10日星期六 UTC+8下午1:42:22,lei xiao写道:>

Cisco’s VPN, have different policy-group. Different users belonging to different policy-group.
If use simple authentication ways,i need configuration file /etc/freeradius/users like this:
CISCO :

access-list TESTUSER_ACL standard permit 192.168.1.0 255.255.255.0
access-list TESTUSER_ACL standard permit 192.168.2.0 255.255.255.0

group-policy TESTUSER-GRP_POLICY internal
group-policy TESTUSER-GRP_POLICY attributes
split-tunnel-policy tunnelspecified
split-tunnel-network-list value TESTUSER_ACL

FREERADIUS : /etc/freeradius/users

testuser Password = "test-password"
User-Server-Type = Login-User
Class = TESTUSER-GRP_POLICY

But use Privacyidea , Freeradius User configuration line this:
root@ubuntu:/etc/freeradius# cat users
DEFAULT Auth-Type := Perl

How do i definition of user ‘Class’ attributes