Yubico Forum

...visit our web-store at store.yubico.com
It is currently Tue Jan 30, 2018 12:09 pm

All times are UTC + 1 hour




Post new topic Reply to topic  [ 4 posts ] 
Author Message
PostPosted: Sun Nov 03, 2013 10:24 am 
Offline

Joined: Sun Nov 03, 2013 10:21 am
Posts: 5
Hi All,
I've been trying to configure the YubiRaius 3.6.1 to return Vendor Specific Attributes ( VSA ) with no success.
Has anyone succesfully configure Yubiradius to return VSA at all ?
if yes can you share which config file that I need to configure ?

Thanks,
Alberto


Top
 Profile  
Reply with quote  

Share On:

Share on Facebook FacebookShare on Twitter TwitterShare on Tumblr TumblrShare on Google+ Google+

PostPosted: Mon Nov 04, 2013 2:21 am 
Offline

Joined: Sun Nov 03, 2013 10:21 am
Posts: 5
I've got this working by adding the attributes in the /etc/freeradius/users file and adding the dictionary under /usr/share/freeradius/
DEFAULT Auth-Type = pap
PaloAlto-Admin-Role = "superuser",
PaloAlto-User-Group = "VPNgroup",
Service-Type = Login-User

---------------------
Dictionary file

VENDOR PaloAlto 25461
BEGIN-VENDOR PaloAlto
ATTRIBUTE PaloAlto-Admin-Role 1 string
ATTRIBUTE PaloAlto-Admin-Access-Domain 2 string
ATTRIBUTE PaloAlto-Panorama-Admin-Role 3 string
ATTRIBUTE PaloAlto-Panorama-Admin-Access-Domain 4 string
ATTRIBUTE PaloAlto-User-Group 5 string
END-VENDOR PaloAlto


Top
 Profile  
Reply with quote  
PostPosted: Tue Nov 05, 2013 5:48 pm 
Offline

Joined: Fri Oct 25, 2013 11:28 pm
Posts: 8
You'll have to add a vendor dictionary to freeradius's dictionary files /usr/share/freeradius/ (if I recall correctly) and make sure the vendor dictionary is configured to load in the /usr/share/freeradius/dictionary file using $INCLUDE dictionary.vendorxyz and restart freeradius.

I used the ldap mapping /etc/freeradius/ldap.attr to map my vendor attributes to the ldap attribute which I chose. It helps to run freeradius in debug mode to troubleshoot. You run debug mode using the following freeradius -X. The catch is this is debian and there is a bug so you actually have to run this command instead LD_PRELOAD=/usr/lib/libperl.so.5.10 freeradius -X.

Here some info about the bug http://www.packetfence.org/bugs/view.ph ... &history=1


Hopefully that helps you. I spent quite a bit of time figuring it out and still have lots to learn.


Top
 Profile  
Reply with quote  
PostPosted: Fri Nov 08, 2013 12:23 pm 
Offline

Joined: Sun Nov 03, 2013 10:21 am
Posts: 5
Hi , thanks for the reply,
do you have any example for the ldap.attrmap config ?
Do I also need to enable the ldap setting in sites-enabled/default ?

Thanks


Top
 Profile  
Reply with quote  
Display posts from previous:  Sort by  
Post new topic Reply to topic  [ 4 posts ] 

All times are UTC + 1 hour


Who is online

Users browsing this forum: No registered users and 2 guests


You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot post attachments in this forum

Search for:
Jump to:  
Powered by phpBB® Forum Software © phpBB Group