FW: Free Radius & Cisco

Johnston, Ian I.Johnston at avnetworks.com
Thu Dec 3 01:03:54 CET 2009


Hi,

Thanks for FreeRADIUS - I'm confident it will be just what we need.

I have set it up on a Dell DL360 G5 running CentOS 2.3 and created
simple clients.conf, raddb.conf and users files. Radtest and logins from
a couple of clients are working well. However, when I try to move up
from the absolute basics, e.g. to give my user who telnets to a Cisco
switch an enabled privilege level, it just doesn't work: the user logs on
OK but is still at the plain command prompt. I'm sure it's something
simple I've missed and I'd be grateful if you could give me any
pointers.

I've looked through the mailing-list archive, and although one question
is exactly the same ("Freeradius and Cisco (cisco-avpair =
"shell:priv-lvl=15" doesn't work)"), I seem to have everything they have
suggested in the answers?

Thanks in advance for your help.

Regards,

Ian

Here are some cuts from various files:

Switch Config

aaa authentication login nocusers group radius
aaa authorization exec nocusers group radius
aaa session-id common
radius-server host 10.210.27.4 auth-port 1645 acct-port 1646
radius-server source-ports 1645-1646
line vty 0 4
   exec-timeout 60 0
   login authentication nocusers

users

dan     Cleartext-Password := "password"
        Reply-Message = "Hello, %{User-Name}",
        Service-Type = Administrative-user,
        cisco-avpair = "shell:priv-lvl=15"

ipj     Cleartext-Password := "password"
        Reply-Message = "Hello, %{User-Name}",
        Service-Type = NAS-Prompt-User,
        cisco-avpair = "shell:priv-lvl=15"


I also tried:

dan     Cleartext-Password := "password", Service-Type = Administrative-user, cisco-avpair = "shell:priv-lvl=15"
        Reply-Message = "Hello, %{User-Name}",
        Service-Type = Administrative-user,

and

dan     Cleartext-Password := "password"
        Reply-Message = "Hello, %{User-Name}",
        Service-Type = "Administrative-user",                  # and Shell-user, and login and a few other things !-(
        cisco-avpair = "shell:priv-lvl=15"

The login failed with the first alternative, and the user logged on as a plain user
with the second.

Snips from radiusd -X output

Sending Access-Accept of id 42 to 10.210.27.2 port 1645
        Reply-Message = "Hello, ipj"
        Service-Type = NAS-Prompt-User
        Cisco-AVPair = "shell:priv-lvl=15"

Sending Access-Accept of id 43 to 10.210.27.2 port 1645
        Reply-Message = "Hello, dan"
        Service-Type = Administrative-User
        Cisco-AVPair = "shell:priv-lvl=15"
Output from radtest

[root at radius1 raddb]# radtest dan password radius1:1645 0 testing123
Sending Access-Request of id 33 to 10.210.27.4 port 1645
        User-Name = "dan"
        User-Password = "password"
        NAS-IP-Address = 10.210.27.4
        NAS-Port = 0
rad_recv: Access-Request packet from host 10.210.27.4 port 32770, id=33, length=55
        User-Name = "dan"
        User-Password = "password"
        NAS-IP-Address = 10.210.27.4
        NAS-Port = 0
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "dan", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
++[unix] returns notfound
[files] users: Matched entry dan at line 11
[files]         expand: Hello, %{User-Name} -> Hello, dan
++[files] returns ok
++[expiration] returns noop
++[logintime] returns noop
++[pap] returns updated
Found Auth-Type = PAP
+- entering group PAP {...}
[pap] login attempt with password "password"
[pap] Using clear text password "password"
[pap] User authenticated successfully
++[pap] returns ok
Login OK: [dan] (from client radius1 port 0)
+- entering group post-auth {...}
++[exec] returns noop
Sending Access-Accept of id 33 to 10.210.27.4 port 32770
        Service-Type = Administrative-User
        Cisco-AVPair = "shell:priv-lvl=15"
        Reply-Message = "Hello, dan"
Finished request 2.
Going to the next request
rad_recv: Access-Accept packet from host 10.210.27.4 port 1645, id=33, length=63
Waking up in 4.9 seconds.
        Service-Type = Administrative-User
        Cisco-AVPair = "shell:priv-lvl=15"
        Reply-Message = "Hello, dan"
[root at radius1 raddb]# Cleaning up request 2 ID 33 with timestamp +62
Ready to process requests.
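An added example, not part of the post above and not FreeRADIUS or Cisco code: a small audit script for the two configuration files the post quotes. It parses a FreeRADIUS `users` file into check items (everything on an entry's first line, which is matched against the incoming Access-Request) and reply items (the indented continuation lines, which are sent back in the Access-Accept), and flags reply-style attributes such as Cisco-AVPair that have landed on the check line. It also scans an IOS AAA snippet for a named exec-authorization list that is defined with `aaa authorization exec <name>` but not applied under `line vty` with `authorization exec <name>`, since a named (non-default) list only takes effect on lines that apply it. The sample `users` entries and IOS lines are constructed for the example; the `REPLY_ONLY` set is an illustrative, deliberately short list.

```python
"""Audit helpers for a FreeRADIUS `users` file and an IOS AAA snippet.

Added example, not the poster's files: sample inputs are constructed.
"""
import re
from dataclasses import dataclass, field

# Constructed sample entries. `dan` is written correctly; `bob` has
# Service-Type and Cisco-AVPair on the first line, where they become
# check items instead of reply items.
SAMPLE_USERS = '''\
dan     Cleartext-Password := "password"
        Reply-Message = "Hello, %{User-Name}",
        Service-Type = Administrative-User,
        Cisco-AVPair = "shell:priv-lvl=15"

bob     Cleartext-Password := "password", Service-Type = Administrative-User, Cisco-AVPair = "shell:priv-lvl=15"
        Reply-Message = "Hello, %{User-Name}"   # a comment
'''

# attribute, operator, value (quoted or bare), optional trailing comma
ITEM_RE = re.compile(
    r'\s*([\w.-]+)\s*(:=|==|!=|\+=|=~|!~|>=|<=|=|>|<)\s*'
    r'("(?:[^"\\]|\\.)*"|[^,]+?)\s*(?:,|$)')

# Attributes that only make sense as reply items (illustrative set,
# compared case-insensitively as FreeRADIUS does with attribute names)
REPLY_ONLY = {"reply-message", "cisco-avpair"}


@dataclass
class Entry:
    name: str
    check: list = field(default_factory=list)  # (attr, op, value) tuples
    reply: list = field(default_factory=list)


def parse_items(text):
    """Parse a comma-separated run of 'Attr op value' items."""
    return [(m.group(1), m.group(2), m.group(3).strip('"'))
            for m in ITEM_RE.finditer(text)]


def parse_users(text):
    """Split a users file into entries. Comment handling is simplified:
    a '#' inside a quoted value is treated as a comment start."""
    entries = []
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].rstrip()
        if not line.strip():
            continue
        if raw[0].isspace():               # continuation line: reply items
            if entries:
                entries[-1].reply.extend(parse_items(line))
            continue
        parts = line.split(None, 1)        # user name, then check items
        entry = Entry(parts[0])
        if len(parts) > 1:
            entry.check.extend(parse_items(parts[1]))
        entries.append(entry)
    return entries


def audit_entry(entry):
    """Return (attribute, message) pairs for attributes on the check line
    that were probably meant to be sent in the reply."""
    problems = []
    for attr, op, value in entry.check:
        if attr.lower() in REPLY_ONLY:
            problems.append((attr, f"{entry.name}: {attr} is on the first line, so it "
                             "is a check item compared against the request and is "
                             "never sent in the Access-Accept"))
        elif attr.lower() == "service-type":
            problems.append((attr, f"{entry.name}: Service-Type on the first line only "
                             f"restricts which requests match ({op} {value}); put it on "
                             "a reply line to send it"))
    return problems


# Constructed IOS snippet: a named exec-authorization list is defined but
# the vty line only applies the login-authentication list.
SAMPLE_IOS = '''\
aaa authentication login nocusers group radius
aaa authorization exec nocusers group radius
line vty 0 4
 exec-timeout 60 0
 login authentication nocusers
'''


def parse_ios(text):
    """Return (top-level commands, {line block: [sub-commands]})."""
    top, blocks, cur = [], {}, None
    for raw in text.splitlines():
        if not raw.strip():
            continue
        if raw[0].isspace():               # indented: belongs to current block
            if cur is not None:
                blocks[cur].append(raw.strip())
            continue
        cmd = raw.strip()
        cur = cmd if cmd.startswith("line ") else None
        if cur is not None:
            blocks.setdefault(cur, [])
        else:
            top.append(cmd)
    return top, blocks


def audit_ios(text):
    """Named (non-default) exec authorization lists only take effect on a
    line that applies them with 'authorization exec <list>'."""
    top, blocks = parse_ios(text)
    named = {c.split()[3] for c in top
             if c.startswith("aaa authorization exec ")} - {"default"}
    problems = []
    for block, cmds in blocks.items():
        if not block.startswith("line vty"):
            continue
        applied = {c.split()[2] for c in cmds if c.startswith("authorization exec ")}
        for lst in sorted(named - applied):
            problems.append(f"{block}: list '{lst}' is defined but not applied; "
                            f"add 'authorization exec {lst}' under this line")
    return problems


if __name__ == "__main__":
    for e in parse_users(SAMPLE_USERS):
        for _, msg in audit_entry(e):
            print(msg)
    for msg in audit_ios(SAMPLE_IOS):
        print(msg)
```

Run it against a real `users` file and a `show running-config` excerpt by replacing the two constructed samples; the split between `check` and `reply` in each `Entry` is exactly what the `files` module acts on, so anything you expect to see in the debug output's Access-Accept must appear in `reply`.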
