Configuration issue at radiusd.conf?

Honglak Kim honglak_kim at yahoo.com
Wed May 26 20:56:43 CEST 2021


Actually, it turned out the issue was related to the control-plane ACL at the Arista switches.
Once the ACL allowed the RADIUS access, the login started working. Such a simple thing, but I missed it for a while.

Thanks!!
    On Friday, May 14, 2021, 4:23:25 PM PDT, Honglak Kim via Freeradius-Users <freeradius-users at lists.freeradius.org> wrote:  
 
Per my tcpdump outputs at both switches, I saw the exact same responses from the RADIUS server to the switches. They said "Access-Accept" and the AVPs in the RADIUS protocol were exactly the same.
I am trying to create a case at Arista to get more info.
Thanks,
Paul

    On Friday, May 14, 2021, 2:05:02 PM PDT, Honglak Kim via Freeradius-Users <freeradius-users at lists.freeradius.org> wrote:  
 
  Hello Maki/Matthew,
I am trying to access Arista switches with the local database at the RADIUS server. The outcome is simply that I couldn't log in to the target Arista switch.
However, I tested another Arista switch and it worked well. The two Arista switches have different images: 4.20.15M is not working while 4.19.6.3M is working well. (I used the same username/password in the "users" file, and clients.conf has the correct network to cover both switches.)
I will check the switch side logs to see why the outcomes were different. 

Thanks a lot,
Paul



    On Friday, May 14, 2021, 11:12:46 AM PDT, marki <jm+freeradiususer at roth.lu> wrote:  
 
 Radius sends access-accept so it's ok.

Unless.... you care to explain what exactly you are doing, what the expected and actual outcomes are, what the error you are receiving is etc.

My crystal ball is low on battery.

On May 14, 2021 6:17:03 PM GMT+02:00, Honglak Kim via Freeradius-Users <freeradius-users at lists.freeradius.org> wrote:
Hello all,
I am very new to FreeRADIUS and I am not sure why I can't access the network device. It seems to be something to do with radiusd.conf, but I can't identify it. Please help.
This is the debugging message when I ran the test.

(0) Received Access-Request Id 116 from 10.0.254.3:43509 to 10.192.2.141:1812 length 92
(0)   User-Name = "hong"
(0)   User-Password = "test123!"
(0)   NAS-Port-Id = "ssh"
(0)   Calling-Station-Id = "ops001.mydomain.com"
(0)   Service-Type = NAS-Prompt-User
(0)   NAS-Port = 0
(0)   NAS-IP-Address = 10.0.254.3
(0) # Executing section authorize from file /etc/raddb/sites-enabled/default
(0)   authorize {
(0)     policy filter_username {
(0)       if (&User-Name) {
(0)       if (&User-Name)  -> TRUE
(0)       if (&User-Name)  {
(0)         if (&User-Name =~ / /) {
(0)         if (&User-Name =~ / /)  -> FALSE
(0)         if (&User-Name =~ /@[^@]*@/ ) {
(0)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE
(0)         if (&User-Name =~ /\.\./ ) {
(0)         if (&User-Name =~ /\.\./ )  -> FALSE
(0)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
(0)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   -> FALSE
(0)         if (&User-Name =~ /\.$/)  {
(0)         if (&User-Name =~ /\.$/)   -> FALSE
(0)         if (&User-Name =~ /@\./)  {
(0)         if (&User-Name =~ /@\./)   -> FALSE
(0)       } # if (&User-Name)  = notfound
(0)     } # policy filter_username = notfound
(0)     [preprocess] = ok
(0)     [chap] = noop
(0)     [mschap] = noop
(0)     [digest] = noop
(0) suffix: Checking for suffix after "@"
(0) suffix: No '@' in User-Name = "hong", looking up realm NULL
(0) suffix: No such realm "NULL"
(0)     [suffix] = noop
(0) eap: No EAP-Message, not doing EAP
(0)     [eap] = noop
(0) files: users: Matched entry hong at line 94
(0)     [files] = ok
(0)     [expiration] = noop
(0)     [logintime] = noop
(0) pap: Normalizing SHA-Password from hex encoding, 40 bytes -> 20 bytes
(0)     [pap] = updated
(0)   } # authorize = updated
(0) Found Auth-Type = PAP
(0) # Executing group from file /etc/raddb/sites-enabled/default
(0)   Auth-Type PAP {
(0) pap: Login attempt with password
(0) pap: Comparing with "known-good" SHA-Password
(0) pap: User authenticated successfully
(0)     [pap] = ok
(0)   } # Auth-Type PAP = ok
(0) # Executing section post-auth from file /etc/raddb/sites-enabled/default
(0)   post-auth {
(0)     update reply {
(0)       Juniper-Local-User-Name = "admin"
(0)       Arista-AVPair = "shell:priv-lvl=15"
(0)       Arista-AVPair = "shell:roles=network-admin"
(0)       PaloAlto-Admin-Role = "superuser"
(0)       PaloAlto-Panorama-Admin-Role = "superuser"
(0)       PaloAlto-User-Group = "all"
(0)     } # update reply = noop
(0)     [exec] = noop
(0)     policy remove_reply_message_if_eap {
(0)       if (&reply:EAP-Message && &reply:Reply-Message) {
(0)       if (&reply:EAP-Message && &reply:Reply-Message)  -> FALSE
(0)       else {
(0)         [noop] = noop
(0)       } # else = noop
(0)     } # policy remove_reply_message_if_eap = noop
(0)   } # post-auth = noop
(0) Sent Access-Accept Id 116 from 10.192.2.141:1812 to 10.0.254.3:43509 length 0
(0)   Juniper-Local-User-Name = "admin"
(0)   Arista-AVPair = "shell:priv-lvl=15"
(0)   Arista-AVPair = "shell:roles=network-admin"
(0)   PaloAlto-Admin-Role = "superuser"
(0)   PaloAlto-Panorama-Admin-Role = "superuser"
(0)   PaloAlto-User-Group = "all"
(0) Finished request
Waking up in 4.9 seconds.
Waking up in 6.9 seconds.
(0) Cleaning up request packet ID 116 with timestamp +9
Thanks,
Paul


-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
  
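The debug trace above shows the whole server-side story: the PAP password was decoded and matched the SHA-Password from the users file, and an Access-Accept with Arista-AVPair reply attributes was sent. The following is an added example, not code from the thread or from FreeRADIUS, that models that exchange end to end in plain Python so the NAS-side half, which the trace cannot show, is visible too: the RFC 2865 User-Password obfuscation, the hex SHA-Password comparison, the Vendor-Specific encoding of Arista-AVPair, and the Response Authenticator check a switch performs before it honours a reply. The shared secret, the Arista vendor ID (taken to be 30065 with Arista-AVPair as vendor attribute 1, as in FreeRADIUS's dictionary.arista) and the sample values are constructed assumptions. The point it makes for debugging: because the server could only decode the PAP password with the correct shared secret, a trace that reaches "User authenticated successfully" already proves the secrets match, so a reply that is sent but never takes effect on the switch points at the path between the two (here, the control-plane ACL) rather than at radiusd.conf.

```python
import hashlib
import hmac
import os
import struct

# Constructed values for this example: the user name and password that appear in
# the debug trace, plus a hypothetical shared secret (the thread never shows one).
SECRET = b"testing123"
USERNAME = "hong"
PASSWORD = "test123!"

# Arista's vendor ID and the Arista-AVPair vendor attribute number, assumed from
# FreeRADIUS's dictionary.arista.
ARISTA_VENDOR_ID = 30065
ARISTA_AVPAIR = 1


def users_file_sha_password(password: str) -> str:
    """Hex SHA-Password as kept in the users file: 40 hex chars for 20 bytes."""
    return hashlib.sha1(password.encode()).hexdigest()


def encode_user_password(password: bytes, secret: bytes, req_auth: bytes) -> bytes:
    """RFC 2865 s5.2: pad to 16-byte blocks, XOR each with MD5(secret + previous block)."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", req_auth
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], key))
        out, prev = out + block, block
    return out


def decode_user_password(enc: bytes, secret: bytes, req_auth: bytes) -> bytes:
    """Inverse of encode_user_password; a wrong secret yields garbage, not an error."""
    out, prev = b"", req_auth
    for i in range(0, len(enc), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ k for c, k in zip(enc[i:i + 16], key))
        prev = enc[i:i + 16]
    return out.rstrip(b"\x00")


def attr(atype: int, value: bytes) -> bytes:
    """Type / Length / Value, length counting the two header bytes."""
    return struct.pack("!BB", atype, len(value) + 2) + value


def vsa(vendor_id: int, vendor_type: int, value: bytes) -> bytes:
    """Vendor-Specific (26): 4-byte Vendor-Id, then vendor type/length/value."""
    return attr(26, struct.pack("!I", vendor_id) + attr(vendor_type, value))


def parse_attrs(data: bytes):
    i, out = 0, []
    while i < len(data):
        atype, alen = data[i], data[i + 1]
        out.append((atype, data[i + 2:i + alen]))
        i += alen
    return out


def build_access_request(ident: int, username: str, password: str, secret: bytes) -> bytes:
    """NAS side: Code 1, random Request Authenticator, User-Name (1), User-Password (2)."""
    req_auth = os.urandom(16)
    attrs = attr(1, username.encode()) + attr(2, encode_user_password(password.encode(), secret, req_auth))
    return struct.pack("!BBH", 1, ident, 20 + len(attrs)) + req_auth + attrs


def server_handle(request: bytes, secret: bytes, users: dict) -> bytes:
    """Server side, as in the trace: decode PAP password, compare to SHA-Password, reply."""
    _, ident, length = struct.unpack("!BBH", request[:4])
    req_auth = request[4:20]
    attrs = dict(parse_attrs(request[20:length]))
    password = decode_user_password(attrs[2], secret, req_auth)
    known_good = users.get(attrs[1].decode())
    if known_good is not None and hashlib.sha1(password).hexdigest() == known_good:
        code = 2  # Access-Accept with the Arista-AVPair reply items from the trace
        reply = (vsa(ARISTA_VENDOR_ID, ARISTA_AVPAIR, b"shell:priv-lvl=15")
                 + vsa(ARISTA_VENDOR_ID, ARISTA_AVPAIR, b"shell:roles=network-admin"))
    else:
        code, reply = 3, b""  # Access-Reject
    header = struct.pack("!BBH", code, ident, 20 + len(reply))
    # Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)
    resp_auth = hashlib.md5(header + req_auth + reply + secret).digest()
    return header + resp_auth + reply


def nas_verify_response(request: bytes, response: bytes, secret: bytes) -> bool:
    """The NAS silently discards a reply whose Response Authenticator does not verify."""
    length = struct.unpack("!H", response[2:4])[0]
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:length] + secret).digest()
    return hmac.compare_digest(expected, response[4:20])


def arista_avpairs(response: bytes):
    """Pull the Arista-AVPair strings back out of the reply's Vendor-Specific attributes."""
    length = struct.unpack("!H", response[2:4])[0]
    pairs = []
    for atype, value in parse_attrs(response[20:length]):
        if atype == 26 and struct.unpack("!I", value[:4])[0] == ARISTA_VENDOR_ID and value[4] == ARISTA_AVPAIR:
            pairs.append(value[6:4 + value[5]].decode())
    return pairs


def run_exchange(password=PASSWORD, nas_secret=SECRET, server_secret=SECRET):
    """Return (reply code, whether the NAS accepted the reply, Arista-AVPair values)."""
    users = {USERNAME: users_file_sha_password(PASSWORD)}
    request = build_access_request(116, USERNAME, password, nas_secret)
    response = server_handle(request, server_secret, users)
    return response[0], nas_verify_response(request, response, nas_secret), arista_avpairs(response)


if __name__ == "__main__":
    print(run_exchange())                        # (2, True, ['shell:priv-lvl=15', 'shell:roles=network-admin'])
    print(run_exchange(password="wrong"))        # (3, True, [])
    print(run_exchange(nas_secret=b"mismatch"))  # (3, False, [])
```

The third case is the one worth remembering: with mismatched secrets the server never reaches "User authenticated successfully" at all, so the successful trace above rules that out. When the server log and a capture on the server both show the Accept leaving, the next capture belongs on the switch side (the thread's tcpdump at both switches), where a missing packet points at a filter in between, such as the control-plane ACL the original poster eventually found.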


More information about the Freeradius-Users mailing list