Put your users into groups and add extra entries: DEFAULT Group == numpties cisco-avpair := "shell:priv-lvl=1" DEFAULT Group == supernumpties cisco-avpair := "shell:priv-lvl=10" Notes: These lines use := to over-rule the cisco-avpair previously set. They do not fall through. I personally would make the default a low privilege, with high privilege coming from group membership. You'll need to read up on the available mechanisms for grouping users. Regards, Frank Ranner
-----Original Message----- From: freeradius-users-bounces+frank.ranner=defence.gov.au@lists.fre eradius.org [mailto:freeradius-users-bounces+frank.ranner=defence.gov.au@l ists.freeradius.org] On Behalf Of Norman Zhang Sent: Thursday, 26 April 2007 10:50 To: freeradius-users@lists.freeradius.org Subject: Re: User /etc/shadow for Authentication
tnt@kalik.co.yu wrote:
Login OK: [tester] (from client test-network port 1 cli 10.0.0.1) Sending Access-Accept of id 27 to 10.0.0.2:1645
You have "got in". But you haven't returned any radius attributes. You need to return something like Service-Type = Administrative-User or NAS-Prompt-User so NAS knows what to do with the user.
Thanks for the hint. I added the last two lines to users, now I can login.
DEFAULT Auth-Type = System Fall-Through = 1, cisco-avpair = "shell:priv-lvl=15", Service-Type = Administrative-User
Still trying to learn FreeRADIUS, should Fall-Through = True and not 1? How can I specify some users to have priv-lvl lower than 15, if default is 15?
Norman
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html