The two things I have changed to get it working are:
in users:
DEFAULT Auth-Type := LDAP
Service-Type = NAS-Prompt-User,
cisco-avpair = "shell:priv-lvl=15",
Fall-Through = 1
and added on the switch:
aaa authorization exec default group radius local
aaa authorization network default group radius local
Next - ldapgroupfilter.
I have a group of users called "radiususers" - and the following in
radiusd.conf:
groupname_attribute = cn
groupmembership_filter =
(&(objectClass=posixGroup)(memberUid=%{Stripped-User-Name:-%{User-Name}}))
and in users:
DEFAULT LDAP-Group == radiususers
Service-Type = Administrative-User
But any ldap user can sill login regardless of group membership.
Where am I screwing up?
Thanks,
-Jeff
Ivan Kalik wrote:
19:23:13: RADIUS: no appropriate authorization type for user.
I am all but certain this is a self-inflicted wound.
It is. Have a look at your aaa configuration. Do you see an authorization
line anywhere?
Ivan Kalik
Kalik Informatika ISP
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
--
Jefferson K Davis
Technology & Information Systems Manager
Standard School District
1200 North Chester Ave
Bakersfield, CA 93308
USA
661.392.2110 ext 120
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html