Hi,

Am not able to see my authorization happening because I don't see the value-attr or reply message. Please help. Logs attached.

rad_recv: Access-Request packet from host 192.168.0.2 port 39662, id=92, length=62

        User-Name = "radiustest"

        User-Password = "password@123"

        NAS-IP-Address = 192.168.0.2

        NAS-Port = 1812

# Executing section authorize from file /etc/raddb/sites-enabled/default

+- entering group authorize {...}

++[preprocess] returns ok

[auth_log]      expand: /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d -> /var/log/radius/radacct/192.168.0.2/auth-detail-20130128

[auth_log] /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /var/log/radius/radacct/192.168.0.2/auth-detail-20130128

[auth_log]      expand: %t -> Mon Jan 28 10:12:16 2013

++[auth_log] returns ok

[ldap] performing user authorization for radiustest

[ldap] WARNING: Deprecated conditional expansion ":-".  See "man unlang" for details

[ldap]  ... expanding second conditional

[ldap]  expand: %{User-Name} -> radiustest

[ldap]  expand: (&(sAMAccountName=%{Stripped-User-Name:-%{User-Name}})) -> (&(sAMAccountName=radiustest))

[ldap]  expand: cn=users,dc=example,dc=com -> cn=users,dc=example,dc=com

  [ldap] ldap_get_conn: Checking Id: 0

  [ldap] ldap_get_conn: Got Id: 0

  [ldap] performing search in cn=users,dc=example,dc=com, with filter (&(sAMAccountName=radiustest))

[ldap] looking for check items in directory...

[ldap] looking for reply items in directory...

WARNING: No "known good" password was found in LDAP.  Are you sure that the user is configured correctly?

[ldap] Setting Auth-Type = ldap

[ldap] user radiustest authorized to use remote access

  [ldap] ldap_release_conn: Release Id: 0

++[ldap] returns ok

++[digest] returns noop

[suffix] No '@' in User-Name = "radiustest", looking up realm NULL

[suffix] No such realm "NULL"

++[suffix] returns noop

[ldap] performing user authorization for radiustest

[ldap] WARNING: Deprecated conditional expansion ":-".  See "man unlang" for details

[ldap]  ... expanding second conditional

[ldap]  expand: %{User-Name} -> radiustest

[ldap]  expand: (&(sAMAccountName=%{Stripped-User-Name:-%{User-Name}})) -> (&(sAMAccountName=radiustest))

[ldap]  expand: cn=users,dc=example,dc=com -> cn=users,dc=example,dc=com

  [ldap] ldap_get_conn: Checking Id: 0

  [ldap] ldap_get_conn: Got Id: 0

  [ldap] performing search in cn=users,dc=example,dc=com, with filter (&(sAMAccountName=radiustest))

[ldap] looking for check items in directory...

[ldap] looking for reply items in directory...

WARNING: No "known good" password was found in LDAP.  Are you sure that the user is configured correctly?

[ldap] user radiustest authorized to use remote access

  [ldap] ldap_release_conn: Release Id: 0

++[ldap] returns ok

++[expiration] returns noop

++[logintime] returns noop

[pap] WARNING! No "known good" password found for the user.  Authentication may fail because of this.

++[pap] returns noop

Found Auth-Type = ldap

# Executing group from file /etc/raddb/sites-enabled/default

+- entering group LDAP {...}

[ldap] login attempt by "radiustest" with password "password@123"

[ldap] user DN: CN=radiustest,CN=Users,DC=example,DC=com

  [ldap] (re)connect to 192.168.0.3:389, authentication 1

  [ldap] bind as CN=radiustest,CN=Users,DC=example,DC=com/password@123 to 192.168.0.3:389

  [ldap] waiting for bind result ...

  [ldap] Bind was successful

[ldap] user radiustest authenticated succesfully

++[ldap] returns ok

# Executing section post-auth from file /etc/raddb/sites-enabled/default

+- entering group post-auth {...}

++[exec] returns noop

Sending Access-Accept of id 92 to 192.168.0.2 port 39662

Finished request 2.

Going to the next request

Waking up in 4.9 seconds.

Cleaning up request 2 ID 92 with timestamp +88

Ready to process requests.


Regards,
/Neo
Sent from my iPhone

On 25-Jan-2013, at 3:32 AM, A.L.M.Buxey@lboro.ac.uk wrote:

Hi,

  Do you mean the below in the "users" file?

  cisco Auth-Type := LDAP

  Service-Type = Administrative-User,
  cisco-avpair = "shell:priv-lvl=15"

no.

cisco Auth-Type := LDAP
   Service-Type = Administrative-User,
   cisco-avpair = "shell:priv-lvl=15"


(see all the examples in the users file)

alan