Hi, I'm hoping you can help! I have a server running FreeRADIUS and I'm trying to authorize exec sessions. If I remove the authorize line in the cisco config the authentication works fine, but once it starts to authorise it fails. There are 4 sections here: relevant parts of the cisco switch The users file, the freeRADIUS log and the cisco switch log. The bit that seems to fail is where the cisco switch recieves the radius reply, it just doesn't act on the reply.... aaa new-model aaa authentication login default group radius local aaa authorization exec default group radius radius-server host 192.168.100.201 auth-port 1812 acct-port 1813 key 7 xxxxxxx radius-server source-ports 1645-1646 Users-file DEFAULT Service-Type = shell Cisco-AVPair = "shell:priv-lvl=15" ----------------------- rad_recv: Access-Request packet from host 192.168.100.254:1645, id=26, length=82 NAS-IP-Address = 192.168.100.254 NAS-Port = 2 NAS-Port-Type = Virtual User-Name = "dave" Calling-Station-Id = "192.168.100.109" User-Password = "password" Processing the authorize section of radiusd.conf modcall: entering group authorize for request 0 modcall[authorize]: module "preprocess" returns ok for request 0 modcall[authorize]: module "chap" returns noop for request 0 modcall[authorize]: module "mschap" returns noop for request 0 rlm_realm: No '@' in User-Name = "dave", looking up realm NULL rlm_realm: No such realm "NULL" modcall[authorize]: module "suffix" returns noop for request 0 rlm_eap: No EAP-Message, not doing EAP modcall[authorize]: module "eap" returns noop for request 0 users: Matched DEFAULT at 153 users: Matched DEFAULT at 228 modcall[authorize]: module "files" returns ok for request 0 modcall: group authorize returns ok for request 0 rad_check_password: Found Auth-Type System auth: type "System" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 0 modcall[authenticate]: module "unix" returns ok for request 0 modcall: group authenticate returns ok for request 0 Login OK: [djbrad2/password] (from client rafmh port 2 cli 192.168.100.109) Sending Access-Accept of id 26 to 192.168.100.254:1645 Cisco-AVPair = "shell:priv-lvl=15" Finished request 0 -------- *Mar 1 02:05:01.335: RADIUS(00000000): Send Access-Request to 192.168.100.201:1812 id 1645/26, len 82 *Mar 1 02:05:01.335: RADIUS: authenticator 90 85 F6 37 C3 2C A4 BE - 97 44 D1 81 A4 DD 0F 2D *Mar 1 02:05:01.335: RADIUS: NAS-IP-Address [4] 6 192.168.100.254 *Mar 1 02:05:01.335: RADIUS: NAS-Port [5] 6 2 *Mar 1 02:05:01.335: RADIUS: NAS-Port-Type [61] 6 Virtual [5] *Mar 1 02:05:01.335: RADIUS: User-Name [1] 9 "dave" *Mar 1 02:05:01.335: RADIUS: Calling-Station-Id [31] 17 "192.168.100.109" *Mar 1 02:05:01.335: RADIUS: User-Password [2] 18 * *Mar 1 02:05:01.339: RADIUS: Received from id 1645/26 192.168.100.201:1812, Access-Accept, len 45 *Mar 1 02:05:01.339: RADIUS: authenticator A7 47 9F 4C 58 BC CA A5 - E5 6B E4 9E 64 9F FB C9 *Mar 1 02:05:01.339: RADIUS: Vendor, Cisco [26] 25 *Mar 1 02:05:01.339: RADIUS: Cisco AVpair [1] 19 "shell:priv-lvl=15" *Mar 1 02:05:01.343: RADIUS: saved authorization data for user 1DF88C8 at 2238960 *Mar 1 02:05:01.343: tty2 AAA/AUTHOR/EXEC (606283324): Port='tty2' list='' service=EXEC *Mar 1 02:05:01.343: AAA/AUTHOR/EXEC: tty2 (606283324) user='djbrad2' *Mar 1 02:05:01.343: tty2 AAA/AUTHOR/EXEC (606283324): send AV service=shell *Mar 1 02:05:01.343: tty2 AAA/AUTHOR/EXEC (606283324): send AV cmd* *Mar 1 02:05:01.343: tty2 AAA/AUTHOR/EXEC (606283324): found list "default" *Mar 1 02:05:01.343: tty2 AAA/AUTHOR/EXEC (606283324): Method=radius (radius) *Mar 1 02:05:01.343: RADIUS: cisco AVPair "shell:priv-lvl=15" *Mar 1 02:05:01.343: RADIUS: no appropriate authorization type for user. *Mar 1 02:05:01.343: AAA/AUTHOR (606283324): Post authorization status = FAIL *Mar 1 02:05:01.343: AAA/AUTHOR/EXEC: Authorization FAILED