How to authenticate 3com switch and cisco switch at the same time.
hello, I am a newbie of freeradius. these days, we are planning to implement radius server for aaa. Our NAS devices are 3com SuperStack 4400/4900 and cisco 2950/3725/1721. we encounter a problem. I have been installed freeradius on debian successfully. We have four guys to administrative our network device they are aaa,bbb,ccc,ddd. first of all, aaa and bbb are admin, ccc and ddd are helpdesk. admin should be granted the read/write privilege of the net device helpdesk should only be granted the read privilege. I divided them into four group within linux system. 3com_admin, 3com_monitor, cisco_admin, cisco_monitor aaa and bbb belongs to 3com_admin and cisco_admin ccc and ddd belongs to 3com_monitor and cisco_monitor the /etc/freeradius/users config: DEFAULT Group == "3com_admin", Auth-Type := System Login-Service = Telnet, 3Com-User-Access-Level = 3, DEFAULT Group == "3com_monitor", Auth-Type := System Login-Service = Telnet, 3Com-User-Access-Level = 1, this config work fine for me. and now, I added another two groups, so the /etc/freeradius/users look like this: DEFAULT Group == "cisco_admin", Auth-Type := System Login-Service = Telnet, Service-Type = Administrative-User, Cisco-AVPair = "shell:priv-lvl=15" DEFAULT Group == "cisco_monitor", Auth-Type :=System Login-Service = Telnet, Service-Type = Administrative-User, Cisco-AVPair = "shell:priv-lvl=5" DEFAULT Group == "3com_admin", Auth-Type := System Login-Service = Telnet, 3Com-User-Access-Level = 3 DEFAULT Group == "3com_monitor", Auth-Type := System Login-Service = Telnet, 3Com-User-Access-Level = 1 The problem occured. When I login cisco switch with "aaa", it works, but when I use "aaa" to login 3com's switch, it failed. because of the reply message were come from the first DEFAULT segment attributes. that is: Sending Access-Accept of id 22 to 192.168.100.20:2049 Login-Service = Telnet Service-Type = NAS-Prompt-User Cisco-AVPair = "shell:priv-lvl=15" so, 3com switch can not parse the cisco-avpair, then failed. the following is freeradius -X ..... radutmp: perm = 384 radutmp: callerid = yes Module: Instantiated radutmp (radutmp) Listening on authentication *:1812 Listening on accounting *:1813 Listening on proxy *:1814 Ready to process requests. rad_recv: Access-Request packet from host 192.168.100.20:2049, id=22, length=87 User-Name = "aaa" User-Password = "aaa" NAS-Port-Type = Virtual NAS-IP-Address = 192.168.100.20 Service-Type = Administrative-User Framed-MTU = 1024 Message-Authenticator = 0xe52d4010d86eb2cb0f00fefaa251006c rad_rmspace_pair: User-Password now 'aaa' Processing the authorize section of radiusd.conf modcall: entering group authorize for request 0 modcall[authorize]: module "preprocess" returns ok for request 0 modcall[authorize]: module "chap" returns noop for request 0 modcall[authorize]: module "mschap" returns noop for request 0 rlm_realm: No '@' in User-Name = "aaa", looking up realm NULL rlm_realm: No such realm "NULL" modcall[authorize]: module "suffix" returns noop for request 0 rlm_eap: No EAP-Message, not doing EAP modcall[authorize]: module "eap" returns noop for request 0 users: Matched entry DEFAULT at line 75 modcall[authorize]: module "files" returns ok for request 0 modcall: group authorize returns ok for request 0 rad_check_password: Found Auth-Type System auth: type "System" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 0 modcall[authenticate]: module "unix" returns ok for request 0 modcall: group authenticate returns ok for request 0 Sending Access-Accept of id 22 to 192.168.100.20:2049 Login-Service = Telnet Service-Type = NAS-Prompt-User Cisco-AVPair = "shell:priv-lvl=15" Finished request 0 Going to the next request --- Walking the entire request list --- Waking up in 7 seconds... ..... any suggestion will be welcome. thanks in advance.
participants (1)
-
陈锐