At 10:45 AM 11/25/2009, Alan DeKok wrote:
What part of the instructions is not working for you?
well for me at least, I have authentication working. radtest account password localhost 0 m3H1hc4Z1OtpNC2ZLX3A works fine. rad_recv: Access-Accept packet from host 127.0.0.1 port 1812, id=164, length=20 However, when I try the same thing from the Cisco client, I get Authorization failed back from the cisco. Better, because I originally got back Authentication Failed, so I figure I'm one step farther. If I disable Authorization on the Cisco, or change it back over to my old tacacs+ server, I can log in successfully, so my problem is somewhere in the authorization process, which isn't really (to me) in that document. Yet the results from the log show freeradius sending back Sending Access-Accept of id 121 to 10.100.0.8 port 1812 rad_recv: Access-Request packet from host 10.100.0.8 port 1812, id=121, length=79 NAS-IP-Address = 10.100.0.8 NAS-Port = 1 NAS-Port-Type = Virtual User-Name = "username" Calling-Station-Id = "10.20.31.17" User-Password = "password" server server_cisco { +- entering group authorize {...} ++[preprocess] returns ok ++[mschap] returns noop [suffix] No '@' in User-Name = "username", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [files] users: Matched entry DEFAULT at line 1 ++[files] returns ok ++[expiration] returns noop ++[logintime] returns noop [pap] WARNING! No "known good" password found for the user. Authentication may fail because of this. ++[pap] returns noop Found Auth-Type = ntlm_auth +- entering group authenticate {...} [ntlm_auth] expand: --username=%{mschap:User-Name} -> --username=username [ntlm_auth] expand: --password=%{User-Password} -> --password=password Exec-Program output: NT_STATUS_OK: Success (0x0) Exec-Program-Wait: plaintext: NT_STATUS_OK: Success (0x0) Exec-Program: returned: 0 ++[ntlm_auth] returns ok Login OK: [rsteeves] (from client Cisco port 1 cli 10.20.31.17) +- entering group post-auth {...} ++[exec] returns noop } # server server_cisco Sending Access-Accept of id 121 to 10.100.0.8 port 1812 Rick
At 10:45 AM 11/25/2009, Alan DeKok wrote:
What part of the instructions is not working for you?
well for me at least, I have authentication working. radtest account password localhost 0 m3H1hc4Z1OtpNC2ZLX3A works fine. rad_recv: Access-Accept packet from host 127.0.0.1 port 1812, id=164, length=20
However, when I try the same thing from the Cisco client, I get Authorization failed back from the cisco. Better, because I originally got back Authentication Failed, so I figure I'm one step farther.
If I disable Authorization on the Cisco, or change it back over to my old tacacs+ server, I can log in successfully, so my problem is somewhere in the authorization process, which isn't really (to me) in that document.
It isn't. Because you couldn't possible include all the authoriztion scenarios for all possible NAS devices. Authorization is NAS and service specific and you should read NAS documentation in order to find out how should that work.
Yet the results from the log show freeradius sending back Sending Access-Accept of id 121 to 10.100.0.8 port 1812
Sending Access-Accept of id 121 to 10.100.0.8 port 1812
Which is empty. You most likely need to include at least Service-Type. That looked like telnet request so most likely NAS-Prompt-User. You have a cisco document on the wiki with some examples: http://wiki.freeradius.org/Cisco#Shell_Access Ivan Kalik
participants (2)
-
freeradius@corwyn.net -
tnt@kalik.net