Freeradius and Cisco (cisco-avpair = "shell:priv-lvl=15" doesn't work)
hello Mailing-List, i'm trying to do the authentication of cisco cat switches with the freeradius. The Authentication works fine, also the authentication of the enable lvl mode (e.g. $enab15$) and the accounting too (the configuration is from the freeradius-wiki cisco artical). But i'm still having a problem with cisco-avpair attribute. I don't know why shell:priv-lvl=15 doesn't work. I want, that the user will be directly logged in to the priv-lvl without doing the enable authentication. i'm using the Version 1.1.7 of Radius (Debian Package) and here ist my configuration (i have switched from sql database to files for debugging ): admin Cleartext-Password := "pass" Service-Type = NAS-Prompt-User, cisco-avpair = "shell:priv-lvl=15" and hier is the debugging output of freeradius (freeradius -X): rad_recv: Access-Request packet from host 192.168.178.2:1812, id=23, length=90 NAS-IP-Address = 192.168.178.2 NAS-Port = 2 Cisco-NAS-Port = "tty2" NAS-Port-Type = Virtual User-Name = "admin" Calling-Station-Id = "192.168.178.3" User-Password = "pass" Processing the authorize section of radiusd.conf modcall: entering group authorize for request 0 modcall[authorize]: module "preprocess" returns ok for request 0 modcall[authorize]: module "chap" returns noop for request 0 modcall[authorize]: module "mschap" returns noop for request 0 rlm_realm: No '@' in User-Name = "admin", looking up realm NULL rlm_realm: No such realm "NULL" modcall[authorize]: module "suffix" returns noop for request 0 rlm_eap: No EAP-Message, not doing EAP modcall[authorize]: module "eap" returns noop for request 0 users: Matched entry admin at line 64 modcall[authorize]: module "files" returns ok for request 0 radius_xlat: 'admin' rlm_sql (sql): sql_set_user escaped user --> 'admin' radius_xlat: 'SELECT id, UserName, Attribute, Value, op FROM radcheck WHERE Username = 'admin' ORDER BY id' rlm_sql (sql): Reserving sql socket id: 3 rlm_sql (sql): User admin not found in radcheck radius_xlat: 'SELECT radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Att ribute,radgroupcheck.Value,radgroupcheck.op FROM radgroupcheck,usergroup WHERE usergroup.Username = 'admin' AND usergroup.GroupName = radgroupcheck.GroupName O RDER BY radgroupcheck.id' radius_xlat: 'SELECT radgroupreply.id,radgroupreply.GroupName,radgroupreply.Att ribute,radgroupreply.Value,radgroupreply.op FROM radgroupreply,usergroup WHERE usergroup.Username = 'admin' AND usergroup.GroupName = radgroupreply.GroupName O RDER BY radgroupreply.id' rlm_sql (sql): User admin not found in radgroupcheck rlm_sql (sql): Released sql socket id: 3 rlm_sql (sql): User not found modcall[authorize]: module "sql" returns notfound for request 0 modcall[authorize]: module "pap" returns updated for request 0 rlm_sqlcounter: Entering module authorize code rlm_sqlcounter: Could not find Check item value pair modcall[authorize]: module "noresetcounter" returns noop for request 0 rlm_sqlcounter: Entering module authorize code rlm_sqlcounter: Could not find Check item value pair modcall[authorize]: module "dailycounter" returns noop for request 0 rlm_sqlcounter: Entering module authorize code rlm_sqlcounter: Could not find Check item value pair modcall[authorize]: module "monthlycounter" returns noop for request 0 modcall: leaving group authorize (returns updated) for request 0 rad_check_password: Found Auth-Type pap auth: type "PAP" Processing the authenticate section of radiusd.conf modcall: entering group PAP for request 0 rlm_pap: login attempt with password pass rlm_pap: Using clear text password "pass". rlm_pap: User authenticated successfully modcall[authenticate]: module "pap" returns ok for request 0 modcall: leaving group PAP (returns ok) for request 0 Sending Access-Accept of id 23 to 192.168.178.2 port 1812 Service-Type = NAS-Prompt-User Cisco-AVPair = "shell:priv-lvl=15" Finished request 0 Going to the next request --- Walking the entire request list --- Waking up in 6 seconds... --- Walking the entire request list --- Cleaning up request 0 ID 23 with timestamp 48771d94 Nothing to do. Sleeping until we see a request. And here is the the debuging ouput of the switch: 03:27:12: AAA: parse name=tty3 idb type=-1 tty=-1 03:27:12: AAA: name=tty3 flags=0x11 type=5 shelf=0 slot=0 adapter=0 port=3 channel=0 03:27:12: AAA/MEMORY: create_user (0x80BAD274) user='' ruser='' port='tty3' rem_addr='192.168.178.3' authen_type=ASCII service=LOGIN priv=1 03:27:12: AAA/AUTHEN/START (2153705482): port='tty3' list='' action=LOGIN service=LOGIN 03:27:12: AAA/AUTHEN/START (2153705482): using "default" list 03:27:12: AAA/AUTHEN/START (2153705482): Method=radius (radius) 03:27:12: AAA/AUTHEN (2153705482): status = GETUSER 03:27:16: AAA/AUTHEN/CONT (2153705482): continue_login (user='(undef)') 03:27:16: AAA/AUTHEN (2153705482): status = GETUSER 03:27:16: AAA/AUTHEN (2153705482): Method=radius (radius) 03:27:16: AAA/AUTHEN (2153705482): status = GETPASS 03:27:17: AAA/AUTHEN/CONT (2153705482): continue_login (user='admin') 03:27:17: AAA/AUTHEN (2153705482): status = GETPASS 03:27:17: AAA/AUTHEN (2153705482): Method=radius (radius) 03:27:17: AAA/AUTHEN (2153705482): status = PASS i hope, you kann help me thnx Simo
Simo wrote:
i'm trying to do the authentication of cisco cat switches with the freeradius. The Authentication works fine, also the authentication of the enable lvl mode (e.g. $enab15$) and the accounting too (the configuration is from the freeradius-wiki cisco artical). But i'm still having a problem with cisco-avpair attribute. I don't know why shell:priv-lvl=15 doesn't work. I want, that the user will be directly logged in to the priv-lvl without doing the enable authentication.
Read the switch documentation to see what RADIUS attributes it expects to see in the response, in order to enable admin login access.
i'm using the Version 1.1.7 of Radius (Debian Package) and here ist my configuration (i have switched from sql database to files for debugging ):
admin Cleartext-Password := "pass" Service-Type = NAS-Prompt-User, cisco-avpair = "shell:priv-lvl=15"
That doesn't look right. You probably want "Service-Type = Login-User". Again, this is documented in the switch manual. Alan DeKok.
Something is not right here. Request is for:
Cisco-NAS-Port = "tty2"
and there is no Service-Type attribute in the request. And then Cisco aaa debug is for a different port which should have a Service-Type in the request:
03:27:12: AAA/AUTHEN/START (2153705482): port='tty3' list='' action=LOGIN service=LOGIN
Ivan Kalik Kalik Informatika ISP
On Fr, 2008-07-11 at 10:38 +0100, Ivan Kalik wrote:
Cisco-NAS-Port = "tty2"
Thnx for your reply. I have setting the NAS-Port to tty2 but i'm still having the same Problem. And here is the reply of switch (priv=1 was requested): 04:25:06: AAA: parse name=tty2 idb type=-1 tty=-1 04:25:06: AAA: name=tty2 flags=0x11 type=5 shelf=0 slot=0 adapter=0 port=2 channel=0 04:25:06: AAA/MEMORY: create_user (0x80D37CDC) user='' ruser='' port='tty2' rem_addr='192.168.178.3' authen_type=ASCII service=LOGIN priv=1 04:25:06: AAA/AUTHEN/START (4223102353): port='tty2' list='' action=LOGIN service=LOGIN 04:25:06: AAA/AUTHEN/START (4223102353): using "default" list 04:25:06: AAA/AUTHEN/START (4223102353): Method=radius (radius) 04:25:06: AAA/AUTHEN (4223102353): status = GETUSER 04:25:11: AAA/AUTHEN/CONT (4223102353): continue_login (user='(undef)') 04:25:11: AAA/AUTHEN (4223102353): status = GETUSER 04:25:11: AAA/AUTHEN (4223102353): Method=radius (radius) 04:25:11: AAA/AUTHEN (4223102353): status = GETPASS 04:25:12: AAA/AUTHEN/CONT (4223102353): continue_login (user='admin') 04:25:12: AAA/AUTHEN (4223102353): status = GETPASS 04:25:12: AAA/AUTHEN (4223102353): Method=radius (radius) 04:25:12: AAA/AUTHEN (4223102353): status = PASS thnx for help Simo
You need to have a look at switch radius documentation to see which Service -Type are you suposed to return. Administrative-User? Ivan Kalik Kalik Informatika ISP Dana 11/7/2008, "Simo" <admin@mix4web.de> piše:
On Fr, 2008-07-11 at 10:38 +0100, Ivan Kalik wrote:
Cisco-NAS-Port = "tty2"
Thnx for your reply. I have setting the NAS-Port to tty2 but i'm still having the same Problem. And here is the reply of switch (priv=1 was requested):
ďťż04:25:06: AAA: parse name=tty2 idb type=-1 tty=-1 04:25:06: AAA: name=tty2 flags=0x11 type=5 shelf=0 slot=0 adapter=0 port=2 channel=0 04:25:06: AAA/MEMORY: create_user (0x80D37CDC) user='' ruser='' port='tty2' rem_addr='192.168.178.3' authen_type=ASCII service=LOGIN priv=1 04:25:06: AAA/AUTHEN/START (4223102353): port='tty2' list='' action=LOGIN service=LOGIN 04:25:06: AAA/AUTHEN/START (4223102353): using "default" list 04:25:06: AAA/AUTHEN/START (4223102353): Method=radius (radius) 04:25:06: AAA/AUTHEN (4223102353): status = GETUSER 04:25:11: AAA/AUTHEN/CONT (4223102353): continue_login (user='(undef)') 04:25:11: AAA/AUTHEN (4223102353): status = GETUSER 04:25:11: AAA/AUTHEN (4223102353): Method=radius (radius) 04:25:11: AAA/AUTHEN (4223102353): status = GETPASS 04:25:12: AAA/AUTHEN/CONT (4223102353): continue_login (user='admin') 04:25:12: AAA/AUTHEN (4223102353): status = GETPASS 04:25:12: AAA/AUTHEN (4223102353): Method=radius (radius) 04:25:12: AAA/AUTHEN (4223102353): status = PASS
thnx for help Simo
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Ivan Kalik wrote:
You need to have a look at switch radius documentation to see which Service -Type are you suposed to return. Administrative-User?
This is IOS, correct? You need to add 'aaa authorization exec default group radius none' to your config or else the switch will ignore your higher access level attributes. In my experience, you can set either the Service-Type or the cisco av-pair. There is no need to set both. -David Mitchell
Ivan Kalik Kalik Informatika ISP
Dana 11/7/2008, "Simo" <admin@mix4web.de> piše:
On Fr, 2008-07-11 at 10:38 +0100, Ivan Kalik wrote:
Cisco-NAS-Port = "tty2" Thnx for your reply. I have setting the NAS-Port to tty2 but i'm still having the same Problem. And here is the reply of switch (priv=1 was requested):
ďťż04:25:06: AAA: parse name=tty2 idb type=-1 tty=-1 04:25:06: AAA: name=tty2 flags=0x11 type=5 shelf=0 slot=0 adapter=0 port=2 channel=0 04:25:06: AAA/MEMORY: create_user (0x80D37CDC) user='' ruser='' port='tty2' rem_addr='192.168.178.3' authen_type=ASCII service=LOGIN priv=1 04:25:06: AAA/AUTHEN/START (4223102353): port='tty2' list='' action=LOGIN service=LOGIN 04:25:06: AAA/AUTHEN/START (4223102353): using "default" list 04:25:06: AAA/AUTHEN/START (4223102353): Method=radius (radius) 04:25:06: AAA/AUTHEN (4223102353): status = GETUSER 04:25:11: AAA/AUTHEN/CONT (4223102353): continue_login (user='(undef)') 04:25:11: AAA/AUTHEN (4223102353): status = GETUSER 04:25:11: AAA/AUTHEN (4223102353): Method=radius (radius) 04:25:11: AAA/AUTHEN (4223102353): status = GETPASS 04:25:12: AAA/AUTHEN/CONT (4223102353): continue_login (user='admin') 04:25:12: AAA/AUTHEN (4223102353): status = GETPASS 04:25:12: AAA/AUTHEN (4223102353): Method=radius (radius) 04:25:12: AAA/AUTHEN (4223102353): status = PASS
thnx for help Simo
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
-- ----------------------------------------------------------------- | David Mitchell (mitchell@ucar.edu) Network Engineer IV | | Tel: (303) 497-1845 National Center for | | FAX: (303) 497-1818 Atmospheric Research | -----------------------------------------------------------------
participants (4)
-
Alan DeKok -
David Mitchell -
Ivan Kalik -
Simo