Privileged Login on CISCO using freeradius and MySQL [Virus checked]
Hi, I hope someone can help me with that - I dont seem to be able to, after hours of Googling and trying ... :-( I want to allow an admin to login to a Cisco-box, authenticated via radius and get immediately to privileged level ( so he doesnt have to do a "enable" when he logged in to the box) I have put the following into the 'radgroupreply' table of the MySQL-Database mysql> select * from radgroupreply; +----+-----------+--------------+----+-------------------+ | id | GroupName | Attribute | op | Value | +----+-----------+--------------+----+-------------------+ | 1 | lanmgmt | cisco-avpair | = | shell:priv-lvl=15 | +----+-----------+--------------+----+-------------------+ (For the operator I have already tried ':=') My 'radreply'-table is currently empty The other tables look like this: mysql> select * from radcheck; +----+----------+-----------+----+-------+ | id | UserName | Attribute | op | Value | +----+----------+-----------+----+-------+ | 1 | pudilt | Password | == | 1234 | +----+----------+-----------+----+-------+ 1 row in set (0.00 sec) mysql> select * from radgroupcheck; +----+-----------+-----------+----+-------+ | id | GroupName | Attribute | op | Value | +----+-----------+-----------+----+-------+ | 1 | lanmgmt | Auth-Type | == | Local | +----+-----------+-----------+----+-------+ 1 row in set (0.00 sec) mysql> select * from usergroup; +----------+-----------+----------+ | UserName | GroupName | priority | +----------+-----------+----------+ | pudilt | lanmgmt | 1 | +----------+-----------+----------+ 1 row in set (0.00 sec) Is the 'cisco-avpair' parameter misplaced, or should I look for the error on the CISCO-config (using IOS 12.1)? thanks alot thomas
On Wednesday 10 May 2006 13:16, thomas.pudil@t-mobile.at wrote:
Is the 'cisco-avpair' parameter misplaced, or should I look for the error on the CISCO-config (using IOS 12.1)?
thanks alot thomas
The priv lvl I use in my users file is: Cisco-AVPair := "shell:priv-lvl=1" Debug output would help determine what isn't working. Kevin Bonner
Hi again,
The priv lvl I use in my users file is:
Cisco-AVPair := "shell:priv-lvl=1"
Debug output would help determine what isn't working.
Kevin Bonner
here is a debug from my radius-server: rad_recv: Access-Request packet from host 10.0.2.241:1645, id=9, length=76 NAS-IP-Address = 213.162.69.58 NAS-Port = 2 NAS-Port-Type = Virtual User-Name = "pudilt" Calling-Station-Id = "10.0.2.242" User-Password = "1234" Processing the authorize section of radiusd.conf modcall: entering group authorize for request 2 Invalid operator for item Suffix: reverting to '==' Invalid operator for item Suffix: reverting to '==' Invalid operator for item Suffix: reverting to '==' modcall[authorize]: module "preprocess" returns ok for request 2 modcall[authorize]: module "chap" returns noop for request 2 rlm_eap: No EAP-Message, not doing EAP modcall[authorize]: module "eap" returns noop for request 2 rlm_realm: No '@' in User-Name = "pudilt", looking up realm NULL rlm_realm: No such realm "NULL" modcall[authorize]: module "suffix" returns noop for request 2 radius_xlat: 'pudilt' rlm_sql (sql): sql_set_user escaped user --> 'pudilt' radius_xlat: 'SELECT id,UserName,Attribute,Value,op FROM radcheck WHERE Username = 'pudilt' ORDER BY id' rlm_sql (sql): Reserving sql socket id: 1 radius_xlat: 'SELECT radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupcheck.Value,radgroupcheck.op FROM radgroupcheck,usergroup WHERE usergroup.Username = 'pudilt' AND usergroup.GroupName = radgroupcheck.GroupName ORDER BY radgroupcheck.id' radius_xlat: 'SELECT id,UserName,Attribute,Value,op FROM radreply WHERE Username = 'pudilt' ORDER BY id' radius_xlat: 'SELECT radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgroupreply.Value,radgroupreply.op FROM radgroupreply,usergroup WHERE usergroup.Username = 'pudilt' AND usergroup.GroupName = radgroupreply.GroupName ORDER BY radgroupreply.id' rlm_sql (sql): Released sql socket id: 1 modcall[authorize]: module "sql" returns ok for request 2 modcall[authorize]: module "mschap" returns noop for request 2 modcall: leaving group authorize (returns ok) for request 2 rad_check_password: Found Auth-Type Local auth: type Local auth: user supplied User-Password matches local User-Password Login OK: [pudilt] (from client xdsl-ag-RouA port 2 cli 10.0.2.242) Sending Access-Accept of id 9 to 10.0.2.241 port 1645 Service-Type = NAS-Prompt-User Cisco-AVPair = "shell:priv-lvl=15" Login-Service = Telnet Finished request 2 Going to the next request --- Walking the entire request list --- Waking up in 6 seconds... --- Walking the entire request list --- Cleaning up request 2 ID 9 with timestamp 44630dd5 Nothing to do. Sleeping until we see a request. And this is what I see on the Cisco: 02:52:14: AAA: parse name=tty2 idb type=-1 tty=-1 02:52:14: AAA: name=tty2 flags=0x11 type=5 shelf=0 slot=0 adapter=0 port=2 channel=0 02:52:14: AAA/MEMORY: create_user (0x62135CF4) user='' ruser='' port='tty2' rem_addr='10.0.2.242' authen_type=ASCII service=LOGIN priv=1 02:52:14: AAA/AUTHEN/START (728290868): port='tty2' list='adminauthenticate' action=LOGIN service=LOGIN 02:52:14: AAA/AUTHEN/START (728290868): found list adminauthenticate 02:52:14: AAA/AUTHEN/START (728290868): Method=radius (radius) 02:52:14: AAA/AUTHEN (728290868): status = GETUSER 02:52:17: AAA/AUTHEN/CONT (728290868): continue_login (user='(undef)') 02:52:17: AAA/AUTHEN (728290868): status = GETUSER 02:52:17: AAA/AUTHEN (728290868): Method=radius (radius) 02:52:17: AAA/AUTHEN (728290868): status = GETPASS 02:52:18: AAA/AUTHEN/CONT (728290868): continue_login (user='pudilt') 02:52:18: AAA/AUTHEN (728290868): status = GETPASS 02:52:18: AAA/AUTHEN (728290868): Method=radius (radius) 02:52:18: RADIUS: ustruct sharecount=1 02:52:18: RADIUS: Initial Transmit tty2 id 9 172.31.95.162:1812, Access-Request, len 76 02:52:18: Attribute 4 6 D5A2453A 02:52:18: Attribute 5 6 00000002 02:52:18: Attribute 61 6 00000005 02:52:18: Attribute 1 8 70756469 02:52:18: Attribute 31 12 31302E30 02:52:18: Attribute 2 18 C8B57C52 02:52:18: RADIUS: Received from id 9 172.31.95.162:1812, Access-Accept, len 57 02:52:18: Attribute 6 6 00000007 02:52:18: Attribute 26 25 0000000901137368 02:52:18: Attribute 15 6 00000000 02:52:18: RADIUS: saved authorization data for user 62135CF4 at 6207B1DC 02:52:18: AAA/AUTHEN (728290868): status = PASS So the Cisco DOES receive the attributes in the reply packet, but obviously ignores them?? So now I dont know - is the problem on the NAS side, or is there a config failure on the radius-side (I do not blame freeradius - I know if its the radius, its a config mistake!) thank you thomas
Hi,
So the Cisco DOES receive the attributes in the reply packet, but obviously ignores them??
what does your CISCO IOS config look like for radius ? It appears that you may only have the authentication line and not the authorization line...eg aaa new-model aaa authentication login default radius local aaa authorization exec default radius local alan
Hi Alan,
So the Cisco DOES receive the attributes in the reply packet, but obviously ignores them??
what does your CISCO IOS config look like for radius ? It appears that you may only have the authentication line and not the authorization line...eg
aaa new-model aaa authentication login default radius local aaa authorization exec default radius local
Shame on me!! Seems I dont really understand how Cisco handles all this Authorization/Authentication :-(( Adding the "authorization"-line as you suggested did the job! (I assumed this would not be necessary since the Reply attribute would automatically put the user in privileged mode...) Thanks a lot for your help! thomas
participants (3)
-
A.L.M.Buxey@lboro.ac.uk -
Kevin Bonner -
thomas.pudil@t-mobile.at