Hello all, I'm having a problem getting users to default to the right privilege level. aaa authentication login default group radius local aaa authorization exec default group radius local radius-server host xx.20.xx.xx auth-port 1645 acct-port 1646 radius-server key 7 xxxxxxxxxxxx privilege exec level 2 enable DEFAULT Group == "radiusfull", Auth-Type = System CiscoAVPair = "shell:priv-lvl=2", Fall-Through = No DEFAULT Group == "radiusview", Auth-Type = System CiscoAVPair = "shell:priv-lvl=1", Fall-Through = No rad_recv: Access-Request packet from host xx.xx.xx.xx:1645, id=30, length=93 User-Name = "rsharpe" User-Password = "*****" Cisco-NAS-Port = "tty226" NAS-Port = 226 NAS-Port-Type = Virtual Calling-Station-Id = "xx.xx.xx.xx" NAS-IP-Address = xx.xx.xx.xx Processing the authorize section of radiusd.conf modcall: entering group authorize for request 2 modcall[authorize]: module "preprocess" returns ok for request 2 modcall[authorize]: module "chap" returns noop for request 2 modcall[authorize]: module "mschap" returns noop for request 2 rlm_realm: No '@' in User-Name = "rsharpe", looking up realm NULL rlm_realm: No such realm "NULL" modcall[authorize]: module "suffix" returns noop for request 2 users: Matched entry DEFAULT at line 54 modcall[authorize]: module "files" returns ok for request 2 modcall: group authorize returns ok for request 2 rad_check_password: Found Auth-Type System auth: type "System" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 2 modcall[authenticate]: module "unix" returns ok for request 2 modcall: group authenticate returns ok for request 2 Sending Access-Accept of id 30 to xx.xx.xx.xx:1645 Finished request 2 Going to the next request --- Walking the entire request list --- Waking up in 6 seconds... --- Walking the entire request list --- Cleaning up request 2 ID 30 with timestamp 43304ea1 Nothing to do. Sleeping until we see a request. What I am trying to accomplish is to have to two different unix groups authorized to two different levels. As I'm sure you can see from the configuration I want to have "radiusfull" have access to exec level 2 and "radiusview" have access to exec level 1. I know that the service is working I can login with my unix account to the router. I have seen numerous examples about how to do this, and from what I understand it should work. I also did a packet capture of the communication between the two devices and I did no see any of the AVPairs in the packet data. If someone could help and enlighten me that would be great. THANKS! -- Ryan Sharpe Junior Technical Analyst LARG*net (519) 661-2111 x86356 rsharpe@largnet.on.ca http://www.largnet.on.ca
Am Dienstag, 20. September 2005 20:13 schrieb Ryan Sharpe:
Hello all,
I'm having a problem getting users to default to the right privilege level.
aaa authentication login default group radius local aaa authorization exec default group radius local radius-server host xx.20.xx.xx auth-port 1645 acct-port 1646 radius-server key 7 xxxxxxxxxxxx privilege exec level 2 enable
DEFAULT Group == "radiusfull", Auth-Type = System CiscoAVPair = "shell:priv-lvl=2", Fall-Through = No DEFAULT Group == "radiusview", Auth-Type = System CiscoAVPair = "shell:priv-lvl=1", Fall-Through = No ... I also did a packet capture of the communication between the two devices and I did no see any of the AVPairs in the packet data. If someone could help and enlighten me that would be great. THANKS!
Maybe you should use "Cisco-AVPair" instead of "CiscoAVPair"? Or is "CiscoAVPair" in one of your dictionaries? --Gerald
participants (2)
-
Gerald Krause -
Ryan Sharpe