How to authenticate 3com switch and cisco switch at the same time.

陈锐 chenrui2005 at gmail.com
Mon Oct 17 14:16:59 CEST 2005


hello,

I am a newbie to freeradius.
These days, we are planning to implement a RADIUS server for AAA.
Our NAS devices are 3Com SuperStack 4400/4900 and Cisco
2950/3725/1721. We encountered a problem.
I have installed freeradius on Debian successfully.

We have four guys to administer our network devices;
they are aaa, bbb, ccc, ddd.
First of all, aaa and bbb are admins; ccc and ddd are helpdesk.
Admins should be granted read/write privilege on the network devices;
helpdesk should only be granted read privilege.

I divided them into four groups within the Linux system.

3com_admin, 3com_monitor, cisco_admin, cisco_monitor
aaa and bbb belong to 3com_admin and cisco_admin
ccc and ddd belong to 3com_monitor and cisco_monitor

The /etc/freeradius/users config:

DEFAULT        Group == "3com_admin", Auth-Type := System
               Login-Service = Telnet,
               3Com-User-Access-Level = 3


DEFAULT        Group == "3com_monitor", Auth-Type := System
               Login-Service = Telnet,
               3Com-User-Access-Level = 1

This config works fine for me.
Now I added another two groups, so /etc/freeradius/users looks
like this:

DEFAULT         Group == "cisco_admin", Auth-Type := System
                Login-Service = Telnet,
                Service-Type = Administrative-User,
                Cisco-AVPair = "shell:priv-lvl=15"

DEFAULT         Group == "cisco_monitor", Auth-Type := System
                Login-Service = Telnet,
                Service-Type = Administrative-User,
                Cisco-AVPair = "shell:priv-lvl=5"

DEFAULT         Group == "3com_admin", Auth-Type := System
                Login-Service = Telnet,
                3Com-User-Access-Level = 3

DEFAULT         Group == "3com_monitor", Auth-Type := System
                Login-Service = Telnet,
                3Com-User-Access-Level = 1

The problem occurred.
When I log in to the Cisco switch with "aaa", it works, but when I use "aaa"
to log in to the 3Com switch, it fails, because the reply message
attributes come from the first DEFAULT segment.
That is:
Sending Access-Accept of id 22 to 192.168.100.20:2049
        Login-Service = Telnet
        Service-Type = NAS-Prompt-User
        Cisco-AVPair = "shell:priv-lvl=15"

So the 3Com switch cannot parse the Cisco-AVPair, and then fails.

The following is from freeradius -X:
.....
 radutmp: perm = 384
 radutmp: callerid = yes
Module: Instantiated radutmp (radutmp)
Listening on authentication *:1812
Listening on accounting *:1813
Listening on proxy *:1814
Ready to process requests.
rad_recv: Access-Request packet from host 192.168.100.20:2049, id=22, length=87
        User-Name = "aaa"
        User-Password = "aaa"
        NAS-Port-Type = Virtual
        NAS-IP-Address = 192.168.100.20
        Service-Type = Administrative-User
        Framed-MTU = 1024
        Message-Authenticator = 0xe52d4010d86eb2cb0f00fefaa251006c
rad_rmspace_pair:  User-Password now 'aaa'
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
  modcall[authorize]: module "preprocess" returns ok for request 0
  modcall[authorize]: module "chap" returns noop for request 0
  modcall[authorize]: module "mschap" returns noop for request 0
    rlm_realm: No '@' in User-Name = "aaa", looking up realm NULL
    rlm_realm: No such realm "NULL"
  modcall[authorize]: module "suffix" returns noop for request 0
  rlm_eap: No EAP-Message, not doing EAP
  modcall[authorize]: module "eap" returns noop for request 0
    users: Matched entry DEFAULT at line 75
  modcall[authorize]: module "files" returns ok for request 0
modcall: group authorize returns ok for request 0
  rad_check_password:  Found Auth-Type System
auth: type "System"
  Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 0
  modcall[authenticate]: module "unix" returns ok for request 0
modcall: group authenticate returns ok for request 0
Sending Access-Accept of id 22 to 192.168.100.20:2049
        Login-Service = Telnet
        Service-Type = NAS-Prompt-User
        Cisco-AVPair = "shell:priv-lvl=15"
Finished request 0
Going to the next request
--- Walking the entire request list ---
Waking up in 7 seconds...
.....
Any suggestion will be welcome.
Thanks in advance.
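Added example (editor's note, not part of the original post or of FreeRADIUS itself): the debug output shows why every login hits the first entry, "users: Matched entry DEFAULT at line 75". A DEFAULT entry whose check items are satisfied is taken, and the Group check alone is true on both vendors' switches for user aaa. One way to key the reply on the NAS that sent the request is to add a Huntgroup-Name check item to each entry. The Cisco address 192.168.100.20 is the one in the poster's log; the 3Com address 192.168.100.30 and the file path of the huntgroups file are assumptions for the example.

```text
# /etc/freeradius/huntgroups  (assumed path; read by the "preprocess" module,
# which the debug output shows running before "files" in authorize)
cisco   NAS-IP-Address == 192.168.100.20
3com    NAS-IP-Address == 192.168.100.30    # assumed address of the 3Com switch

# /etc/freeradius/users
# Both check items must be true for an entry to match, so an aaa login from
# the 3Com switch skips the two Cisco entries and reaches the 3Com ones.
DEFAULT         Huntgroup-Name == "cisco", Group == "cisco_admin", Auth-Type := System
                Login-Service = Telnet,
                Service-Type = Administrative-User,
                Cisco-AVPair = "shell:priv-lvl=15"

DEFAULT         Huntgroup-Name == "cisco", Group == "cisco_monitor", Auth-Type := System
                Login-Service = Telnet,
                Service-Type = Administrative-User,
                Cisco-AVPair = "shell:priv-lvl=5"

DEFAULT         Huntgroup-Name == "3com", Group == "3com_admin", Auth-Type := System
                Login-Service = Telnet,
                3Com-User-Access-Level = 3

DEFAULT         Huntgroup-Name == "3com", Group == "3com_monitor", Auth-Type := System
                Login-Service = Telnet,
                3Com-User-Access-Level = 1

# Explicit catch-all: a request from an unlisted NAS, or a user outside the
# four groups, is rejected instead of receiving another vendor's attributes.
DEFAULT         Auth-Type := Reject
```

The same effect can be had without the huntgroups file by writing the check item directly, for example NAS-IP-Address == 192.168.100.20, in each users entry; huntgroups just keep the switch addresses in one place. After the change, run freeradius -X again and confirm that the "users: Matched entry DEFAULT at line N" message points at the intended entry for each switch, and that the Access-Accept sent to the 3Com switch carries only Login-Service and 3Com-User-Access-Level.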