Cisco Privilege Level

Ryan Sharpe rsharpe at largnet.on.ca
Tue Sep 20 20:13:31 CEST 2005 

Hello all,

I'm having a problem getting users to default to the right privilege level.

aaa authentication login default group radius local
aaa authorization exec default group radius local
radius-server host xx.20.xx.xx auth-port 1645 acct-port 1646
radius-server key 7 xxxxxxxxxxxx
privilege exec level 2 enable

DEFAULT Group == "radiusfull", Auth-Type = System
        CiscoAVPair = "shell:priv-lvl=2",
        Fall-Through = No
DEFAULT Group == "radiusview", Auth-Type = System
        CiscoAVPair = "shell:priv-lvl=1",
        Fall-Through = No

rad_recv: Access-Request packet from host xx.xx.xx.xx:1645, id=30, length=93
        User-Name = "rsharpe"
        User-Password = "*****"
        Cisco-NAS-Port = "tty226"
        NAS-Port = 226
        NAS-Port-Type = Virtual
        Calling-Station-Id = "xx.xx.xx.xx"
        NAS-IP-Address = xx.xx.xx.xx
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 2
  modcall[authorize]: module "preprocess" returns ok for request 2
  modcall[authorize]: module "chap" returns noop for request 2
  modcall[authorize]: module "mschap" returns noop for request 2
    rlm_realm: No '@' in User-Name = "rsharpe", looking up realm NULL
    rlm_realm: No such realm "NULL"
  modcall[authorize]: module "suffix" returns noop for request 2
    users: Matched entry DEFAULT at line 54
  modcall[authorize]: module "files" returns ok for request 2
modcall: group authorize returns ok for request 2
  rad_check_password:  Found Auth-Type System
auth: type "System"
  Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 2
  modcall[authenticate]: module "unix" returns ok for request 2
modcall: group authenticate returns ok for request 2
Sending Access-Accept of id 30 to xx.xx.xx.xx:1645
Finished request 2
Going to the next request
--- Walking the entire request list ---
Waking up in 6 seconds...
--- Walking the entire request list ---
Cleaning up request 2 ID 30 with timestamp 43304ea1
Nothing to do.  Sleeping until we see a request.


What I am trying to accomplish is to have to two different unix groups 
authorized to two different levels. As I'm sure you can see from the 
configuration I want to have "radiusfull" have access to exec level 2 
and "radiusview" have access to exec level 1. I know that the service is 
working I can login with my unix account to the router. I have seen 
numerous examples about how to do this, and from what I understand it 
should work. I also did a packet capture of the communication between 
the two devices and I did no see any of the AVPairs in the packet data. 
If someone could help and enlighten me that would be great. THANKS!

-- 
Ryan Sharpe
Junior Technical Analyst
LARG*net
(519) 661-2111 x86356
rsharpe at largnet.on.ca
http://www.largnet.on.ca

More information about the Freeradius-Users mailing list