Need help in setting up RADIUS for Server based AAA

Venu Gopal gopalb007 at yahoo.com
Mon Mar 20 11:48:09 CET 2006


Hi All, 

I am new to FreeRADIUS and want to set up
RADIUS on my company network for authentication and
for defining privilege-level access on the network.
I have gone through several mailing lists and docs on the
FreeRADIUS site; whenever I issue authorization commands
on the router I get locked out of my NAS. I am
using the users file, where I want simple authentication
for a few users and privilege-level access.

Error condition....

Rmcrad#show ver
Command authorization failed.



Here are the details.

1. radiusd -x 

 radiusd -x
Starting - reading configuration files ...
Using deprecated naslist file.  Support for this will go away soon.
Module: Loaded exec
rlm_exec: Wait=yes but no output defined. Did you mean output=none?
Module: Instantiated exec (exec)
Module: Loaded expr
Module: Instantiated expr (expr)
Module: Loaded PAP
Module: Instantiated pap (pap)
Module: Loaded CHAP
Module: Instantiated chap (chap)
Module: Loaded MS-CHAP
Module: Instantiated mschap (mschap)
Module: Loaded System
Module: Instantiated unix (unix)
Module: Loaded preprocess
Module: Instantiated preprocess (preprocess)
Module: Loaded realm
Module: Instantiated realm (suffix)
Module: Loaded files
Module: Instantiated files (files)
Module: Loaded Acct-Unique-Session-Id
Module: Instantiated acct_unique (acct_unique)
Module: Loaded detail
Module: Instantiated detail (detail)
Module: Loaded radutmp
Module: Instantiated radutmp (radutmp)
Initializing the thread pool...
Listening on authentication *:1645
Listening on accounting *:1646
Ready to process requests.

I locally tested AAA for authentication, authorization
and accounting on the router and it works fine.
Authentication works for the users defined in
the users file; I checked for /etc/passwd, /etc/group and
/etc/users in radiusd.conf, and I am able to log in to the
NAS, which authenticates the user and password.

Users definition
"Arul"          Auth-Type := Local, User-Password == "cisco"
                Reply-Message = "Hello, %u",
                cisco-avpair = "shell:priv-lvl=15"

"vdhar"         Auth-Type := system
                Reply-Message = "Hello, %u",
                cisco-avpair = "shell:priv-lvl=1"

"test"          Auth-Type := Local, User-Password == "test123"
                Reply-Message = "Hello, %u",
                cisco-avpair = "shell:priv-lvl=15"



Router configuration
aaa new-model
aaa authentication login default group radius local
aaa authentication login NO_AUTHEN none

If I issue any authorization command, such as
aaa authorization exec local
or
aaa authorization exec default radius

aaa authorization exec default group radius if-authenticated



radius-server host 172.16.85.135 auth-port 1645 acct-port 1646
radius-server retransmit 3
radius-server key secret

line con 0
 exec-timeout 0 0
 login authentication NO_AUTHEN
 transport input none


line vty 0 4
 exec-timeout 0 0
 password cisco
 

I will be locked out of the router and cannot perform
any task. If anyone can help me figure out what the
problem with authorization is, and suggest a simple
configuration that works for server-based
authentication, it would be highly appreciated. If you need
any more information from my side to figure out my problem,
please let me know. Please also let me know if anybody can
help me out over live chat on MSN/Yahoo.

Debug logs...

00:56:59: AAA: name=tty68 flags=0x11 type=5 shelf=0 slot=0 adapter=0 port=68 channel=0
00:56:59: AAA/MEMORY: create_user (0x81934100) user='' ruser='' port='tty68' rem_addr='172.16.85.100' authen_type=ASCII service=LOGIN priv=1
00:56:59: AAA/AUTHEN/START (169650279): port='tty68' list='' action=LOGIN service=LOGIN
00:56:59: AAA/AUTHEN/START (169650279): using "default" list
00:56:59: AAA/AUTHEN/START (169650279): Method=radius (radius)
00:56:59: AAA/AUTHEN (169650279): status = GETUSER
00:57:07: AAA/AUTHEN/CONT (169650279): continue_login (user='(undef)')
00:57:07: AAA/AUTHEN (169650279): status = GETUSER
00:57:07: AAA/AUTHEN (169650279): Method=radius (radius)
00:57:07: AAA/AUTHEN (169650279): status = GETPASS
00:57:09: AAA/AUTHEN/CONT (169650279): continue_login (user='cisco')
00:57:09: AAA/AUTHEN (169650279): status = GETPASS
00:57:09: AAA/AUTHEN (169650279): Method=radius (radius)
00:57:29: AAA/AUTHEN (169650279): status = ERROR
00:57:29: AAA/AUTHEN/START (151081203): port='tty68' list='' action=LOGIN service=LOGIN
00:57:29: AAA/AUTHEN/START (151081203): Restart
00:57:29: AAA/AUTHEN/START (151081203): Method=LOCAL
00:57:29: AAA/AUTHEN (151081203): status = GETPASS
00:57:29: AAA/AUTHEN/CONT (151081203): continue_login (user='cisco')
00:57:29: AAA/AUTHEN (151081203): status = GETPASS
00:57:29: AAA/AUTHEN/CONT (151081203): Method=LOCAL
00:57:29: AAA/AUTHEN (151081203): status = PASS
00:57:33: AAA/MEMORY: dup_user (0x81B00350) user='cisco' ruser='' port='tty68' rem_addr='172.16.85.100' authen_type=ASCII service=ENABLE priv=15 source='AAA dup enable'
00:57:33: AAA/AUTHEN/START (3234623993): port='tty68' list='' action=LOGIN service=ENABLE
00:57:33: AAA/AUTHEN/START (3234623993): non-console enable - default to enable password
00:57:33: AAA/AUTHEN/START (3234623993): Method=ENABLE
00:57:33: AAA/AUTHEN (3234623993): status = GETPASS
00:57:35: AAA/AUTHEN/CONT (3234623993): continue_login (user='(undef)')
00:57:35: AAA/AUTHEN (3234623993): status = GETPASS
00:57:35: AAA/AUTHEN/CONT (3234623993): Method=ENABLE
00:57:35: AAA/AUTHEN (3234623993): status = PASS
00:57:35: AAA/MEMORY: free_user (0x81B00350) user='' ruser='' port='tty68' rem_addr='172.16.85.100' authen_type=ASCII service=ENABLE priv=15




Regards
Venugopal
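As an added example (not the poster's code and not part of FreeRADIUS), a small Python linter for the users-file format shown above: it parses each entry's check and reply items and flags entries that hand out shell:priv-lvl without a Service-Type a Cisco NAS turns into an exec session. It assumes, from Cisco IOS AAA documentation, that exec authorization over RADIUS expects Service-Type NAS-Prompt-User or Administrative-User in the Access-Accept alongside cisco-avpair, and it uses a constructed users file in which the wrapped lines are joined.

```python
import re
# Constructed sample "users" file (FreeRADIUS 1.x syntax), not the poster's
# file verbatim: wrapped lines are joined; Service-Type is set only for "vdhar".
SAMPLE_USERS = '''\
"Arul"   Auth-Type := Local, User-Password == "cisco"
         Reply-Message = "Hello, %u",
         cisco-avpair = "shell:priv-lvl=15"

"vdhar"  Auth-Type := System
         Service-Type = NAS-Prompt-User,
         Reply-Message = "Hello, %u",
         cisco-avpair = "shell:priv-lvl=1"
'''

# One item: attribute, operator, value, optional trailing comma.
ITEM = re.compile(r'^\s*([\w-]+)\s*(:=|==|\+=|=)\s*(.*?)\s*,?\s*$')
# Service-Type values IOS accepts for an exec (shell) session via RADIUS.
EXEC_SERVICE_TYPES = {'nas-prompt-user', 'administrative-user'}

def _store(target, item):
    """Parse one 'Attr op value' item into target, keyed case-insensitively."""
    m = ITEM.match(item)
    if m:
        target[m.group(1).lower()] = m.group(3).strip('"')

def parse_users(text):
    """Return [(name, check_items, reply_items)]. An unindented line opens an
    entry (name plus comma-separated check items); indented lines are replies."""
    entries = []
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith('#'):
            continue
        if not line[0].isspace():
            name, rest = (line.split(None, 1) + [''])[:2]
            entries.append((name.strip('"'), {}, {}))
            for item in rest.split(','):
                _store(entries[-1][1], item)
        elif entries:
            _store(entries[-1][2], line)
    return entries

def lint_users(text):
    """Names of entries that hand out shell:priv-lvl without a Service-Type
    IOS turns into an exec session (login succeeds, then authorization fails)."""
    bad = []
    for name, _check, reply in parse_users(text):
        if 'shell:priv-lvl=' in reply.get('cisco-avpair', '') and \
                reply.get('service-type', '').lower() not in EXEC_SERVICE_TYPES:
            bad.append(name)
    return bad
```

Run `lint_users(open('/etc/raddb/users').read())` against a real file to list the entries to review; a wrapped line that starts at column 0 (like the bare `"cisco"` in the posted file) is parsed as a new entry, which the output also makes visible.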