Privileged Login on CISCO using freeradius and MySQL

thomas.pudil at t-mobile.at
Thu May 11 11:18:11 CEST 2006


Hi again,

>The priv lvl I use in my users file is:
>
>        Cisco-AVPair := "shell:priv-lvl=1"
>
>Debug output would help determine what isn't working.
>
>Kevin Bonner

here is a debug from my radius-server:

rad_recv: Access-Request packet from host 10.0.2.241:1645, id=9, length=76
        NAS-IP-Address = 213.162.69.58
        NAS-Port = 2
        NAS-Port-Type = Virtual
        User-Name = "pudilt"
        Calling-Station-Id = "10.0.2.242"
        User-Password = "1234"
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 2
Invalid operator for item Suffix: reverting to '=='
Invalid operator for item Suffix: reverting to '=='
Invalid operator for item Suffix: reverting to '=='
  modcall[authorize]: module "preprocess" returns ok for request 2
  modcall[authorize]: module "chap" returns noop for request 2
  rlm_eap: No EAP-Message, not doing EAP
  modcall[authorize]: module "eap" returns noop for request 2
    rlm_realm: No '@' in User-Name = "pudilt", looking up realm NULL
    rlm_realm: No such realm "NULL"
  modcall[authorize]: module "suffix" returns noop for request 2
radius_xlat:  'pudilt'
rlm_sql (sql): sql_set_user escaped user --> 'pudilt'
radius_xlat:  'SELECT id,UserName,Attribute,Value,op FROM radcheck WHERE
Username = 'pudilt' ORDER BY id'
rlm_sql (sql): Reserving sql socket id: 1
radius_xlat:  'SELECT
radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupcheck.Value,radgroupcheck.op
  FROM radgroupcheck,usergroup WHERE usergroup.Username = 'pudilt' AND
usergroup.GroupName = radgroupcheck.GroupName ORDER BY radgroupcheck.id'
radius_xlat:  'SELECT id,UserName,Attribute,Value,op FROM radreply WHERE
Username = 'pudilt' ORDER BY id'
radius_xlat:  'SELECT
radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgroupreply.Value,radgroupreply.op
  FROM radgroupreply,usergroup WHERE usergroup.Username = 'pudilt' AND
usergroup.GroupName = radgroupreply.GroupName ORDER BY radgroupreply.id'
rlm_sql (sql): Released sql socket id: 1
  modcall[authorize]: module "sql" returns ok for request 2
  modcall[authorize]: module "mschap" returns noop for request 2
modcall: leaving group authorize (returns ok) for request 2
  rad_check_password:  Found Auth-Type Local
auth: type Local
auth: user supplied User-Password matches local User-Password
Login OK: [pudilt] (from client xdsl-ag-RouA port 2 cli 10.0.2.242)
Sending Access-Accept of id 9 to 10.0.2.241 port 1645
        Service-Type = NAS-Prompt-User
        Cisco-AVPair = "shell:priv-lvl=15"
        Login-Service = Telnet
Finished request 2
Going to the next request
--- Walking the entire request list ---
Waking up in 6 seconds...
--- Walking the entire request list ---
Cleaning up request 2 ID 9 with timestamp 44630dd5
Nothing to do.  Sleeping until we see a request.


And this is what I see on the Cisco:

02:52:14: AAA: parse name=tty2 idb type=-1 tty=-1
02:52:14: AAA: name=tty2 flags=0x11 type=5 shelf=0 slot=0 adapter=0 port=2
channel=0
02:52:14: AAA/MEMORY: create_user (0x62135CF4) user='' ruser='' port='tty2'
rem_addr='10.0.2.242' authen_type=ASCII service=LOGIN priv=1
02:52:14: AAA/AUTHEN/START (728290868): port='tty2'
list='adminauthenticate' action=LOGIN service=LOGIN
02:52:14: AAA/AUTHEN/START (728290868): found list adminauthenticate
02:52:14: AAA/AUTHEN/START (728290868): Method=radius (radius)
02:52:14: AAA/AUTHEN (728290868): status = GETUSER
02:52:17: AAA/AUTHEN/CONT (728290868): continue_login (user='(undef)')
02:52:17: AAA/AUTHEN (728290868): status = GETUSER
02:52:17: AAA/AUTHEN (728290868): Method=radius (radius)
02:52:17: AAA/AUTHEN (728290868): status = GETPASS
02:52:18: AAA/AUTHEN/CONT (728290868): continue_login (user='pudilt')
02:52:18: AAA/AUTHEN (728290868): status = GETPASS
02:52:18: AAA/AUTHEN (728290868): Method=radius (radius)
02:52:18: RADIUS: ustruct sharecount=1
02:52:18: RADIUS: Initial Transmit tty2 id 9 172.31.95.162:1812,
Access-Request, len 76
02:52:18:         Attribute 4 6 D5A2453A
02:52:18:         Attribute 5 6 00000002
02:52:18:         Attribute 61 6 00000005
02:52:18:         Attribute 1 8 70756469
02:52:18:         Attribute 31 12 31302E30
02:52:18:         Attribute 2 18 C8B57C52
02:52:18: RADIUS: Received from id 9 172.31.95.162:1812, Access-Accept, len
57
02:52:18:         Attribute 6 6 00000007
02:52:18:         Attribute 26 25 0000000901137368
02:52:18:         Attribute 15 6 00000000
02:52:18: RADIUS: saved authorization data for user 62135CF4 at 6207B1DC
02:52:18: AAA/AUTHEN (728290868): status = PASS


So the Cisco DOES receive the attributes in the reply packet, but obviously
ignores them??
So now I don't know - is the problem on the NAS side, or is there a config
failure on the radius-side (I do not blame freeradius - I know if it's the
radius, it's a config mistake!)


thank you
thomas
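The two debug dumps above describe the same Access-Accept from opposite ends: FreeRADIUS prints it as named attributes, the Cisco prints it as raw Type/Length/hex. The following script is an added example (not part of this thread or of FreeRADIUS) that rebuilds that reply on the wire per RFC 2865, including the Vendor-Specific attribute (type 26, Cisco vendor id 9, sub-type 1 = Cisco-AVPair), verifies the Response Authenticator, decodes the attributes back to their names, and reproduces the `0000000901137368` prefix the Cisco printed for attribute 26. The request authenticator and shared secret are constructed placeholders, since the post does not show them; the attribute numbers and values (Service-Type 7 = NAS-Prompt-User, Login-Service 0 = Telnet) are the ones visible in both dumps.

```python
"""Encode/decode the RADIUS Access-Accept from the post (RFC 2865 wire format)
and reconcile the FreeRADIUS reply with the Cisco 'debug radius' attribute dump.
Added example; request authenticator and shared secret are constructed."""
import hashlib
import struct

ACCESS_ACCEPT = 2
ATTR_SERVICE_TYPE = 6
ATTR_LOGIN_SERVICE = 15
ATTR_VENDOR_SPECIFIC = 26
VENDOR_CISCO = 9          # IANA enterprise number, the 00000009 in the Cisco dump
CISCO_AVPAIR = 1          # Cisco VSA sub-type carrying "key=value" strings

SERVICE_TYPE_NAMES = {1: "Login-User", 2: "Framed-User",
                      6: "Administrative-User", 7: "NAS-Prompt-User"}
LOGIN_SERVICE_NAMES = {0: "Telnet", 1: "Rlogin", 2: "TCP-Clear", 3: "PortMaster"}


def encode_integer(attr_type, value):
    """Standard 4-byte integer attribute: Type, Length (always 6), big-endian value."""
    return struct.pack("!BBI", attr_type, 6, value)


def encode_cisco_avpair(text):
    """Vendor-Specific (26) wrapping Cisco sub-attribute 1 (Cisco-AVPair)."""
    value = text.encode("ascii")
    sub = struct.pack("!BB", CISCO_AVPAIR, 2 + len(value)) + value
    return struct.pack("!BBI", ATTR_VENDOR_SPECIFIC, 6 + len(sub), VENDOR_CISCO) + sub


def build_access_accept(ident, attrs, request_authenticator, secret):
    """Full packet with the RFC 2865 Response Authenticator:
    MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    body = b"".join(attrs)
    header = struct.pack("!BBH", ACCESS_ACCEPT, ident, 20 + len(body))
    resp_auth = hashlib.md5(header + request_authenticator + body + secret).digest()
    return header + resp_auth + body


def authenticator_valid(packet, request_authenticator, secret):
    """True if the Response Authenticator matches the shared secret."""
    expected = hashlib.md5(packet[:4] + request_authenticator + packet[20:] + secret).digest()
    return expected == packet[4:20]


def iter_attributes(data):
    """Walk a Type/Length/Value list, rejecting malformed lengths."""
    pos = 0
    while pos < len(data):
        if len(data) - pos < 2:
            raise ValueError("truncated attribute header")
        attr_type, length = data[pos], data[pos + 1]
        if length < 2 or pos + length > len(data):
            raise ValueError(f"bad length {length} for attribute {attr_type}")
        yield attr_type, data[pos + 2:pos + length]
        pos += length


def decode_reply(packet, request_authenticator, secret):
    """Check length and authenticator, then name the attributes the NAS acts on."""
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        raise ValueError("length field does not match packet size")
    if not authenticator_valid(packet, request_authenticator, secret):
        raise ValueError("Response Authenticator mismatch: wrong secret or forged reply")
    out = {"Code": code, "Id": ident, "Cisco-AVPair": []}
    for attr_type, value in iter_attributes(packet[20:]):
        if attr_type == ATTR_SERVICE_TYPE:
            out["Service-Type"] = SERVICE_TYPE_NAMES.get(struct.unpack("!I", value)[0], "unknown")
        elif attr_type == ATTR_LOGIN_SERVICE:
            out["Login-Service"] = LOGIN_SERVICE_NAMES.get(struct.unpack("!I", value)[0], "unknown")
        elif attr_type == ATTR_VENDOR_SPECIFIC and len(value) >= 4:
            if struct.unpack("!I", value[:4])[0] == VENDOR_CISCO:
                for sub_type, sub_value in iter_attributes(value[4:]):
                    if sub_type == CISCO_AVPAIR:
                        out["Cisco-AVPair"].append(sub_value.decode("ascii", "replace"))
    return out


def priv_level(decoded):
    """Privilege level from a 'shell:priv-lvl=N' AVPair, or None if absent."""
    for avpair in decoded["Cisco-AVPair"]:
        key, _, val = avpair.partition("=")
        if key == "shell:priv-lvl" and val.isdigit():
            return int(val)
    return None


def cisco_vsa_prefix(attr):
    """First 8 value bytes of a VSA, formatted as 'debug radius' prints them."""
    return attr[2:10].hex().upper()


# Constructed inputs: the reply FreeRADIUS logged for id 9, with a made-up
# request authenticator and shared secret (the post shows neither).
REQUEST_AUTH = bytes(range(16))
SECRET = b"example-secret"
REPLY_ATTRS = [
    encode_integer(ATTR_SERVICE_TYPE, 7),      # Service-Type = NAS-Prompt-User
    encode_cisco_avpair("shell:priv-lvl=15"),  # Cisco-AVPair
    encode_integer(ATTR_LOGIN_SERVICE, 0),     # Login-Service = Telnet
]
PACKET = build_access_accept(9, REPLY_ATTRS, REQUEST_AUTH, SECRET)

if __name__ == "__main__":
    decoded = decode_reply(PACKET, REQUEST_AUTH, SECRET)
    print(len(PACKET), decoded, "priv-lvl:", priv_level(decoded))
    print("Attribute 26 as the Cisco prints it:", cisco_vsa_prefix(REPLY_ATTRS[1]))
```

Run as-is it prints a 57-byte packet, matching `len 57` in the Cisco dump, with the VSA prefix `0000000901137368` (vendor 9, sub-type 1, sub-length 0x13 = 19, then "sh" of "shell:priv-lvl=15"). That confirms the Cisco received exactly what FreeRADIUS sent; whether the NAS applies `shell:priv-lvl` at login is then a question of its own AAA authorization configuration rather than of the packet contents.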