freeRADIUS and Cisco switch errors, the server replies but the switch does not seem to authorise the login
David Bradley
bradleydj at gmail.com
Mon Feb 4 17:34:18 CET 2008
Hi, I'm hoping you can help!
I have a server running FreeRADIUS and I'm trying to authorize exec
sessions. If I remove the authorization line in the Cisco config, the
authentication works fine, but once it starts to authorise it fails.
There are 4 sections here: the relevant parts of the Cisco switch
config, the users file, the FreeRADIUS log and the Cisco switch log.
The bit that seems to fail is where the Cisco switch receives the
RADIUS reply; it just doesn't act on the reply.
aaa new-model
aaa authentication login default group radius local
aaa authorization exec default group radius
radius-server host 192.168.100.201 auth-port 1812 acct-port 1813 key 7 xxxxxxx
radius-server source-ports 1645-1646
Users-file
DEFAULT Service-Type = shell
Cisco-AVPair = "shell:priv-lvl=15"
-----------------------
rad_recv: Access-Request packet from host 192.168.100.254:1645, id=26, length=82
NAS-IP-Address = 192.168.100.254
NAS-Port = 2
NAS-Port-Type = Virtual
User-Name = "dave"
Calling-Station-Id = "192.168.100.109"
User-Password = "password"
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
modcall[authorize]: module "preprocess" returns ok for request 0
modcall[authorize]: module "chap" returns noop for request 0
modcall[authorize]: module "mschap" returns noop for request 0
rlm_realm: No '@' in User-Name = "dave", looking up realm NULL
rlm_realm: No such realm "NULL"
modcall[authorize]: module "suffix" returns noop for request 0
rlm_eap: No EAP-Message, not doing EAP
modcall[authorize]: module "eap" returns noop for request 0
users: Matched DEFAULT at 153
users: Matched DEFAULT at 228
modcall[authorize]: module "files" returns ok for request 0
modcall: group authorize returns ok for request 0
rad_check_password: Found Auth-Type System
auth: type "System"
Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 0
modcall[authenticate]: module "unix" returns ok for request 0
modcall: group authenticate returns ok for request 0
Login OK: [djbrad2/password] (from client rafmh port 2 cli 192.168.100.109)
Sending Access-Accept of id 26 to 192.168.100.254:1645
Cisco-AVPair = "shell:priv-lvl=15"
Finished request 0
--------
*Mar 1 02:05:01.335: RADIUS(00000000): Send Access-Request to
192.168.100.201:1812 id 1645/26, len 82
*Mar 1 02:05:01.335: RADIUS: authenticator 90 85 F6 37 C3 2C A4 BE -
97 44 D1 81 A4 DD 0F 2D
*Mar 1 02:05:01.335: RADIUS: NAS-IP-Address [4] 6 192.168.100.254
*Mar 1 02:05:01.335: RADIUS: NAS-Port [5] 6 2
*Mar 1 02:05:01.335: RADIUS: NAS-Port-Type [61] 6 Virtual [5]
*Mar 1 02:05:01.335: RADIUS: User-Name [1] 9 "dave"
*Mar 1 02:05:01.335: RADIUS: Calling-Station-Id [31] 17 "192.168.100.109"
*Mar 1 02:05:01.335: RADIUS: User-Password [2] 18 *
*Mar 1 02:05:01.339: RADIUS: Received from id 1645/26
192.168.100.201:1812, Access-Accept, len 45
*Mar 1 02:05:01.339: RADIUS: authenticator A7 47 9F 4C 58 BC CA A5 -
E5 6B E4 9E 64 9F FB C9
*Mar 1 02:05:01.339: RADIUS: Vendor, Cisco [26] 25
*Mar 1 02:05:01.339: RADIUS: Cisco AVpair [1] 19 "shell:priv-lvl=15"
*Mar 1 02:05:01.343: RADIUS: saved authorization data for user
1DF88C8 at 2238960
*Mar 1 02:05:01.343: tty2 AAA/AUTHOR/EXEC (606283324): Port='tty2'
list='' service=EXEC
*Mar 1 02:05:01.343: AAA/AUTHOR/EXEC: tty2 (606283324) user='djbrad2'
*Mar 1 02:05:01.343: tty2 AAA/AUTHOR/EXEC (606283324): send AV service=shell
*Mar 1 02:05:01.343: tty2 AAA/AUTHOR/EXEC (606283324): send AV cmd*
*Mar 1 02:05:01.343: tty2 AAA/AUTHOR/EXEC (606283324): found list "default"
*Mar 1 02:05:01.343: tty2 AAA/AUTHOR/EXEC (606283324): Method=radius (radius)
*Mar 1 02:05:01.343: RADIUS: cisco AVPair "shell:priv-lvl=15"
*Mar 1 02:05:01.343: RADIUS: no appropriate authorization type for user.
*Mar 1 02:05:01.343: AAA/AUTHOR (606283324): Post authorization status = FAIL
*Mar 1 02:05:01.343: AAA/AUTHOR/EXEC: Authorization FAILED
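The two logs above can be cross-checked mechanically. The script below is an added example, not code from David's post or from the FreeRADIUS project. It rests on one documented Cisco IOS behaviour: RADIUS-based EXEC authorization is granted only when the Access-Accept carries Service-Type = NAS-Prompt-User (value 7) or Administrative-User (value 6) next to the `shell:priv-lvl` AVPair, and "no appropriate authorization type for user" is the switch's complaint when that Service-Type is missing. The sample log lines are constructed from the shapes seen in the post (a second, constructed Cisco sample shows what the dump looks like once Service-Type is present); the function names and the `EXEC_SERVICE_TYPE_VALUES` table are this example's own.

```python
"""Audit a FreeRADIUS Access-Accept against Cisco IOS EXEC authorization needs.

Added example, not from the original post. Assumption: the switch accepts
EXEC authorization only if Service-Type (attribute 6) is NAS-Prompt-User (7)
or Administrative-User (6); a priv-lvl AVPair on its own is not enough.
"""
import re

# Constructed sample: the reply block from the FreeRADIUS debug output.
FREERADIUS_DEBUG = """\
Sending Access-Accept of id 26 to 192.168.100.254:1645
        Cisco-AVPair = "shell:priv-lvl=15"
Finished request 0
"""

# Constructed sample: the switch's "debug radius" / "debug aaa authorization" lines
# in the failing case (Accept carries only the vendor attribute).
CISCO_DEBUG = """\
*Mar 1 02:05:01.339: RADIUS: Received from id 1645/26 192.168.100.201:1812, Access-Accept, len 45
*Mar 1 02:05:01.339: RADIUS: authenticator A7 47 9F 4C 58 BC CA A5 - E5 6B E4 9E 64 9F FB C9
*Mar 1 02:05:01.339: RADIUS: Vendor, Cisco [26] 25
*Mar 1 02:05:01.339: RADIUS: Cisco AVpair [1] 19 "shell:priv-lvl=15"
*Mar 1 02:05:01.343: RADIUS: saved authorization data for user 1DF88C8 at 2238960
*Mar 1 02:05:01.343: tty2 AAA/AUTHOR/EXEC (606283324): Method=radius (radius)
*Mar 1 02:05:01.343: RADIUS: no appropriate authorization type for user.
*Mar 1 02:05:01.343: AAA/AUTHOR/EXEC: Authorization FAILED
"""

# Constructed sample: the same dump once the Accept also carries Service-Type.
CISCO_DEBUG_FIXED = """\
*Mar 1 02:06:10.100: RADIUS: Received from id 1645/27 192.168.100.201:1812, Access-Accept, len 51
*Mar 1 02:06:10.100: RADIUS: Service-Type [6] 6 NAS Prompt [7]
*Mar 1 02:06:10.100: RADIUS: Vendor, Cisco [26] 25
*Mar 1 02:06:10.100: RADIUS: Cisco AVpair [1] 19 "shell:priv-lvl=15"
*Mar 1 02:06:10.104: tty2 AAA/AUTHOR/EXEC (606283325): Method=radius (radius)
"""

SERVICE_TYPE_CODE = 6
# RADIUS Service-Type values Cisco IOS treats as EXEC-capable (assumption stated above).
EXEC_SERVICE_TYPE_VALUES = {6: "Administrative-User", 7: "NAS-Prompt-User"}

FR_ATTR = re.compile(r'^\s*([\w-]+)\s*=\s*"?([^"]*)"?\s*$')
CISCO_ATTR = re.compile(r'RADIUS:\s+([A-Za-z][\w -]*?)\s+\[(\d+)\]\s+\d+\s*(.*?)\s*$')
TRAILING_NUM = re.compile(r'\[(\d+)\]\s*$')


def parse_freeradius_accept(text):
    """Return {attribute: value} for the reply items under 'Sending Access-Accept'."""
    attrs, inside = {}, False
    for line in text.splitlines():
        if line.startswith("Sending Access-Accept"):
            inside = True
            continue
        if inside:
            m = FR_ATTR.match(line)
            if not m:
                break  # first non-attribute line ends the reply list
            attrs[m.group(1)] = m.group(2)
    return attrs


def parse_cisco_accept(text):
    """Return [(code, name, raw_value, numeric_value)] for attributes the switch
    decoded inside the Access-Accept; stops when the AAA/AUTHOR lines begin."""
    out, inside = [], False
    for line in text.splitlines():
        if "Received from" in line and "Access-Accept" in line:
            inside = True
            continue
        if not inside:
            continue
        m = CISCO_ATTR.search(line)
        if not m:
            if "RADIUS:" not in line:
                break  # left the attribute dump (AAA/AUTHOR/EXEC lines)
            continue  # e.g. the authenticator line, which has no [code]
        name, code, value = m.group(1), int(m.group(2)), m.group(3)
        num = TRAILING_NUM.search(value)
        out.append((code, name, value, int(num.group(1)) if num else None))
    return out


def audit_exec_authorization(fr_text, cisco_text):
    """Cross-check both logs and say whether the Accept can satisfy EXEC authorization."""
    fr_reply = parse_freeradius_accept(fr_text)
    cisco_attrs = parse_cisco_accept(cisco_text)
    ok_service = any(code == SERVICE_TYPE_CODE and num in EXEC_SERVICE_TYPE_VALUES
                     for code, _name, _value, num in cisco_attrs)
    findings = {
        "freeradius_sent_service_type": "Service-Type" in fr_reply,
        "switch_saw_service_type": any(a[0] == SERVICE_TYPE_CODE for a in cisco_attrs),
        "priv_lvl_present": any("priv-lvl" in v for v in fr_reply.values()),
        "switch_reported_no_authz_type": "no appropriate authorization type" in cisco_text,
        "authorization_failed": "Authorization FAILED" in cisco_text,
        "exec_service_type_ok": ok_service,
    }
    findings["verdict"] = ("Access-Accept carries an EXEC-capable Service-Type" if ok_service
                           else "Access-Accept has no EXEC-capable Service-Type; "
                                "add Service-Type = NAS-Prompt-User as a reply item")
    return findings


if __name__ == "__main__":
    for label, dump in (("failing", CISCO_DEBUG), ("fixed", CISCO_DEBUG_FIXED)):
        print(label, audit_exec_authorization(FREERADIUS_DEBUG, dump)["verdict"])
```

Run it as-is to see both verdicts; to audit a live session, paste the `debug radius` output into `CISCO_DEBUG` and the `radiusd -X` reply block into `FREERADIUS_DEBUG`. In users-file terms, the reply the check asks for is a `Service-Type = NAS-Prompt-User,` item on the indented reply line before `Cisco-AVPair`; whether that is the whole story for this switch is something the post's logs alone cannot confirm.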