freeRADIUS and Cisco switch errors, the server replies but the switch does not seem to authorise the login

Bjørn Mork bjorn at
Mon Feb 4 19:31:01 CET 2008

"David Bradley" <bradleydj at> writes:

> I did try changing 'shell' to NAS-Prompt-User and Login, neither made any
> difference, but I have not tried Administrative-User..

Ah, sorry I wasn't more precise.  I meant changing the replylist from
   Cisco-AVPair = "shell:priv-lvl=15"
to
   Service-Type := Administrative-User

These should be equivalent:

DEFAULT Service-Type == NAS-Prompt-User
        Service-Type := NAS-Prompt-User,
        Cisco-AVPair += "shell:priv-lvl=15"

DEFAULT Service-Type == NAS-Prompt-User
        Service-Type := Administrative-User

Note that "Service-Type == NAS-Prompt-User" in FreeRADIUS is what Cisco
refers to as "service = shell".  See share/freeradius/dictionary.rfc2865
and compare the values with e.g.


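Added example, not part of the original message and not FreeRADIUS or Cisco code: a small audit that parses "users"-file entries like the two stanzas in the post and reports the exec privilege level each one hands to the switch, so entries that grant level 15 stand out. The "helpdesk" entry is constructed, and the mapping from reply attributes to a privilege level is an assumption based on the equivalence stated in the post.

```python
import re

# Constructed sample in FreeRADIUS "users" syntax: the two stanzas from the
# post plus a hypothetical "helpdesk" entry for contrast.
SAMPLE_USERS = '''\
DEFAULT Service-Type == NAS-Prompt-User
        Service-Type := NAS-Prompt-User,
        Cisco-AVPair += "shell:priv-lvl=15"

DEFAULT Service-Type == NAS-Prompt-User
        Service-Type := Administrative-User

helpdesk Service-Type == NAS-Prompt-User
        Service-Type := NAS-Prompt-User,
        Cisco-AVPair += "shell:priv-lvl=1"
'''

ITEM = re.compile(r'([\w-]+)\s*(?::=|\+=|==|=)\s*("[^"]*"|[^,\s]+)')
PRIV = re.compile(r'shell:priv-lvl=(\d+)')

def parse_users(text):
    """Return [name, reply_items] per entry: an unindented line opens an
    entry (name + check items), the indented lines after it are reply items."""
    entries = []
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith('#'):
            continue
        if not line[0].isspace():
            entries.append([line.split()[0], []])
        elif entries:
            entries[-1][1] += [(a, v.strip('"')) for a, v in ITEM.findall(line)]
    return entries

def exec_privilege(reply_items):
    """Privilege level the switch is assumed to grant for these reply items."""
    reply = dict(reply_items)          # assumption: one value per attribute
    m = PRIV.fullmatch(reply.get('Cisco-AVPair', ''))
    if m:                              # assumption: explicit priv-lvl wins
        return int(m.group(1))
    # Assumption: Administrative-User maps to 15, any other shell login to 1.
    return 15 if reply.get('Service-Type') == 'Administrative-User' else 1

def audit(text):
    """(entry name, effective privilege level) for every entry in the file."""
    return [(name, exec_privilege(items)) for name, items in parse_users(text)]

if __name__ == '__main__':
    for name, level in audit(SAMPLE_USERS):
        print(f'{name:10} priv-lvl {level}{"  <-- full admin" if level == 15 else ""}')
```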