Freeradius and Cisco (cisco-avpair = "shell:priv-lvl=15" doesn't work)

Simo admin at mix4web.de
Fri Jul 11 10:58:45 CEST 2008


Hello mailing list,

I'm trying to do the authentication of Cisco Cat switches with
FreeRADIUS. The authentication works fine, also the authentication of
the enable level mode (e.g. $enab15$) and the accounting too (the
configuration is from the FreeRADIUS wiki Cisco article).
But I'm still having a problem with the cisco-avpair attribute. I don't know
why shell:priv-lvl=15 doesn't work. I want the user to be
directly logged in to the privilege level without doing the enable
authentication.

I'm using version 1.1.7 of RADIUS (Debian package),
and here is my configuration (I have switched from the SQL database to
files for debugging):

admin   Cleartext-Password := "pass"
                Service-Type = NAS-Prompt-User,
                cisco-avpair = "shell:priv-lvl=15"

And here is the debugging output of FreeRADIUS (freeradius -X):

rad_recv: Access-Request packet from host 192.168.178.2:1812, id=23, length=90
        NAS-IP-Address = 192.168.178.2
        NAS-Port = 2
        Cisco-NAS-Port = "tty2"
        NAS-Port-Type = Virtual
        User-Name = "admin"
        Calling-Station-Id = "192.168.178.3"
        User-Password = "pass"
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
  modcall[authorize]: module "preprocess" returns ok for request 0
  modcall[authorize]: module "chap" returns noop for request 0
  modcall[authorize]: module "mschap" returns noop for request 0
    rlm_realm: No '@' in User-Name = "admin", looking up realm NULL
    rlm_realm: No such realm "NULL"
  modcall[authorize]: module "suffix" returns noop for request 0
  rlm_eap: No EAP-Message, not doing EAP
  modcall[authorize]: module "eap" returns noop for request 0
    users: Matched entry admin at line 64
  modcall[authorize]: module "files" returns ok for request 0
radius_xlat:  'admin'
rlm_sql (sql): sql_set_user escaped user --> 'admin'
radius_xlat:  'SELECT id, UserName, Attribute, Value, op           FROM radcheck           WHERE Username = 'admin'           ORDER BY id'
rlm_sql (sql): Reserving sql socket id: 3
rlm_sql (sql): User admin not found in radcheck
radius_xlat:  'SELECT radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupcheck.Value,radgroupcheck.op  FROM radgroupcheck,usergroup WHERE usergroup.Username = 'admin' AND usergroup.GroupName = radgroupcheck.GroupName ORDER BY radgroupcheck.id'
radius_xlat:  'SELECT radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgroupreply.Value,radgroupreply.op  FROM radgroupreply,usergroup WHERE usergroup.Username = 'admin' AND usergroup.GroupName = radgroupreply.GroupName ORDER BY radgroupreply.id'
rlm_sql (sql): User admin not found in radgroupcheck
rlm_sql (sql): Released sql socket id: 3
rlm_sql (sql): User not found
  modcall[authorize]: module "sql" returns notfound for request 0
  modcall[authorize]: module "pap" returns updated for request 0
rlm_sqlcounter: Entering module authorize code
rlm_sqlcounter: Could not find Check item value pair
  modcall[authorize]: module "noresetcounter" returns noop for request 0
rlm_sqlcounter: Entering module authorize code
rlm_sqlcounter: Could not find Check item value pair
  modcall[authorize]: module "dailycounter" returns noop for request 0
rlm_sqlcounter: Entering module authorize code
rlm_sqlcounter: Could not find Check item value pair
  modcall[authorize]: module "monthlycounter" returns noop for request 0
modcall: leaving group authorize (returns updated) for request 0
  rad_check_password:  Found Auth-Type pap
auth: type "PAP"
  Processing the authenticate section of radiusd.conf
modcall: entering group PAP for request 0
rlm_pap: login attempt with password pass
rlm_pap: Using clear text password "pass".
rlm_pap: User authenticated successfully
  modcall[authenticate]: module "pap" returns ok for request 0
modcall: leaving group PAP (returns ok) for request 0
Sending Access-Accept of id 23 to 192.168.178.2 port 1812
        Service-Type = NAS-Prompt-User
        Cisco-AVPair = "shell:priv-lvl=15"
Finished request 0
Going to the next request
--- Walking the entire request list ---
Waking up in 6 seconds...
--- Walking the entire request list ---
Cleaning up request 0 ID 23 with timestamp 48771d94
Nothing to do.  Sleeping until we see a request.


And here is the debugging output of the switch:

03:27:12: AAA: parse name=tty3 idb type=-1 tty=-1
03:27:12: AAA: name=tty3 flags=0x11 type=5 shelf=0 slot=0 adapter=0 port=3 channel=0
03:27:12: AAA/MEMORY: create_user (0x80BAD274) user='' ruser='' port='tty3' rem_addr='192.168.178.3' authen_type=ASCII service=LOGIN priv=1
03:27:12: AAA/AUTHEN/START (2153705482): port='tty3' list='' action=LOGIN service=LOGIN
03:27:12: AAA/AUTHEN/START (2153705482): using "default" list
03:27:12: AAA/AUTHEN/START (2153705482): Method=radius (radius)
03:27:12: AAA/AUTHEN (2153705482): status = GETUSER
03:27:16: AAA/AUTHEN/CONT (2153705482): continue_login (user='(undef)')
03:27:16: AAA/AUTHEN (2153705482): status = GETUSER
03:27:16: AAA/AUTHEN (2153705482): Method=radius (radius)
03:27:16: AAA/AUTHEN (2153705482): status = GETPASS
03:27:17: AAA/AUTHEN/CONT (2153705482): continue_login (user='admin')
03:27:17: AAA/AUTHEN (2153705482): status = GETPASS
03:27:17: AAA/AUTHEN (2153705482): Method=radius (radius)
03:27:17: AAA/AUTHEN (2153705482): status = PASS


I hope you can help me.
Thanks

Simo
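Added example, not part of the post above and not FreeRADIUS code: a small Python parser for the two artefacts the post quotes, the users-file entry (check items on the first line, reply items on the indented continuation lines) and the "Sending Access-Accept" block of `freeradius -X` output. It extracts the IOS privilege level from the Cisco-AVPair value and lets you confirm that the level configured in the users file is the one the server actually put in the Access-Accept. The sample texts are constructed for this example (the `admin` entry mirrors the post; the `ops` user at privilege level 1 is hypothetical).

```python
import re
from dataclasses import dataclass, field

# Constructed sample users-file text: the 'admin' entry from the post plus a
# hypothetical read-only 'ops' entry at privilege level 1.
USERS_FILE = '''\
admin   Cleartext-Password := "pass"
                Service-Type = NAS-Prompt-User,
                cisco-avpair = "shell:priv-lvl=15"

ops     Cleartext-Password := "ro-pass"
                Service-Type = NAS-Prompt-User,
                cisco-avpair = "shell:priv-lvl=1"
'''

# Constructed excerpt in the shape of 'freeradius -X' output (Access-Accept only).
DEBUG_OUTPUT = '''\
Sending Access-Accept of id 23 to 192.168.178.2 port 1812
        Service-Type = NAS-Prompt-User
        Cisco-AVPair = "shell:priv-lvl=15"
Finished request 0
'''

# One 'Attribute op value' item; values are double-quoted or bare, comma-separated.
ITEM_RE = re.compile(r'\s*([\w-]+)\s*(:=|==|\+=|=)\s*("[^"]*"|[^,\s]+)\s*,?\s*')
PRIV_RE = re.compile(r'^shell:priv-lvl=(\d{1,2})$')


@dataclass
class UserEntry:
    name: str
    check: dict = field(default_factory=dict)  # first-line items, e.g. Cleartext-Password :=
    reply: dict = field(default_factory=dict)  # indented items that go into the Access-Accept


def _split_items(text):
    """Split a line into (attribute, operator, value) triples. Attribute names are
    lower-cased because FreeRADIUS treats them case-insensitively (cisco-avpair == Cisco-AVPair)."""
    items, pos = [], 0
    while pos < len(text):
        m = ITEM_RE.match(text, pos)
        if not m:
            raise ValueError(f'cannot parse item near {text[pos:pos + 30]!r}')
        items.append((m.group(1).lower(), m.group(2), m.group(3).strip('"')))
        pos = m.end()
    return items


def parse_users_file(text):
    """A non-indented line opens an entry (name + check items); indented lines
    following it carry the entry's reply items."""
    entries, current = [], None
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith('#'):
            continue
        if line[0] not in ' \t':
            parts = line.split(None, 1)
            current = UserEntry(parts[0])
            entries.append(current)
            for name, op, value in _split_items(parts[1] if len(parts) > 1 else ''):
                current.check[name] = (op, value)
        elif current is not None:
            for name, op, value in _split_items(line):
                current.reply[name] = (op, value)
    return entries


def privilege_level(avpair):
    """IOS privilege level carried by a Cisco-AVPair value, or None for any other
    AV pair; values outside the valid 0..15 range are rejected."""
    m = PRIV_RE.match(avpair.strip())
    if not m:
        return None
    lvl = int(m.group(1))
    if not 0 <= lvl <= 15:
        raise ValueError(f'priv-lvl out of range: {lvl}')
    return lvl


def expected_privilege_levels(users_text):
    """Map each user to the privilege level its users-file entry would send."""
    levels = {}
    for entry in parse_users_file(users_text):
        item = entry.reply.get('cisco-avpair')
        if item is not None and privilege_level(item[1]) is not None:
            levels[entry.name] = privilege_level(item[1])
    return levels


def parse_access_accept(debug_text):
    """Collect the reply attributes listed under 'Sending Access-Accept' in -X output."""
    attrs, in_block = {}, False
    for line in debug_text.splitlines():
        if line.startswith('Sending Access-Accept'):
            in_block = True
            continue
        if in_block:
            if not line.startswith((' ', '\t')):
                break
            for name, _op, value in _split_items(line):
                attrs[name] = value
    return attrs


if __name__ == '__main__':
    print(expected_privilege_levels(USERS_FILE))
    print(privilege_level(parse_access_accept(DEBUG_OUTPUT)['cisco-avpair']))
```

Comparing the two results tells you which side to look at: when the users file says 15 and the Access-Accept block also carries `shell:priv-lvl=15`, the RADIUS server has done its part and the remaining question is whether the switch is configured to act on the attribute, which this parser cannot see.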



