Freeradius and Cisco (cisco-avpair = "shell:priv-lvl=15" doesn't work)

Alan DeKok aland at
Fri Jul 11 11:17:50 CEST 2008

Simo wrote:
> i'm trying to do the authentication of cisco cat switches with the
> freeradius. The Authentication works fine, also the authentication of
> the enable lvl mode (e.g. $enab15$) and the accounting too (the
> configuration is from the freeradius-wiki cisco artical). 
> But i'm still having a problem with cisco-avpair attribute. I don't know
> why shell:priv-lvl=15 doesn't work. I want, that the user will be
> directly logged in to the priv-lvl without doing the enable
> authentication.

  Read the switch documentation to see what RADIUS attributes it expects
to see in the response, in order to enable admin login access.

> i'm using the Version 1.1.7 of Radius (Debian Package)
> and here ist my configuration (i have switched from sql database to
> files for debugging ):
> admin   Cleartext-Password := "pass"
>                 Service-Type = NAS-Prompt-User,
>                 cisco-avpair = "shell:priv-lvl=15"

  That doesn't look right.  You probably want "Service-Type = Login-User".

  Again, this is documented in the switch manual.

  Alan DeKok.

More information about the Freeradius-Users mailing list