Freeradius and Cisco (cisco-avpair = "shell:priv-lvl=15" doesn't work)

David Mitchell mitchell at ucar.edu
Fri Jul 11 17:05:35 CEST 2008


Ivan Kalik wrote:
> You need to have a look at switch radius documentation to see which
> Service-Type you are supposed to return. Administrative-User?

This is IOS, correct? You need to add
'aaa authorization exec default group radius none'
to your config or else the switch will ignore your
higher access level attributes. In my experience, you can set either the
Service-Type or the cisco av-pair. There is no need to set both.

-David Mitchell

> 
> Ivan Kalik
> Kalik Informatika ISP
> 
> 
> On 11/7/2008, "Simo" <admin at mix4web.de> wrote:
> 
>> On Fr, 2008-07-11 at 10:38 +0100, Ivan Kalik wrote:
>>> Cisco-NAS-Port = "tty2"
>> Thanks for your reply. I have set the NAS-Port to tty2 but I'm still
>> having the same problem.
>> And here is the reply of the switch (priv=1 was requested):
>>
>> 04:25:06: AAA: parse name=tty2 idb type=-1 tty=-1
>> 04:25:06: AAA: name=tty2 flags=0x11 type=5 shelf=0 slot=0 adapter=0
>> port=2 channel=0
>> 04:25:06: AAA/MEMORY: create_user (0x80D37CDC) user='' ruser=''
>> port='tty2' rem_addr='192.168.178.3' authen_type=ASCII service=LOGIN
>> priv=1
>> 04:25:06: AAA/AUTHEN/START (4223102353): port='tty2' list=''
>> action=LOGIN service=LOGIN
>> 04:25:06: AAA/AUTHEN/START (4223102353): using "default" list
>> 04:25:06: AAA/AUTHEN/START (4223102353): Method=radius (radius)
>> 04:25:06: AAA/AUTHEN (4223102353): status = GETUSER
>> 04:25:11: AAA/AUTHEN/CONT (4223102353): continue_login (user='(undef)')
>> 04:25:11: AAA/AUTHEN (4223102353): status = GETUSER
>> 04:25:11: AAA/AUTHEN (4223102353): Method=radius (radius)
>> 04:25:11: AAA/AUTHEN (4223102353): status = GETPASS
>> 04:25:12: AAA/AUTHEN/CONT (4223102353): continue_login (user='admin')
>> 04:25:12: AAA/AUTHEN (4223102353): status = GETPASS
>> 04:25:12: AAA/AUTHEN (4223102353): Method=radius (radius)
>> 04:25:12: AAA/AUTHEN (4223102353): status = PASS
>>
>> Thanks for help
>> Simo
>>
>>
>> -
>> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
> 


-- 
-----------------------------------------------------------------
| David Mitchell (mitchell at ucar.edu)       Network Engineer IV  |
| Tel: (303) 497-1845                      National Center for  |
| FAX: (303) 497-1818                      Atmospheric Research |
-----------------------------------------------------------------
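
Added example, not part of the original message and not code from FreeRADIUS or Cisco: a small Python check for the condition described in the reply above, where the default login list authenticates against RADIUS but no exec authorization line exists, so returned privilege attributes are ignored. The sample configurations are constructed, and the function names are hypothetical; only the `default` method lists are examined.

```python
import re

# Constructed sample configurations (not taken from the thread).
CONFIG_MISSING = """\
aaa new-model
aaa authentication login default group radius local
"""
CONFIG_FIXED = CONFIG_MISSING + "aaa authorization exec default group radius none\n"


def aaa_methods(config, kind, service, list_name="default"):
    """Return the method tokens of 'aaa <kind> <service> <list_name> ...', or None."""
    pattern = re.compile(
        r"^\s*aaa\s+%s\s+%s\s+%s\s+(.+?)\s*$" % (kind, service, re.escape(list_name)),
        re.IGNORECASE | re.MULTILINE,
    )
    match = pattern.search(config)
    return match.group(1).split() if match else None


def uses_radius(methods):
    """True if the method list contains the token pair 'group radius'."""
    pairs = zip(methods, methods[1:])
    return any(a.lower() == "group" and b.lower() == "radius" for a, b in pairs)


def check_exec_authorization(config):
    """Return (status, message) for the default login and exec method lists."""
    login = aaa_methods(config, "authentication", "login")
    if not login or not uses_radius(login):
        return "n/a", "default login list does not authenticate via RADIUS"
    author = aaa_methods(config, "authorization", "exec")
    if author is None:
        return "missing", ("no 'aaa authorization exec default' line: Service-Type "
                           "or shell:priv-lvl from RADIUS will be ignored")
    if not uses_radius(author):
        return "not-radius", "exec authorization exists but does not consult RADIUS"
    return "ok", "exec authorization consults RADIUS: " + " ".join(author)


if __name__ == "__main__":
    for name, cfg in (("before", CONFIG_MISSING), ("after", CONFIG_FIXED)):
        status, message = check_exec_authorization(cfg)
        print("%s: %s (%s)" % (name, status, message))
```
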
