Cisco AVpairs again.

David Bell David.Bell at dxi.net
Tue Mar 4 10:34:38 CET 2008


Hi folks, same David Bell, different email address :)

Well I now have RADIUS and Cisco working pretty much as I want.

However it seems to be passing the AVPair stuff back, but the Cisco doesn't
seem to recognise it.

Where have I gone wrong?

My Users file has the following:

DEFAULT Ldap-Group == "SMC7", Auth-Type := Accept
    Reply-Message = "You now have level 7 access as part of the SMC
Group\n",
    cisco-avpair = "shell:priv-lvl=7"

When I log in I see FreeRADIUS reply with the relevant parts:

++[ldap] returns ok
++[expiration] returns noop
++[logintime] returns noop
rlm_pap: Found existing Auth-Type, not changing it.
++[pap] returns noop
  rad_check_password:  Found Auth-Type Accept
  rad_check_password: Auth-Type = Accept, accepting the user
Login OK: [bob/pass1] (from client 212.95.252.0/24 port 0)
Sending Access-Accept of id 10 to 212.95.252.25 port 39111
        Reply-Message = "You now have level 7 access as part of the SMC
Group\n"
        Cisco-AVPair = "shell:priv-lvl=7"
Finished request 0.
Going to the next request
Waking up in 0.9 seconds.
Waking up in 4.0 seconds.
Cleaning up request 0 ID 10 with timestamp +7
Ready to process requests.

With verbose RADIUS debugging on the Cisco:

Username: bob
Password: 
You now have level 7 access as part of the SMC Group


Switch>
16:10:20: RADIUS: Pick NAS IP for u=0x3C8D5F8 tableid=0 cfg_addr=0.0.0.0
16:10:20: RADIUS: ustruct sharecount=1
16:10:20: Radius: radius_port_info() success=1 radius_nas_port=1
16:10:20: RADIUS: added cisco VSA 2 len 4 "tty0"
16:10:20: RADIUS: Received from id 1645/10 212.95.255.242:1812,
Access-Accept, len 99
16:10:20: RADIUS: saved authorization data for user 3C8D5F8 at 3CD2348

When I ask the Cisco for the current privilege level:

Switch>show priv
Current privilege level is 1

Anyone got any pointers?

David
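
An added check, not part of David's post: encoding the two reply items from the users file in RADIUS wire format (RFC 2865 attribute layout; Cisco vendor ID 9 with Cisco-AVPair as vendor sub-attribute 1, as in the FreeRADIUS Cisco dictionary) and comparing the result with the "len 99" the switch logged tells you whether the Access-Accept the switch received carried both attributes unchanged, which rules the reply itself in or out before looking at the switch's own authorization setup. The switch debug line is re-joined onto one line from the post, and the function names are assumptions of this example.

```python
import re
import struct

# Reply items from the users file entry in the post (values copied from the page).
REPLY_MESSAGE = "You now have level 7 access as part of the SMC Group\n"
CISCO_AVPAIR = "shell:priv-lvl=7"
# The switch debug line from the post, re-joined onto one line (constructed sample).
NAS_DEBUG_LINE = ("16:10:20: RADIUS: Received from id 1645/10 212.95.255.242:1812, "
                  "Access-Accept, len 99")

RADIUS_HEADER_LEN = 20       # code(1) id(1) length(2) authenticator(16), RFC 2865
ATTR_REPLY_MESSAGE = 18      # RFC 2865 Reply-Message
ATTR_VENDOR_SPECIFIC = 26    # RFC 2865 Vendor-Specific
VENDOR_CISCO = 9             # Cisco's IANA enterprise number
CISCO_AVPAIR_VTYPE = 1       # Cisco-AVPair sub-attribute type inside the VSA


def encode_attr(attr_type: int, value: bytes) -> bytes:
    """Standard attribute: type(1) length(1) value; length includes the 2-byte header."""
    if len(value) > 253:
        raise ValueError("value does not fit in a single RADIUS attribute")
    return struct.pack("!BB", attr_type, 2 + len(value)) + value


def encode_vsa(vendor_id: int, vendor_type: int, value: bytes) -> bytes:
    """Vendor-Specific attribute carrying one vendor sub-attribute (RFC 2865 s5.26)."""
    sub = struct.pack("!BB", vendor_type, 2 + len(value)) + value
    return encode_attr(ATTR_VENDOR_SPECIFIC, struct.pack("!I", vendor_id) + sub)


def access_accept_length(reply_message: str, cisco_avpair: str) -> int:
    """Wire length of an Access-Accept carrying exactly these two reply attributes."""
    attrs = encode_attr(ATTR_REPLY_MESSAGE, reply_message.encode("ascii"))
    attrs += encode_vsa(VENDOR_CISCO, CISCO_AVPAIR_VTYPE, cisco_avpair.encode("ascii"))
    return RADIUS_HEADER_LEN + len(attrs)


def nas_reported_length(debug_line: str) -> int:
    """Pull the packet length out of a Cisco 'RADIUS: Received from ...' debug line."""
    m = re.search(r"Access-Accept, len (\d+)", debug_line)
    if not m:
        raise ValueError("no Access-Accept length in debug line")
    return int(m.group(1))


def reply_reached_nas_intact(reply_message: str, cisco_avpair: str, debug_line: str) -> bool:
    """True when the length the switch logged equals the length the users file reply produces."""
    return access_accept_length(reply_message, cisco_avpair) == nas_reported_length(debug_line)


if __name__ == "__main__":
    print(access_accept_length(REPLY_MESSAGE, CISCO_AVPAIR))  # 99, matching the switch debug
```

A match means the switch got the Reply-Message and the Cisco-AVPair exactly as sent; a mismatch would point at an attribute being dropped or rewritten before it reached the NAS.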