Cisco AVpairs again.
Ivan Kalik
tnt at kalik.net
Tue Mar 4 11:34:37 CET 2008
Ah, there is no Service-Type in your reply. It should be Service-Type =
NAS-Prompt-User. Service-Type should be in the request too, so make sure
it is this one.
Ivan Kalik
Kalik Informatika ISP
On 4/3/2008, "David Bell" <David.Bell at dxi.net> wrote:
>Thanks for the reply Ivan - sorry to keep dragging this up.
>
>I have another user configured as lvl 15 - here's the output from freeRADIUS
>
>Login OK: [tom/pass1] (from client 212.95.252.0/24 port 0)
>Sending Access-Accept of id 13 to 212.95.252.25 port 43419
> Reply-Message = "You now have level 15 access as part of the SMC
>Group\n"
> Cisco-AVPair = "shell:priv-lvl=15"
>Finished request 1.
>
>And on the cisco
>
>Username: tom
>Password:
>You now have level 15 access as part of the SMC Group
>
>
>Switch>
>16:46:33: RADIUS: Pick NAS IP for u=0x3C8D3A0 tableid=0 cfg_addr=0.0.00
>16:46:33: RADIUS: ustruct sharecount=1
>16:46:33: Radius: radius_port_info() success=1 radius_nas_port=1
>16:46:33: RADIUS: added cisco VSA 2 len 4 "tty0"
>16:46:33: RADIUS: Received from id 1645/13 212.95.255.242:1812,
>Access-Accept, len 101
>16:46:33: RADIUS: saved authorization data for user 3C8D3A0 at 3D46150
>Switch>sh priv
>Current privilege level is 1
>
>here's the AAA config of the Cisco
>
>aaa new-model
>aaa authentication login default group radius local
>aaa authentication login radius-login group radius local
>aaa authorization exec default none
>aaa authorization network default group radius none
>
>and the RADIUS config
>
>radius-server host 212.95.255.242 auth-port 1812 acct-port 1813 timeout 3
>retransmit 3 key testing
>radius-server source-ports 1645-1646
>radius-server vsa send accounting
>radius-server vsa send authentication
>
>Thanks again
>
>David
>
>-----Original Message-----
>From: Ivan Kalik [mailto:tnt at kalik.net]
>Sent: 04 March 2008 09:58
>To: FreeRadius users mailing list
>Subject: Re: Cisco AVpairs again.
>
>
>Have you configured that priv level? Only 1 and 15 are configured by
>default.
>
>Ivan Kalik
>Kalik Informatika ISP
>
>
>On 4/3/2008, "David Bell" <David.Bell at dxi.net> wrote:
>
>>Hi folks, same David Bell, different email address :)
>>
>>Well I now have RADIUS and Cisco working pretty much as I want.
>>
>>However, it seems to be passing the AVPair stuff back, but the Cisco doesn't
>>seem to recognise it.
>>
>>Where have I gone wrong?
>>
>>My Users file has the following
>>
>>DEFAULT Ldap-Group == "SMC7", Auth-Type := Accept
>> Reply-Message = "You now have level 7 access as part of the SMC
>>Group\n",
>> cisco-avpair = "shell:priv-lvl=7"
>>
>>When I log in I see freeRADIUS reply with the relevant parts
>>
>>++[ldap] returns ok
>>++[expiration] returns noop
>>++[logintime] returns noop
>>rlm_pap: Found existing Auth-Type, not changing it.
>>++[pap] returns noop
>> rad_check_password: Found Auth-Type Accept
>> rad_check_password: Auth-Type = Accept, accepting the user
>>Login OK: [bob/pass1] (from client 212.95.252.0/24 port 0)
>>Sending Access-Accept of id 10 to 212.95.252.25 port 39111
>> Reply-Message = "You now have level 7 access as part of the SMC
>>Group\n"
>> Cisco-AVPair = "shell:priv-lvl=7"
>>Finished request 0.
>>Going to the next request
>>Waking up in 0.9 seconds.
>>Waking up in 4.0 seconds.
>>Cleaning up request 0 ID 10 with timestamp +7
>>Ready to process requests.
>>
>>With verbose RADIUS debugging on the Cisco
>>
>>Username: bob
>>Password:
>>You now have level 7 access as part of the SMC Group
>>
>>
>>Switch>
>>16:10:20: RADIUS: Pick NAS IP for u=0x3C8D5F8 tableid=0 cfg_addr=0.0.00
>>16:10:20: RADIUS: ustruct sharecount=1
>>16:10:20: Radius: radius_port_info() success=1 radius_nas_port=1
>>16:10:20: RADIUS: added cisco VSA 2 len 4 "tty0"
>>16:10:20: RADIUS: Received from id 1645/10 212.95.255.242:1812,
>>Access-Accept, len 99
>>16:10:20: RADIUS: saved authorization data for user 3C8D5F8 at 3CD2348
>>
>>When I ask the cisco for the current privilege level
>>
>>Switch>show priv
>>Current privilege level is 1
>>
>>Anyone got any pointers?
>>
>>David
>>
>>-
>>List info/subscribe/unsubscribe? See
>>http://www.freeradius.org/list/users.html
>>
>>
>
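As an added example for this thread (not code from FreeRADIUS, Cisco, or either poster): a small Python checker that parses the `Sending Access-Accept ...` blocks that `radiusd -X` prints, collects the reply attributes, and reports whether a reply carries both `Service-Type = NAS-Prompt-User` and a `Cisco-AVPair` of `shell:priv-lvl=N`, which is what Ivan's answer says the IOS exec login needs. The debug text embedded in it is constructed to mirror the output quoted above; the second reply (user `alice`, id 14) is invented to show a reply that passes the check. It also matches the switch's `RADIUS: Received from id 1645/13 ...` debug line back to the server-side packet id, so you can confirm the switch is looking at the same Access-Accept the server logged.

```python
"""Check radiusd -X output for what a Cisco IOS exec login needs.

Added example for the thread; not FreeRADIUS or Cisco code.
"""
import re
from dataclasses import dataclass, field

# Server side: "Sending Access-Accept of id 13 to 212.95.252.25 port 43419"
SEND_RE = re.compile(
    r"^Sending (Access-Accept|Access-Reject|Access-Challenge) of id (\d+) "
    r"to (\S+) port (\d+)"
)
# Attribute lines are indented under the Sending line: "\tName = value"
ATTR_RE = re.compile(r"^\s+([\w-]+)\s*=\s*(.*?)\s*$")
PRIV_RE = re.compile(r"^shell:priv-lvl=(\d+)$")
# Switch side: "RADIUS: Received from id 1645/13 212.95.255.242:1812, Access-Accept, len 101"
CISCO_RX_RE = re.compile(
    r"RADIUS: Received from id (\d+)/(\d+) (\S+):(\d+),\s*(Access-\w+)"
)

# Constructed sample modelled on the debug output quoted in the thread.
# Reply id 13 is the situation David describes (no Service-Type);
# reply id 14 for "alice" is invented here and carries the full set.
SAMPLE_DEBUG = """\
Login OK: [tom/pass1] (from client 212.95.252.0/24 port 0)
Sending Access-Accept of id 13 to 212.95.252.25 port 43419
        Reply-Message = "You now have level 15 access as part of the SMC Group\\n"
        Cisco-AVPair = "shell:priv-lvl=15"
Finished request 1.
Login OK: [alice/pass2] (from client 212.95.252.0/24 port 0)
Sending Access-Accept of id 14 to 212.95.252.25 port 43420
        Service-Type = NAS-Prompt-User
        Reply-Message = "level 7\\n"
        Cisco-AVPair = "shell:priv-lvl=7"
Finished request 2.
"""
SAMPLE_CISCO = ("16:46:33: RADIUS: Received from id 1645/13 212.95.255.242:1812, "
                "Access-Accept, len 101")


@dataclass
class Reply:
    code: str
    pkt_id: int
    client: str
    # name -> list of values; RADIUS attributes may repeat in one packet
    attrs: dict = field(default_factory=dict)


def _unquote(value):
    if len(value) >= 2 and value[0] == value[-1] == '"':
        return value[1:-1]
    return value


def parse_replies(debug_text):
    """Return the reply packets found in radiusd -X output, in order."""
    replies, current = [], None
    for line in debug_text.splitlines():
        m = SEND_RE.match(line)
        if m:
            current = Reply(m.group(1), int(m.group(2)), m.group(3))
            replies.append(current)
            continue
        if current is None:
            continue
        if line.startswith("Finished request"):
            current = None          # block ends; ignore unrelated lines after it
            continue
        m = ATTR_RE.match(line)
        if m:
            current.attrs.setdefault(m.group(1), []).append(_unquote(m.group(2)))
    return replies


def priv_level(reply):
    """Privilege level requested through Cisco-AVPair, or None if absent."""
    for value in reply.attrs.get("Cisco-AVPair", []):
        m = PRIV_RE.match(value)
        if m:
            return int(m.group(1))
    return None


def check_shell_reply(reply):
    """Problems that would stop an IOS exec login from getting the level."""
    problems = []
    if reply.code != "Access-Accept":
        problems.append(f"packet is {reply.code}, not Access-Accept")
    lvl = priv_level(reply)
    if lvl is None:
        problems.append("no Cisco-AVPair shell:priv-lvl=N in reply")
    elif not 0 <= lvl <= 15:                     # IOS privilege levels are 0-15
        problems.append(f"priv-lvl {lvl} outside IOS range 0-15")
    service = reply.attrs.get("Service-Type", [])
    if service != ["NAS-Prompt-User"]:
        problems.append(f"Service-Type should be NAS-Prompt-User, got {service or 'nothing'}")
    return problems


def switch_received(reply, cisco_debug_line):
    """True if the switch's 'Received from id SRCPORT/ID' line is this reply."""
    m = CISCO_RX_RE.search(cisco_debug_line)
    return bool(m) and int(m.group(2)) == reply.pkt_id and m.group(5) == reply.code


if __name__ == "__main__":
    for r in parse_replies(SAMPLE_DEBUG):
        print(f"id {r.pkt_id}: priv-lvl={priv_level(r)} "
              f"problems={check_shell_reply(r) or 'none'}")
```

Run against the constructed sample it reports the missing Service-Type on reply 13 and nothing on reply 14; pointing `parse_replies` at a real `radiusd -X` capture gives the same per-packet verdict for every Access-Accept the server sent.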