Cisco AVpairs again.

David Bell David.Bell at dxi.net
Tue Mar 4 12:10:30 CET 2008


Not sure if you mean the server or the router - so here's both - router 1st
 


Username: tom
Password: 
You now have level 15 access as part of the SMC Group


Switch>
17:47:10: RADIUS: Pick NAS IP for u=0x3C8D630 tableid=0 cfg_addr=0.0.0.0
17:47:10: RADIUS: ustruct sharecount=1
17:47:10: Radius: radius_port_info() success=1 radius_nas_port=1
17:47:10: RADIUS: added cisco VSA 2 len 4 "tty0"
17:47:10: RADIUS: Received from id 1645/20 212.95.255.242:1812,
Access-Accept, len 107
17:47:10: RADIUS: saved authorization data for user 3C8D630 at 33E3448



Now server



Ready to process requests.
rad_recv: Access-Request packet from host 212.95.252.25 port 49365, id=20,
length=73
        NAS-IP-Address = 10.10.11.78
        NAS-Port = 0
        Cisco-NAS-Port = "tty0"
        NAS-Port-Type = Async
        User-Name = "tom"
        User-Password = "pass1"
+- entering group authorize
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
    rlm_realm: No '@' in User-Name = "tom", looking up realm NULL
    rlm_realm: No such realm "NULL"
++[suffix] returns noop
  rlm_eap: No EAP-Message, not doing EAP
++[eap] returns noop
++[unix] returns notfound
rlm_ldap: Entering ldap_groupcmp()
        expand: dc=dxi,dc=net -> dc=dxi,dc=net
WARNING: Deprecated conditional expansion ":-".  See "man unlang" for
details
        expand: (uid=%{Stripped-User-Name:-%{User-Name}}) -> (uid=tom)
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: attempting LDAP reconnection
rlm_ldap: (re)connect to localhost:389, authentication 0
rlm_ldap: bind as cn=Administrator,dc=dxi,dc=net/trPic4n03 to localhost:389
rlm_ldap: waiting for bind result ...
rlm_ldap: Bind was successful
rlm_ldap: performing search in dc=dxi,dc=net, with filter (uid=tom)
rlm_ldap: ldap_release_conn: Release Id: 0
        expand: (&(objectClass=GroupOfNames)(member=
uid=%{User-Name},ou=people,dc=dxi,dc=net)) ->
(&(objectClass=GroupOfNames)(member= uid=tom,ou=people,dc=dxi,dc=net))
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in dc=dxi,dc=net, with filter
(&(cn=Operations)(&(objectClass=GroupOfNames)(member=
uid=tom,ou=people,dc=dxi,dc=net)))
rlm_ldap: object not found or got ambiguous search result
rlm_ldap: ldap_release_conn: Release Id: 0
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in uid=tom,ou=people,dc=dxi,dc=net, with filter
(objectclass=*)
rlm_ldap::ldap_groupcmp: ldap_get_values() failed
rlm_ldap: ldap_release_conn: Release Id: 0
rlm_ldap: Entering ldap_groupcmp()
        expand: dc=dxi,dc=net -> dc=dxi,dc=net
        expand: (&(objectClass=GroupOfNames)(member=
uid=%{User-Name},ou=people,dc=dxi,dc=net)) ->
(&(objectClass=GroupOfNames)(member= uid=tom,ou=people,dc=dxi,dc=net))
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in dc=dxi,dc=net, with filter
(&(cn=Engineering)(&(objectClass=GroupOfNames)(member=
uid=tom,ou=people,dc=dxi,dc=net)))
rlm_ldap: object not found or got ambiguous search result
rlm_ldap: ldap_release_conn: Release Id: 0
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in uid=tom,ou=people,dc=dxi,dc=net, with filter
(objectclass=*)
rlm_ldap::ldap_groupcmp: ldap_get_values() failed
rlm_ldap: ldap_release_conn: Release Id: 0
rlm_ldap: Entering ldap_groupcmp()
        expand: dc=dxi,dc=net -> dc=dxi,dc=net
        expand: (&(objectClass=GroupOfNames)(member=
uid=%{User-Name},ou=people,dc=dxi,dc=net)) ->
(&(objectClass=GroupOfNames)(member= uid=tom,ou=people,dc=dxi,dc=net))
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in dc=dxi,dc=net, with filter
(&(cn=Networks)(&(objectClass=GroupOfNames)(member=
uid=tom,ou=people,dc=dxi,dc=net)))
rlm_ldap: object not found or got ambiguous search result
rlm_ldap: ldap_release_conn: Release Id: 0
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in uid=tom,ou=people,dc=dxi,dc=net, with filter
(objectclass=*)
rlm_ldap::ldap_groupcmp: ldap_get_values() failed
rlm_ldap: ldap_release_conn: Release Id: 0
rlm_ldap: Entering ldap_groupcmp()
        expand: dc=dxi,dc=net -> dc=dxi,dc=net
        expand: (&(objectClass=GroupOfNames)(member=
uid=%{User-Name},ou=people,dc=dxi,dc=net)) ->
(&(objectClass=GroupOfNames)(member= uid=tom,ou=people,dc=dxi,dc=net))
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in dc=dxi,dc=net, with filter
(&(cn=SMC7)(&(objectClass=GroupOfNames)(member=
uid=tom,ou=people,dc=dxi,dc=net)))
rlm_ldap: object not found or got ambiguous search result
rlm_ldap: ldap_release_conn: Release Id: 0
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in uid=tom,ou=people,dc=dxi,dc=net, with filter
(objectclass=*)
rlm_ldap::ldap_groupcmp: ldap_get_values() failed
rlm_ldap: ldap_release_conn: Release Id: 0
rlm_ldap: Entering ldap_groupcmp()
        expand: dc=dxi,dc=net -> dc=dxi,dc=net
        expand: (&(objectClass=GroupOfNames)(member=
uid=%{User-Name},ou=people,dc=dxi,dc=net)) ->
(&(objectClass=GroupOfNames)(member= uid=tom,ou=people,dc=dxi,dc=net))
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in dc=dxi,dc=net, with filter
(&(cn=SMC15)(&(objectClass=GroupOfNames)(member=
uid=tom,ou=people,dc=dxi,dc=net)))
rlm_ldap::ldap_groupcmp: User found in group SMC15
rlm_ldap: ldap_release_conn: Release Id: 0
    users: Matched entry DEFAULT at line 223
++[files] returns ok
rlm_ldap: - authorize
rlm_ldap: performing user authorization for tom
WARNING: Deprecated conditional expansion ":-".  See "man unlang" for
details
        expand: (uid=%{Stripped-User-Name:-%{User-Name}}) -> (uid=tom)
        expand: dc=dxi,dc=net -> dc=dxi,dc=net
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in dc=dxi,dc=net, with filter (uid=tom)
rlm_ldap: Added User-Password = {crypt}WHIENXhDRSQLE in check items
rlm_ldap: looking for check items in directory...
rlm_ldap: looking for reply items in directory...
rlm_ldap: user tom authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
++[ldap] returns ok
++[expiration] returns noop
++[logintime] returns noop
rlm_pap: Found existing Auth-Type, not changing it.
++[pap] returns noop
  rad_check_password:  Found Auth-Type Accept
  rad_check_password: Auth-Type = Accept, accepting the user
Login OK: [tom/pass1] (from client 212.95.252.0/24 port 0)
Sending Access-Accept of id 20 to 212.95.252.25 port 49365
        Service-Type = NAS-Prompt-User
        Reply-Message = "You now have level 15 access as part of the SMC
Group\n"
        Cisco-AVPair = "shell:priv-lvl=15"
Finished request 0.
Going to the next request
Waking up in 0.9 seconds. 
Waking up in 3.9 seconds. 
Cleaning up request 0 ID 20 with timestamp +6



Thanks

David
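
As an added example (not part of the thread, and not FreeRADIUS or Cisco code): a small Python check that reads the reply attributes from a radiusd -X transcript like the one above and the switch's aaa lines quoted further down, and lists why the exec privilege level would not take effect. The transcript and IOS snippet are constructed from what the thread shows; the rule that IOS applies shell:priv-lvl only when 'aaa authorization exec' uses 'group radius' is an assumption stated in the code.

```python
import re

# Constructed sample modelled on the Access-Accept in the thread, not a live capture.
FREERADIUS_DEBUG = """\
Sending Access-Accept of id 20 to 212.95.252.25 port 49365
        Service-Type = NAS-Prompt-User
        Reply-Message = "You now have level 15 access as part of the SMC Group\\n"
        Cisco-AVPair = "shell:priv-lvl=15"
Finished request 0.
"""

# Constructed IOS AAA snippet carrying the same 'exec default none' line as the thread.
IOS_AAA_CONFIG = """\
aaa authentication login default group radius local
aaa authorization exec default none
"""

ATTR_RE = re.compile(r'^\s+([\w-]+)\s*=\s*(.*)$')

def parse_access_accept(debug):
    """Collect the reply attributes radiusd -X prints after 'Sending Access-Accept'."""
    attrs, in_reply = {}, False
    for line in debug.splitlines():
        if line.startswith("Sending Access-Accept"):
            in_reply = True
        elif in_reply:
            m = ATTR_RE.match(line)
            if not m:
                break  # first non-indented line ends the attribute list
            attrs[m.group(1)] = m.group(2).strip('"')
    return attrs

def exec_priv_level(attrs):
    """Privilege level carried in Cisco-AVPair 'shell:priv-lvl=N', or None if absent."""
    m = re.fullmatch(r"shell:priv-lvl=(\d+)", attrs.get("Cisco-AVPair", ""))
    return int(m.group(1)) if m else None

def check_exec_authorization(debug, ios_config):
    """Reasons the switch would leave the user at its default privilege level."""
    problems, attrs = [], parse_access_accept(debug)
    if attrs.get("Service-Type") != "NAS-Prompt-User":
        problems.append("reply lacks Service-Type = NAS-Prompt-User")
    if exec_priv_level(attrs) is None:
        problems.append("reply lacks Cisco-AVPair shell:priv-lvl=N")
    # Assumption: IOS applies a RADIUS-supplied exec privilege level only when exec
    # authorization goes to the radius group; 'aaa authorization exec ... none' skips it.
    exec_lines = [l for l in ios_config.splitlines() if l.startswith("aaa authorization exec")]
    if not any("group radius" in l for l in exec_lines):
        problems.append("IOS 'aaa authorization exec' does not use 'group radius'")
    return problems
```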


-----Original Message-----
From: Ivan Kalik [mailto:tnt at kalik.net]
Sent: 04 March 2008 10:53
To: FreeRadius users mailing list
Subject: RE: Cisco AVpairs again.


It should be in the request. Post the whole debug with the request.

Ivan Kalik
Kalik Informatika ISP


On 4/3/2008, "David Bell" <David.Bell at dxi.net> writes:

>Added that, no difference.
>
>How do I put it in the request too?
>
>Thanks
>
>David
>
>-----Original Message-----
>From: Ivan Kalik [mailto:tnt at kalik.net]
>Sent: 04 March 2008 10:35
>To: FreeRadius users mailing list
>Subject: RE: Cisco AVpairs again.
>
>
>Ah, there is no Service-Type in your reply. It should be Service-Type =
>NAS-Prompt-User. Service type should be in the request too so make sure
>it is this one.
>
>Ivan Kalik
>Kalik Informatika ISP
>
>
>On 4/3/2008, "David Bell" <David.Bell at dxi.net> writes:
>
>>Thanks for the reply Ivan - sorry to keep dragging this up.
>>
>>I have another user configured as lvl 15 - here's the output from freeRADIUS
>>
>>Login OK: [tom/pass1] (from client 212.95.252.0/24 port 0)
>>Sending Access-Accept of id 13 to 212.95.252.25 port 43419
>>        Reply-Message = "You now have level 15 access as part of the SMC
>>Group\n"
>>        Cisco-AVPair = "shell:priv-lvl=15"
>>Finished request 1.
>>
>>And on the cisco
>>
>>Username: tom
>>Password: 
>>You now have level 15 access as part of the SMC Group
>>
>>
>>Switch>
>>16:46:33: RADIUS: Pick NAS IP for u=0x3C8D3A0 tableid=0 cfg_addr=0.0.00
>>16:46:33: RADIUS: ustruct sharecount=1
>>16:46:33: Radius: radius_port_info() success=1 radius_nas_port=1
>>16:46:33: RADIUS: added cisco VSA 2 len 4 "tty0"
>>16:46:33: RADIUS: Received from id 1645/13 212.95.255.242:1812,
>>Access-Accept, len 101
>>16:46:33: RADIUS: saved authorization data for user 3C8D3A0 at 3D46150
>>Switch>sh priv
>>Current privilege level is 1
>>
>>here's the AAA config of the Cisco
>>
>>aaa new-model
>>aaa authentication login default group radius local
>>aaa authentication login radius-login group radius local
>>aaa authorization exec default none 
>>aaa authorization network default group radius none 
>>
>>and the RADIUS config
>>
>>radius-server host 212.95.255.242 auth-port 1812 acct-port 1813 timeout 3
>>retransmit 3 key testing
>>radius-server source-ports 1645-1646
>>radius-server vsa send accounting
>>radius-server vsa send authentication
>>
>>Thanks again
>>
>>David
>>
>>
>>
>>
>>
>>-----Original Message-----
>>From: Ivan Kalik [mailto:tnt at kalik.net]
>>Sent: 04 March 2008 09:58
>>To: FreeRadius users mailing list
>>Subject: Re: Cisco AVpairs again.
>>
>>
>>Have you configured that priv level? Only 1 and 15 are configured by
>>default.
>>
>>Ivan Kalik
>>Kalik Informatika ISP
>>
>>
>>On 4/3/2008, "David Bell" <David.Bell at dxi.net> writes:
>>
>>>Hi folks, same David Bell, different email address :)
>>>
>>>Well I now have RADIUS and Cisco working pretty much as I want.
>>>
>>>However it seems to be passing the AVPair stuff back, but the Cisco doesn't
>>>seem to recognise it.
>>>
>>>Where have I gone wrong?
>>>
>>>My Users file has the following
>>>
>>>DEFAULT Ldap-Group == "SMC7", Auth-Type := Accept
>>>    Reply-Message = "You now have level 7 access as part of the SMC
>>>Group\n",
>>>    cisco-avpair = "shell:priv-lvl=7"
>>>
>>>When I log in I see freeRADIUS reply with the relevant parts
>>>
>>>++[ldap] returns ok
>>>++[expiration] returns noop
>>>++[logintime] returns noop
>>>rlm_pap: Found existing Auth-Type, not changing it.
>>>++[pap] returns noop
>>>  rad_check_password:  Found Auth-Type Accept
>>>  rad_check_password: Auth-Type = Accept, accepting the user
>>>Login OK: [bob/pass1] (from client 212.95.252.0/24 port 0)
>>>Sending Access-Accept of id 10 to 212.95.252.25 port 39111
>>>        Reply-Message = "You now have level 7 access as part of the SMC
>>>Group\n"
>>>        Cisco-AVPair = "shell:priv-lvl=7"
>>>Finished request 0.
>>>Going to the next request
>>>Waking up in 0.9 seconds.
>>>Waking up in 4.0 seconds.
>>>Cleaning up request 0 ID 10 with timestamp +7
>>>Ready to process requests.
>>>
>>>With verbose RADIUS debugging on the Cisco
>>>
>>>Username: bob
>>>Password:
>>>You now have level 7 access as part of the SMC Group
>>>
>>>
>>>Switch>
>>>16:10:20: RADIUS: Pick NAS IP for u=0x3C8D5F8 tableid=0 cfg_addr=0.000
>>>16:10:20: RADIUS: ustruct sharecount=1
>>>16:10:20: Radius: radius_port_info() success=1 radius_nas_port=1
>>>16:10:20: RADIUS: added cisco VSA 2 len 4 "tty0"
>>>16:10:20: RADIUS: Received from id 1645/10 212.95.255.242:1812,
>>>Access-Accept, len 99
>>>16:10:20: RADIUS: saved authorization data for user 3C8D5F8 at 3CD2348
>>>
>>>When I ask the cisco for the current privilege level
>>>
>>>Switch>show priv
>>>Current privilege level is 1
>>>
>>>Anyone got any pointers?
>>>
>>>David
>>>
>>>
>>>
>>>
>>>
>>>
>>>
>>>
>>>
>>>-
>>>List info/subscribe/unsubscribe? See
>>http://www.freeradius.org/list/users.html
