FW: Free Radius & Cisco
freeradius at corwyn.net
freeradius at corwyn.net
Thu Dec 3 02:47:04 CET 2009
# check items on the first line; reply items (sent back in the Access-Accept) indented below
DEFAULT Huntgroup-Name == Cisco_Huntgroup, Auth-Type := ntlm_auth, Ldap-Group == "HelpDesk"
        Service-Type := NAS-Prompt-User,
        cisco-avpair := "shell:priv-lvl=1",
        Reply-Message := "Authorized Users Only"
is what I'm using. Change priv-lvl to 15 for enable
Rick
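Rick's entry above keeps the check items (huntgroup, LDAP group, Auth-Type) on the first line and the reply items that go back to the switch on the indented lines. As an added illustration, not code from this thread, here is a small Python parser for that layout with a lint that flags reply-only attributes placed on the check line (the layout of Ian's first alternative in the quoted message); the helper names are mine and the sample entries are constructed from the ones quoted in this thread.

```python
import re

# One "Attribute op value" item; operators are tried longest-first so the
# space-less "Auth-Type:=ntlm_auth" form in the reply above still tokenizes.
ITEM_RE = re.compile(r'\s*([\w-]+)\s*(:=|==|!=|=~|!~|>=|<=|=|>|<)\s*("[^"]*"|[^,\s]+)\s*,?')
# Attributes that only do something as reply items (returned to the NAS in the Access-Accept).
REPLY_ONLY = {"service-type", "cisco-avpair", "reply-message"}

def parse_items(text):
    """Return [(attr, op, value)] from a comma-separated item list."""
    return [(m.group(1), m.group(2), m.group(3).strip('"')) for m in ITEM_RE.finditer(text)]

def parse_users(text):
    """users-file layout: name plus check items on an unindented line,
    reply items on the indented lines that follow it."""
    entries = []
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if line[0].isspace():                  # indented: reply item(s) for the current entry
            entries[-1]["reply"] += parse_items(line)
        else:                                  # column 0: new entry, name then check items
            name, _, rest = line.partition(" ")
            entries.append({"name": name, "check": parse_items(rest), "reply": []})
    return entries

def lint_entry(entry):
    """Flag reply-only attributes among the check items: FreeRADIUS matches check
    items against the incoming request and never returns them to the NAS."""
    return [f'{entry["name"]}: {attr} on the check line is not sent to the NAS'
            for attr, _, _ in entry["check"] if attr.lower() in REPLY_ONLY]

# Constructed sample: the DEFAULT entry from the reply, the working "dan" entry from
# the question, and the first alternative that put reply attributes on the check line.
SAMPLE = '''\
DEFAULT Huntgroup-Name == Cisco_Huntgroup, Auth-Type:=ntlm_auth, Ldap-Group == "HelpDesk"
        Service-Type := NAS-Prompt-User,
        cisco-avpair := "shell:priv-lvl=1",
        Reply-Message := "Authorized Users Only"
dan Cleartext-Password := "password"
        Reply-Message = "Hello, %{User-Name}",
        Service-Type = Administrative-user,
        cisco-avpair = "shell:priv-lvl=15"
dan Cleartext-Password := "password", Service-Type = Administrative-user, cisco-avpair = "shell:priv-lvl=15"
        Reply-Message = "Hello, %{User-Name}"
'''
for entry in parse_users(SAMPLE):
    for warning in lint_entry(entry):
        print("WARNING:", warning)
```

Only the last entry produces warnings: its Service-Type and cisco-avpair sit on the check line, so the switch would never receive them.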
At 07:03 PM 12/2/2009, Johnston, Ian wrote:
>
>Hi,
>
>Thanks for FreeRADIUS. I'm confident it will be just what we need.
>
>I have set it up on a Dell DL360 G5 running
>CentOS 2.3 and created simple clients.conf,
>raddb.conf and users files. Radtest and logins
>from a couple of clients are working well.
>However, when I try to move up from the absolute
>basics, e.g. to give my user who telnets to a
>Cisco switch an enabled privilege level, it just
>doesn't work: the user logs on OK but is still at
>the plain command prompt. I'm sure it's
>something simple I've missed and I'd be grateful
>if you could give me any pointers.
>
>I've looked through the mailing-list archive,
>and although one question is exactly the same
>("Freeradius and Cisco (cisco-avpair =
>"shell:priv-lvl=15" doesn't work)"), I seem to have
>everything they have suggested in the answers?
>
>Thanks in advance for your help.
>
>Regards,
>
>Ian
>
>Here are some cuts from various files:
>
>Switch Config
>
>aaa authentication login nocusers group radius
>aaa authorization exec nocusers group radius
>aaa session-id common
>radius-server host 10.210.27.4 auth-port 1645 acct-port 1646
>radius-server source-ports 1645-1646
>line vty 0 4
> exec-timeout 60 0
> login authentication nocusers
>
>users
>
>dan Cleartext-Password := "password"
>        Reply-Message = "Hello, %{User-Name}",
>        Service-Type = Administrative-user,
>        cisco-avpair = "shell:priv-lvl=15"
>
>ipj Cleartext-Password := "password"
>        Reply-Message = "Hello, %{User-Name}",
>        Service-Type = NAS-Prompt-User,
>        cisco-avpair = "shell:priv-lvl=15"
>
>I also tried:
>
>dan Cleartext-Password := "password", Service-Type = Administrative-user, cisco-avpair = "shell:priv-lvl=15"
>        Reply-Message = "Hello, %{User-Name}",
>        Service-Type = Administrative-user,
>
>and
>
>dan Cleartext-Password := "password"
>        Reply-Message = "Hello, %{User-Name}",
>        Service-Type = Administrative-user, # and Shell-user, and login and a few other things !-(
>        cisco-avpair = "shell:priv-lvl=15"
>
>the login failed with the first alternate and
>logged on as a plain user on the second.
>
>Snips from radiusd -X output
>
>Sending Access-Accept of id 42 to 10.210.27.2 port 1645
>        Reply-Message = "Hello, ipj"
>        Service-Type = NAS-Prompt-User
>        Cisco-AVPair = "shell:priv-lvl=15"
>
>Sending Access-Accept of id 43 to 10.210.27.2 port 1645
>        Reply-Message = "Hello, dan"
>        Service-Type = Administrative-User
>        Cisco-AVPair = "shell:priv-lvl=15"
>
>Output from radtest
>
>[root at radius1 raddb]# radtest dan password radius1:1645 0 testing123
>Sending Access-Request of id 33 to 10.210.27.4 port 1645
>        User-Name = "dan"
>        User-Password = "password"
>        NAS-IP-Address = 10.210.27.4
>        NAS-Port = 0
>rad_recv: Access-Request packet from host 10.210.27.4 port 32770, id=33, length=55
>        User-Name = "dan"
>        User-Password = "password"
>        NAS-IP-Address = 10.210.27.4
>        NAS-Port = 0
>+- entering group authorize {...}
>++[preprocess] returns ok
>++[chap] returns noop
>++[mschap] returns noop
>[suffix] No '@' in User-Name = "dan", looking up realm NULL
>[suffix] No such realm "NULL"
>++[suffix] returns noop
>[eap] No EAP-Message, not doing EAP
>++[eap] returns noop
>++[unix] returns notfound
>[files] users: Matched entry dan at line 11
>[files] expand: Hello, %{User-Name} -> Hello, dan
>++[files] returns ok
>++[expiration] returns noop
>++[logintime] returns noop
>++[pap] returns updated
>Found Auth-Type = PAP
>+- entering group PAP {...}
>[pap] login attempt with password "password"
>[pap] Using clear text password "password"
>[pap] User authenticated successfully
>++[pap] returns ok
>Login OK: [dan] (from client radius1 port 0)
>+- entering group post-auth {...}
>++[exec] returns noop
>Sending Access-Accept of id 33 to 10.210.27.4 port 32770
>        Service-Type = Administrative-User
>        Cisco-AVPair = "shell:priv-lvl=15"
>        Reply-Message = "Hello, dan"
>Finished request 2.
>Going to the next request
>rad_recv: Access-Accept packet from host 10.210.27.4 port 1645, id=33, length=63
>Waking up in 4.9 seconds.
>        Service-Type = Administrative-User
>        Cisco-AVPair = "shell:priv-lvl=15"
>        Reply-Message = "Hello, dan"
>[root at radius1 raddb]# Cleaning up request 2 ID 33 with timestamp +62
>Ready to process requests.
>
>-
>List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
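The vty lines in the quoted switch config apply `login authentication nocusers` but not `authorization exec nocusers`. On IOS a named `aaa authorization exec` list only runs on a line where it has been applied with that command (only a list named `default` applies everywhere), and without exec authorization the switch does not act on `shell:priv-lvl`. As an added diagnostic, not from the thread, this Python snippet (helper names are mine, the config text is copied from the question) finds vty blocks on which no exec authorization runs and named exec lists that nothing applies:

```python
import re

# Constructed sample: the switch config quoted in the question, as posted.
SWITCH_CONFIG = """\
aaa authentication login nocusers group radius
aaa authorization exec nocusers group radius
aaa session-id common
radius-server host 10.210.27.4 auth-port 1645 acct-port 1646
radius-server source-ports 1645-1646
line vty 0 4
 exec-timeout 60 0
 login authentication nocusers
"""

def exec_lists(config):
    """Names of all 'aaa authorization exec <name> ...' method lists."""
    return set(re.findall(r"^aaa authorization exec (\S+) ", config, re.M))

def vty_exec_lists(config):
    """Map each 'line vty' block to the list applied by 'authorization exec <name>', or None."""
    applied, current = {}, None
    for line in config.splitlines():
        if line.startswith("line vty"):
            current = line
            applied[current] = None
        elif current and line.startswith(" "):          # indented: still inside the line block
            m = re.match(r"\s+authorization exec (\S+)", line)
            if m:
                applied[current] = m.group(1)
        else:
            current = None                              # an unindented line ends the block
    return applied

def vty_without_exec_authz(config):
    """vty blocks on which no exec authorization runs: no list applied to the line
    and no 'default' list defined. RADIUS shell:priv-lvl is never consulted there."""
    has_default = "default" in exec_lists(config)
    return sorted(v for v, lst in vty_exec_lists(config).items() if lst is None and not has_default)

def unapplied_exec_lists(config):
    """Named lists that exist but are applied to no vty block."""
    used = {lst for lst in vty_exec_lists(config).values() if lst}
    return sorted(exec_lists(config) - used - {"default"})

if __name__ == "__main__":
    print("vty blocks without exec authorization:", vty_without_exec_authz(SWITCH_CONFIG))
    print("exec lists defined but unused:", unapplied_exec_lists(SWITCH_CONFIG))
```

On the quoted config both checks fire for `line vty 0 4` and `nocusers`; adding `authorization exec nocusers` under the vty block clears both.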