FW: Free Radius & Cisco

freeradius at corwyn.net
Thu Dec 3 02:47:04 CET 2009


DEFAULT Huntgroup-Name == Cisco_Huntgroup, Auth-Type := ntlm_auth, Ldap-Group == "HelpDesk"
         Service-Type := NAS-Prompt-User,
         cisco-avpair := "shell:priv-lvl=1",
         Reply-Message := "Authorized Users Only"


is what I'm using. Change priv-lvl to 15 for enable

Rick

At 07:03 PM 12/2/2009, Johnston, Ian wrote:
>
>Hi,
>
>Thanks for Free Radius – I’m confident it will be just what we need.
>
>I have set it up on a Dell DL360 G5 running CentOS 2.3 and created simple
>clients.conf, raddb.conf and users files. Radtest and logins from a couple
>of clients are working well. However, when I try to move up from the
>absolute basics, e.g. to give my user who telnets to a Cisco switch an
>enabled privilege level, it just doesn’t work: the user logs on OK but is
>still at the plain command prompt. I’m sure it’s something simple I’ve
>missed and I’d be grateful if you could give me any pointers.
>
>I’ve looked through the mailing-list archive, and although one question is
>exactly the same ("Freeradius and Cisco (cisco-avpair = "shell:priv-lvl=15"
>doesn't work)"), I seem to have everything they have suggested in the answers?
>
>Thanks in advance for your help.
>
>
>
>Regards,
>
>Ian
>
>
>
>Here are some cuts from various files:
>
>Switch Config
>
>aaa authentication login nocusers group radius
>
>aaa authorization exec nocusers group radius
>
>aaa session-id common
>
>radius-server host 10.210.27.4 auth-port 1645 acct-port 1646
>
>radius-server source-ports 1645-1646
>
>line vty 0 4
>
>    exec-timeout 60 0
>
>    login authentication nocusers
>
>
>users
>
>dan     Cleartext-Password := "password"
>
>         Reply-Message = "Hello, %{User-Name}",
>
>         Service-Type = Administrative-user,
>
>         cisco-avpair = "shell:priv-lvl=15"
>
>
>
>ipj     Cleartext-Password := "password"
>
>         Reply-Message = "Hello, %{User-Name}",
>
>         Service-Type = NAS-Prompt-User,
>
>         cisco-avpair = "shell:priv-lvl=15"
>
>
>
>I also tried:
>
>dan     Cleartext-Password := "password", Service-Type = Administrative-user, cisco-avpair = "shell:priv-lvl=15"
>
>         Reply-Message = "Hello, %{User-Name}",
>
>         Service-Type = Administrative-user,
>
>
>
>and
>
>dan     Cleartext-Password := "password"
>
>         Reply-Message = "Hello, %{User-Name}",
>
>         Service-Type = “Administrative-user”,                  # and Shell-user, and login and a few other things !-(
>
>         cisco-avpair = "shell:priv-lvl=15"
>
>
>
>the login failed with the first alternate and 
>logged on as a plain user on the second.
>
>
>Snips from radiusd -X output
>
>Sending Access-Accept of id 42 to 10.210.27.2 port 1645
>
>         Reply-Message = "Hello, ipj"
>
>         Service-Type = NAS-Prompt-User
>
>         Cisco-AVPair = "shell:priv-lvl=15"
>
>
>
>Sending Access-Accept of id 43 to 10.210.27.2 port 1645
>
>         Reply-Message = "Hello, dan"
>
>         Service-Type = Administrative-User
>
>         Cisco-AVPair = "shell:priv-lvl=15"
>
>
>Output from radtest
>
>[root at radius1 raddb]# radtest dan password radius1:1645 0 testing123
>
>Sending Access-Request of id 33 to 10.210.27.4 port 1645
>
>         User-Name = "dan"
>
>         User-Password = "password"
>
>         NAS-IP-Address = 10.210.27.4
>
>         NAS-Port = 0
>
>rad_recv: Access-Request packet from host 10.210.27.4 port 32770, id=33, length=55
>
>         User-Name = "dan"
>
>         User-Password = "password"
>
>         NAS-IP-Address = 10.210.27.4
>
>         NAS-Port = 0
>
>+- entering group authorize {...}
>
>++[preprocess] returns ok
>
>++[chap] returns noop
>
>++[mschap] returns noop
>
>[suffix] No '@' in User-Name = "dan", looking up realm NULL
>
>[suffix] No such realm "NULL"
>
>++[suffix] returns noop
>
>[eap] No EAP-Message, not doing EAP
>
>++[eap] returns noop
>
>++[unix] returns notfound
>
>[files] users: Matched entry dan at line 11
>
>[files]         expand: Hello, %{User-Name} -> Hello, dan
>
>++[files] returns ok
>
>++[expiration] returns noop
>
>++[logintime] returns noop
>
>++[pap] returns updated
>
>Found Auth-Type = PAP
>
>+- entering group PAP {...}
>
>[pap] login attempt with password "password"
>
>[pap] Using clear text password "password"
>
>[pap] User authenticated successfully
>
>++[pap] returns ok
>
>Login OK: [dan] (from client radius1 port 0)
>
>+- entering group post-auth {...}
>
>++[exec] returns noop
>
>Sending Access-Accept of id 33 to 10.210.27.4 port 32770
>
>         Service-Type = Administrative-User
>
>         Cisco-AVPair = "shell:priv-lvl=15"
>
>         Reply-Message = "Hello, dan"
>
>Finished request 2.
>
>Going to the next request
>
>rad_recv: Access-Accept packet from host 10.210.27.4 port 1645, id=33, length=63
>
>Waking up in 4.9 seconds.
>
>         Service-Type = Administrative-User
>
>         Cisco-AVPair = "shell:priv-lvl=15"
>
>         Reply-Message = "Hello, dan"
>
>[root at radius1 raddb]# Cleaning up request 2 ID 33 with timestamp +62
>
>Ready to process requests.
>
>
>-
>List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
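Rick's DEFAULT entry above pushes priv-lvl 1 to help-desk users, while Ian's per-user entries push priv-lvl 15. The following is an added example, not code from the thread or from the FreeRADIUS project: a small Python parser for users-file entries in the format both of them posted (name or DEFAULT plus check items on the first line, indented reply items on the following lines) with an audit that reports which IOS privilege level each entry hands to the switch, which entries push none, and which keep a Cleartext-Password. SAMPLE_USERS is a constructed sample that combines the two styles; the operator set, the case-insensitive attribute matching and the audit rules are my assumptions, not a FreeRADIUS API.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

Item = Tuple[str, str, str]  # (attribute, operator, value)

# Constructed sample in FreeRADIUS users-file syntax, not the thread's actual files:
# a DEFAULT entry keyed on a huntgroup (Rick's style) plus two per-user entries.
SAMPLE_USERS = '''
DEFAULT Huntgroup-Name == Cisco_Huntgroup, Auth-Type := ntlm_auth, Ldap-Group == "HelpDesk"
        Service-Type := NAS-Prompt-User,
        cisco-avpair := "shell:priv-lvl=1",
        Reply-Message := "Authorized Users Only"
dan     Cleartext-Password := "password"
        Reply-Message = "Hello, %{User-Name}",
        Service-Type = Administrative-User,
        cisco-avpair = "shell:priv-lvl=15"
ipj     Cleartext-Password := "password"     # no cisco-avpair: switch default applies
        Reply-Message = "Hello, %{User-Name}",
        Service-Type = NAS-Prompt-User
'''


@dataclass
class Entry:
    name: str
    checks: List[Item] = field(default_factory=list)
    replies: List[Item] = field(default_factory=list)

    def reply(self, attr: str) -> Optional[str]:
        # RADIUS attribute names are case-insensitive (cisco-avpair == Cisco-AVPair)
        for a, _op, value in self.replies:
            if a.lower() == attr.lower():
                return value
        return None


# attribute, one of the users-file operators, then the value (quotes stripped in _parse_item)
_ITEM = re.compile(r'^([A-Za-z0-9_.-]+)\s*(==|:=|!=|\+=|=)\s*(.*)$')
_PRIV = re.compile(r'^shell:priv-lvl=(\d+)$')


def _split_items(line: str) -> List[str]:
    """Split on commas outside double quotes; drop a trailing # comment."""
    items, buf, quoted = [], [], False
    for ch in line:
        if ch == '"':
            quoted = not quoted
        elif ch == '#' and not quoted:
            break
        elif ch == ',' and not quoted:
            items.append(''.join(buf))
            buf = []
            continue
        buf.append(ch)
    items.append(''.join(buf))
    return [i.strip() for i in items if i.strip()]


def _parse_item(text: str) -> Item:
    m = _ITEM.match(text)
    if not m:
        raise ValueError(f'malformed item: {text!r}')
    attr, op, value = m.groups()
    return attr, op, value.strip('"')


def parse_users(text: str) -> List[Entry]:
    """Unindented lines start an entry (name + check items); indented lines add reply items."""
    entries: List[Entry] = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith('#'):
            continue
        if raw[0] in ' \t':
            entries[-1].replies.extend(_parse_item(i) for i in _split_items(raw))
        else:
            parts = re.split(r'\s+', raw.strip(), maxsplit=1)
            checks = _split_items(parts[1]) if len(parts) > 1 else []
            entries.append(Entry(parts[0], [_parse_item(i) for i in checks]))
    return entries


def priv_level(entry: Entry) -> Optional[int]:
    """IOS privilege level pushed via cisco-avpair, or None if the entry pushes none."""
    value = entry.reply('cisco-avpair')
    m = _PRIV.match(value) if value is not None else None
    return int(m.group(1)) if m else None


def audit(entries: List[Entry]) -> List[str]:
    """Findings a reviewer of the users file would want, as 'name: message' strings."""
    findings = []
    for e in entries:
        lvl, service = priv_level(e), e.reply('Service-Type')
        if lvl is not None and not 0 <= lvl <= 15:
            findings.append(f'{e.name}: priv-lvl {lvl} is outside the IOS range 0-15')
        elif lvl == 15:
            findings.append(f'{e.name}: grants priv-lvl 15 (full enable); confirm this is intended')
        if service is not None and lvl is None:
            findings.append(f'{e.name}: Service-Type {service} but no shell:priv-lvl reply; '
                            'the switch applies its own default level')
        if any(a.lower() == 'cleartext-password' for a, _op, _v in e.checks):
            findings.append(f'{e.name}: Cleartext-Password stored in the users file')
    return findings


if __name__ == '__main__': print('\n'.join(audit(parse_users(SAMPLE_USERS))))
```

Run over the sample, the audit flags dan for priv-lvl 15, ipj for pushing no privilege level at all, and both per-user entries for keeping a plaintext password, while the DEFAULT entry passes clean. One caveat that sits outside the users file: the shell:priv-lvl reply only changes the user's level if the switch actually runs exec authorization against RADIUS for that line, so a named `aaa authorization exec` method list has to be referenced on the vty with `authorization exec <list>` (only a list named `default` applies without that line).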
