Privileges cisco-avpair = "shell:priv-lvl=10" doesn't work

Øystein Gyland oystegy at usit.uio.no
Fri Oct 12 10:18:36 CEST 2012


On Fri, 2012-10-12 at 09:13 +0200, Ruben Blendeman wrote:
> Hi,
> 
> I want to assign different privileges to users. These are my users:
> 
> admin     Cleartext-Password := "admin"
>         cisco-avpair = "shell:priv-lvl=15"
> 
> user1        Cleartext-Password := "user1"
>         cisco-avpair = "shell:priv-lvl=10"
> 
> user2        Cleartext-Password := "user2"
>         cisco-avpair = "shell:priv-lvl=11"
> 
> 
> But if I configure a privilege on my Cisco switch on level 10, all my
> users have the same rights.
> If I debug on my switch, my user1 is not in priv lvl 10.
> Any idea how to fix it?

Have you seen the Wiki? 
http://wiki.freeradius.org/vendor/Cisco#Shell-Access

You're not sending a "Service-Type" attribute to the switch. According
to Cisco[0], it's required to send the "shell:priv-lvl=" attribute with
a corresponding "Service-Type" attribute. (It might work on later
versions of IOS without the latter attribute though).

[0] http://www.cisco.com/en/US/tech/tk59/technologies_configuration_example09186a0080178a51.shtml




-- 
Øystein Gyland
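
Added example, not part of the original message and not FreeRADIUS code: a small Python check that flags `users` entries whose reply list sends `shell:priv-lvl` without a `Service-Type`, the condition described in the reply above. The sample file is constructed; `user3` and the value `NAS-Prompt-User` are assumptions that do not come from the thread.

```python
import re

# Constructed sample: admin and user1 mirror the thread; user3 (hypothetical) adds Service-Type.
SAMPLE_USERS = '''\
admin   Cleartext-Password := "admin"
        cisco-avpair = "shell:priv-lvl=15"

user1   Cleartext-Password := "user1"
        cisco-avpair = "shell:priv-lvl=10"

user3   Cleartext-Password := "user3"
        Service-Type = NAS-Prompt-User,
        cisco-avpair = "shell:priv-lvl=10"
'''

PRIV_RE = re.compile(r'cisco-avpair\s*[:+]?=\s*"shell:priv-lvl=(\d+)"', re.I)
SVC_RE = re.compile(r'service-type\s*[:+]?=\s*\S+', re.I)

def parse_entries(text):
    """Return [(username, [reply item lines])] from users-file text."""
    entries, current = [], None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue                      # skip blank lines and comments
        if raw[0] in " \t":               # indented line: reply items of the current entry
            if current is not None:
                current[1].append(raw.strip())
        else:                             # column 0: new entry, name then check items
            current = (raw.split()[0], [])
            entries.append(current)
    return entries

def lint(text):
    """Return [(username, message)] for entries that will not get the intended level."""
    findings = []
    for user, replies in parse_entries(text):
        joined = " ".join(replies)
        match = PRIV_RE.search(joined)
        if match is None:
            continue                      # entry does not set a privilege level
        level = int(match.group(1))
        if not 0 <= level <= 15:          # IOS privilege levels run from 0 to 15
            findings.append((user, f"priv-lvl {level} is outside 0-15"))
        if not SVC_RE.search(joined):
            findings.append((user, f"priv-lvl={level} sent without Service-Type"))
    return findings

if __name__ == "__main__":
    print(lint(SAMPLE_USERS))
```
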