petr.linke at seznam.cz
Thu Apr 19 12:36:52 CEST 2018
Hi Mohiddin,
you need to put some other attributes into the response; an Access-Accept response is
not enough.
At least you need to send in the response:
Service-Type := NAS-Prompt-User
and I don't know if Cisco ASA has privilege levels like normal Cisco
switches; if yes, the second line in the response should be, for example:
cisco-avpair := "shell:priv-lvl=5"
Regards, Petr
---------- Original e-mail ----------
From: Mohiddin Shaik <kms31786 at gmail.com>
Komu: FreeRadius users mailing list <freeradius-users at lists.freeradius.org>
Date: 19. 4. 2018 10:12:40
Subject: Re:
"Hey Hi Alan,
Thanks for your quick response.
We are trying to log on through the console (ssh) on the Cisco ASA (Firewall).
On the server only one interface is configured, and on the firewall we are using
the INSIDE interface only.
We are able to log in with the "admin" user account, but not with any other
user account (cisco/user), even though these accounts have the same privileges as the
admin user.
We checked at the Cisco ASA level and everything seems fine; we even involved the Cisco
TAC team as well, and they also say there is nothing to check from the ASA end.
Is there any way I can dig into why it's allowing the admin user but not other users?
Thanks,
Mohiddin
On Thu, Apr 19, 2018 at 4:15 AM, Alan Buxey <alan.buxey at gmail.com> wrote:
> when you say 'log into firewall' - on the console, on the web
> interface? you'll need to check the NAS docs for what other things
> need to
> be sent back from the RADIUS server along with the accept message -
> usually a load of VSAs to let the device know what profile/access
> level etc etc
>
> does the server have multiple interfaces too? might be that the reply
> packet is being sent out a different way and not even getting back to
> the firewall. normally cisco has some low level diagnostic commands
> you can use to check AAA behaviour and results.
>
> alan
>
> On 18 April 2018 at 18:50, Mohiddin Shaik <kms31786 at gmail.com> wrote:
> > Hey Hi,
> >
> > I have installed a freeradius server and integrated a freeipa server. When I
> > run radtest it authenticates perfectly. I configured client.conf to auth my
> > cisco firewall; whenever I try to log in using a freeipa user on my cisco
> > firewall, radiusd -X debug mode says auth success but I am unable to log in
> > to the terminal ((9) Sent Access-Accept Id 75 from x.x.x.x:1812 to
> > x.x.x.x:22029 length 0 (9) Finished request).
> >
> > When I use the freeipa admin user id I am able to log in to the cisco firewall via
> > the same freeradius server / same configuration.
> >
> > Debug Output:
> > Ready to process requests
> > (8) Received Access-Request Id 74 from 10.0.5.5:22029 to 10.0.0.94:1812
> > length 128
> > (8) User-Name = "mohiddin"
> > (8) User-Password = "pass at 123"
> > (8) NAS-IP-Address = 10.0.5.5
> > (8) NAS-Port = 74
> > (8) NAS-Port-Type = Virtual
> > (8) Cisco-AVPair = "ip:source-ip=10.0.2.49"
> > (8) Calling-Station-Id = "10.0.2.49"
> > (8) Cisco-AVPair = "coa-push=true"
> > (8) # Executing section authorize from file /etc/raddb/sites-enabled/default
> > (8) authorize {
> > (8) policy filter_username {
> > (8) if (&User-Name) {
> > (8) if (&User-Name) -> TRUE
> > (8) if (&User-Name) {
> > (8) if (&User-Name =~ / /) {
> > (8) if (&User-Name =~ / /) -> FALSE
> > (8) if (&User-Name =~ /@[^@]*@/ ) {
> > (8) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
> > (8) if (&User-Name =~ /\.\./ ) {
> > (8) if (&User-Name =~ /\.\./ ) -> FALSE
> > (8) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
> > (8) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE
> > (8) if (&User-Name =~ /\.$/) {
> > (8) if (&User-Name =~ /\.$/) -> FALSE
> > (8) if (&User-Name =~ /@\./) {
> > (8) if (&User-Name =~ /@\./) -> FALSE
> > (8) } # if (&User-Name) = notfound
> > (8) } # policy filter_username = notfound
> > (8) [preprocess] = ok
> > (8) [chap] = noop
> > (8) [mschap] = noop
> > (8) [digest] = noop
> > (8) suffix: Checking for suffix after "@"
> > (8) suffix: No '@' in User-Name = "mohiddin", looking up realm NULL
> > (8) suffix: No such realm "NULL"
> > (8) [suffix] = noop
> > (8) eap: No EAP-Message, not doing EAP
> > (8) [eap] = noop
> > (8) [files] = noop
> > rlm_ldap (ldap): Closing connection (9): Hit idle_timeout, was idle for 133 seconds
> > rlm_ldap (ldap): Closing connection (11): Hit idle_timeout, was idle for 133 seconds
> > rlm_ldap (ldap): Closing connection (8): Hit idle_timeout, was idle for 120 seconds
> > rlm_ldap (ldap): Closing connection (12): Hit idle_timeout, was idle for 120 seconds
> > rlm_ldap (ldap): You probably need to lower "min"
> > rlm_ldap (ldap): Closing connection (10): Hit idle_timeout, was idle for 113 seconds
> > rlm_ldap (ldap): You probably need to lower "min"
> > rlm_ldap (ldap): Closing connection (13): Hit idle_timeout, was idle for 113 seconds
> > rlm_ldap (ldap): You probably need to lower "min"
> > rlm_ldap (ldap): 0 of 0 connections in use. You may need to increase "spare"
> > rlm_ldap (ldap): Opening additional connection (14), 1 of 32 pending slots used
> > rlm_ldap (ldap): Connecting to ldap://ipa01.test.org:389
> > rlm_ldap (ldap): Waiting for bind result...
> > rlm_ldap (ldap): Bind successful
> > rlm_ldap (ldap): Reserved connection (14)
> > (8) ldap: EXPAND (uid=%{%{Stripped-User-Name}:-%{User-Name}})
> > (8) ldap: --> (uid=mohiddin)
> > (8) ldap: Performing search in "cn=users,cn=accounts,dc=test,dc=org" with filter "(uid=mohiddin)", scope "sub"
> > (8) ldap: Waiting for search result...
> > (8) ldap: User object found at DN "uid=mohiddin,cn=users,cn=accounts,dc=test,dc=org"
> > (8) ldap: Processing user attributes
> > (8) ldap: control:Password-With-Header += '{SSHA512}FBhJiiB8Uene3Nl6MkFBufEQNVBJsU9GrXy3wXtaaY0mUkjQ5CVAiWdWHHfEf5bZpYWYECf/mvwOojrM/L4dVJLuUJyt+N6Q'
> > rlm_ldap (ldap): Released connection (14)
> > Need 2 more connections to reach min connections (3)
> > rlm_ldap (ldap): Opening additional connection (15), 1 of 31 pending slots used
> > rlm_ldap (ldap): Connecting to ldap://ipa01.test.org:389
> > rlm_ldap (ldap): Waiting for bind result...
> > rlm_ldap (ldap): Bind successful
> > (8) [ldap] = updated
> > (8) [expiration] = noop
> > (8) [logintime] = noop
> > (8) pap: Converted: &control:Password-With-Header -> &control:SSHA2-512-Password
> > (8) pap: Removing &control:Password-With-Header
> > (8) pap: Normalizing SSHA2-512-Password from base64 encoding, 96 bytes -> 72 bytes
> > (8) [pap] = updated
> > (8) } # authorize = updated
> > (8) Found Auth-Type = PAP
> > (8) # Executing group from file /etc/raddb/sites-enabled/default
> > (8) Auth-Type PAP {
> > (8) pap: Login attempt with password
> > (8) pap: Comparing with "known-good" SSHA2-512-Password
> > (8) pap: User authenticated successfully
> > (8) [pap] = ok
> > (8) } # Auth-Type PAP = ok
> > (8) # Executing section post-auth from file /etc/raddb/sites-enabled/default
> > (8) post-auth {
> > (8) update {
> > (8) No attributes updated
> > (8) } # update = noop
> > (8) [exec] = noop
> > (8) policy remove_reply_message_if_eap {
> > (8) if (&reply:EAP-Message && &reply:Reply-Message) {
> > (8) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE
> > (8) else {
> > (8) [noop] = noop
> > (8) } # else = noop
> > (8) } # policy remove_reply_message_if_eap = noop
> > (8) } # post-auth = noop
> > (8) Sent Access-Accept Id 74 from 10.0.0.94:1812 to 10.0.5.5:22029 length 0
> > (8) Finished request
> > Waking up in 4.9 seconds.
> > (8) Cleaning up request packet ID 74 with timestamp +504
> > Ready to process requests
> > (9) Received Access-Request Id 75 from 10.0.5.5:22029 to 10.0.0.94:1812
> > length 84
> > (9) User-Name = "admin"
> > (9) User-Password = "reflexis1"
> > (9) NAS-IP-Address = 10.0.5.5
> > (9) NAS-Port = 75
> > (9) NAS-Port-Type = Virtual
> > (9) Cisco-AVPair = "coa-push=true"
> > (9) # Executing section authorize from file /etc/raddb/sites-enabled/default
> > (9) authorize {
> > (9) policy filter_username {
> > (9) if (&User-Name) {
> > (9) if (&User-Name) -> TRUE
> > (9) if (&User-Name) {
> > (9) if (&User-Name =~ / /) {
> > (9) if (&User-Name =~ / /) -> FALSE
> > (9) if (&User-Name =~ /@[^@]*@/ ) {
> > (9) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
> > (9) if (&User-Name =~ /\.\./ ) {
> > (9) if (&User-Name =~ /\.\./ ) -> FALSE
> > (9) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
> > (9) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE
> > (9) if (&User-Name =~ /\.$/) {
> > (9) if (&User-Name =~ /\.$/) -> FALSE
> > (9) if (&User-Name =~ /@\./) {
> > (9) if (&User-Name =~ /@\./) -> FALSE
> > (9) } # if (&User-Name) = notfound
> > (9) } # policy filter_username = notfound
> > (9) [preprocess] = ok
> > (9) [chap] = noop
> > (9) [mschap] = noop
> > (9) [digest] = noop
> > (9) suffix: Checking for suffix after "@"
> > (9) suffix: No '@' in User-Name = "admin", looking up realm NULL
> > (9) suffix: No such realm "NULL"
> > (9) [suffix] = noop
> > (9) eap: No EAP-Message, not doing EAP
> > (9) [eap] = noop
> > (9) [files] = noop
> > rlm_ldap (ldap): Closing connection (14): Hit idle_timeout, was idle for 160 seconds
> > rlm_ldap (ldap): You probably need to lower "min"
> > rlm_ldap (ldap): Closing connection (15): Hit idle_timeout, was idle for 160 seconds
> > rlm_ldap (ldap): You probably need to lower "min"
> > rlm_ldap (ldap): 0 of 0 connections in use. You may need to increase "spare"
> > rlm_ldap (ldap): Opening additional connection (16), 1 of 32 pending slots used
> > rlm_ldap (ldap): Connecting to ldap://ipa01.test.org:389
> > rlm_ldap (ldap): Waiting for bind result...
> > rlm_ldap (ldap): Bind successful
> > rlm_ldap (ldap): Reserved connection (16)
> > (9) ldap: EXPAND (uid=%{%{Stripped-User-Name}:-%{User-Name}})
> > (9) ldap: --> (uid=admin)
> > (9) ldap: Performing search in "cn=users,cn=accounts,dc=test,dc=org" with filter "(uid=admin)", scope "sub"
> > (9) ldap: Waiting for search result...
> > (9) ldap: User object found at DN "uid=admin,cn=users,cn=accounts,dc=test,dc=org"
> > (9) ldap: Processing user attributes
> > (9) ldap: control:Password-With-Header += '{SSHA512}rtaic2+6VABUusn0KrluEZLtSkvcTxH7SVTmJYwYtlgWqp2f2oMYIQ0AuUTrfNEutEVbn794QFmkwinsfMFihn68yrWO+Po3'
> > rlm_ldap (ldap): Released connection (16)
> > Need 2 more connections to reach min connections (3)
> > rlm_ldap (ldap): Opening additional connection (17), 1 of 31 pending slots used
> > rlm_ldap (ldap): Connecting to ldap://ipa01.test.org:389
> > rlm_ldap (ldap): Waiting for bind result...
> > rlm_ldap (ldap): Bind successful
> > (9) [ldap] = updated
> > (9) [expiration] = noop
> > (9) [logintime] = noop
> > (9) pap: Converted: &control:Password-With-Header -> &control:SSHA2-512-Password
> > (9) pap: Removing &control:Password-With-Header
> > (9) pap: Normalizing SSHA2-512-Password from base64 encoding, 96 bytes -> 72 bytes
> > (9) [pap] = updated
> > (9) } # authorize = updated
> > (9) Found Auth-Type = PAP
> > (9) # Executing group from file /etc/raddb/sites-enabled/default
> > (9) Auth-Type PAP {
> > (9) pap: Login attempt with password
> > (9) pap: Comparing with "known-good" SSHA2-512-Password
> > (9) pap: User authenticated successfully
> > (9) [pap] = ok
> > (9) } # Auth-Type PAP = ok
> > (9) # Executing section post-auth from file /etc/raddb/sites-enabled/default
> > (9) post-auth {
> > (9) update {
> > (9) No attributes updated
> > (9) } # update = noop
> > (9) [exec] = noop
> > (9) policy remove_reply_message_if_eap {
> > (9) if (&reply:EAP-Message && &reply:Reply-Message) {
> > (9) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE
> > (9) else {
> > (9) [noop] = noop
> > (9) } # else = noop
> > (9) } # policy remove_reply_message_if_eap = noop
> > (9) } # post-auth = noop
> > (9) Sent Access-Accept Id 75 from 10.0.0.94:1812 to 10.0.5.5:22029 length 0
> > (9) Finished request
> > Waking up in 4.9 seconds.
> > (9) Cleaning up request packet ID 75 with timestamp +664
> > Ready to process requests
> >
> >
> > Thanks,
> > Mohiddin.
> > -
> > List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html"
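A worked configuration for the reply Petr describes, added here as an example and not taken from the thread: a FreeRADIUS 3.x users-file entry that returns Service-Type and a Cisco-AVPair privilege level only for logins coming from the ASA seen in the debug output (NAS-IP-Address 10.0.5.5). The LDAP group name asa-admins and the ldap module's group configuration are assumptions.

```text
# /etc/raddb/mods-config/files/authorize   (read by the "files" module)
# Added example, not from the thread. Assumes the ldap module in the debug
# output is also configured for group lookups (its "group" section), and
# that ASA administrators are members of an LDAP group named "asa-admins"
# (assumed name). NAS-IP-Address 10.0.5.5 is the ASA from the debug output.

# Administrators: interactive shell at privilege level 15.
# Ldap-Group is the dynamic check item registered by rlm_ldap; comparing it
# triggers a group-membership lookup for the authenticating user.
DEFAULT NAS-IP-Address == 10.0.5.5, Ldap-Group == "asa-admins"
        Service-Type := NAS-Prompt-User,
        Cisco-AVPair := "shell:priv-lvl=15"

# Everyone else who authenticates from the ASA: a shell, but at privilege
# level 1 (the lowest interactive level), so a valid directory password on
# its own never grants an administrative level. There is no Fall-Through
# on the entry above, so administrators never reach this one.
DEFAULT NAS-IP-Address == 10.0.5.5
        Service-Type := NAS-Prompt-User,
        Cisco-AVPair := "shell:priv-lvl=1"
```

After adding the entries, run radiusd -X again and check that the reply attributes are listed under the "Sent Access-Accept" line; if they are not, the files entry did not match and the check items need to be compared against the request attributes printed at the top of the debug output.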
More information about the Freeradius-Users mailing list