Configuration issue at radiusd.conf?
Honglak Kim
honglak_kim at yahoo.com
Fri May 14 23:04:35 CEST 2021
Hello Maki/Matthew,
I am trying to access Arista switches with the local database at the radius server. The outcome is simply that I couldn't log in to the target Arista switch.
However, I tested another Arista switch and it worked well. The two Arista switches have different images: 4.20.15M is not working while 4.19.6.3M is working well. (I used the same username/password in the "users" file, and clients.conf has the correct network to cover both switches.)
I will check the switch side logs to see why the outcomes were different.
Thanks a lot,
Paul
On Friday, May 14, 2021, 11:12:46 AM PDT, marki <jm+freeradiususer at roth.lu> wrote:
Radius sends access-accept so it's ok.
Unless.... you care to explain what exactly you are doing, what the expected and actual outcomes are, what the error you are receiving is etc.
My crystal ball is low on battery.
On May 14, 2021 6:17:03 PM GMT+02:00, Honglak Kim via Freeradius-Users <freeradius-users at lists.freeradius.org> wrote:
Hello all,
I am very new to FreeRadius and I am not sure why I can't access the network device. It seems to have something to do with radiusd.conf, but I can't identify it. Please help.
This is the debugging message when I ran the test.
(0) Received Access-Request Id 116 from 10.0.254.3:43509 to 10.192.2.141:1812 length 92
(0) User-Name = "hong"
(0) User-Password = "test123!"
(0) NAS-Port-Id = "ssh"
(0) Calling-Station-Id = "ops001.mydomain.com"
(0) Service-Type = NAS-Prompt-User
(0) NAS-Port = 0
(0) NAS-IP-Address = 10.0.254.3
(0) # Executing section authorize from file /etc/raddb/sites-enabled/default
(0) authorize {
(0) policy filter_username {
(0) if (&User-Name) {
(0) if (&User-Name) -> TRUE
(0) if (&User-Name) {
(0) if (&User-Name =~ / /) {
(0) if (&User-Name =~ / /) -> FALSE
(0) if (&User-Name =~ /@[^@]*@/ ) {
(0) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(0) if (&User-Name =~ /\.\./ ) {
(0) if (&User-Name =~ /\.\./ ) -> FALSE
(0) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(0) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE
(0) if (&User-Name =~ /\.$/) {
(0) if (&User-Name =~ /\.$/) -> FALSE
(0) if (&User-Name =~ /@\./) {
(0) if (&User-Name =~ /@\./) -> FALSE
(0) } # if (&User-Name) = notfound
(0) } # policy filter_username = notfound
(0) [preprocess] = ok
(0) [chap] = noop
(0) [mschap] = noop
(0) [digest] = noop
(0) suffix: Checking for suffix after "@"
(0) suffix: No '@' in User-Name = "hong", looking up realm NULL
(0) suffix: No such realm "NULL"
(0) [suffix] = noop
(0) eap: No EAP-Message, not doing EAP
(0) [eap] = noop
(0) files: users: Matched entry hong at line 94
(0) [files] = ok
(0) [expiration] = noop
(0) [logintime] = noop
(0) pap: Normalizing SHA-Password from hex encoding, 40 bytes -> 20 bytes
(0) [pap] = updated
(0) } # authorize = updated
(0) Found Auth-Type = PAP
(0) # Executing group from file /etc/raddb/sites-enabled/default
(0) Auth-Type PAP {
(0) pap: Login attempt with password
(0) pap: Comparing with "known-good" SHA-Password
(0) pap: User authenticated successfully
(0) [pap] = ok
(0) } # Auth-Type PAP = ok
(0) # Executing section post-auth from file /etc/raddb/sites-enabled/default
(0) post-auth {
(0) update reply {
(0) Juniper-Local-User-Name = "admin"
(0) Arista-AVPair = "shell:priv-lvl=15"
(0) Arista-AVPair = "shell:roles=network-admin"
(0) PaloAlto-Admin-Role = "superuser"
(0) PaloAlto-Panorama-Admin-Role = "superuser"
(0) PaloAlto-User-Group = "all"
(0) } # update reply = noop
(0) [exec] = noop
(0) policy remove_reply_message_if_eap {
(0) if (&reply:EAP-Message && &reply:Reply-Message) {
(0) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE
(0) else {
(0) [noop] = noop
(0) } # else = noop
(0) } # policy remove_reply_message_if_eap = noop
(0) } # post-auth = noop
(0) Sent Access-Accept Id 116 from 10.192.2.141:1812 to 10.0.254.3:43509 length 0
(0) Juniper-Local-User-Name = "admin"
(0) Arista-AVPair = "shell:priv-lvl=15"
(0) Arista-AVPair = "shell:roles=network-admin"
(0) PaloAlto-Admin-Role = "superuser"
(0) PaloAlto-Panorama-Admin-Role = "superuser"
(0) PaloAlto-User-Group = "all"
(0) Finished request
Waking up in 4.9 seconds.
Waking up in 6.9 seconds.
(0) Cleaning up request packet ID 116 with timestamp +9
Thanks, Paul
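The check described in the reply above (an Access-Accept in the debug output means the server side succeeded), as an added example that is not part of the thread or of FreeRADIUS: a Python script that reads `radiusd -X` output, reports the verdict and the reply attributes sent to each NAS, and masks User-Password before a log is shared. The sample log is constructed in the shape of the output quoted above; the function names `summarize` and `redact` are hypothetical.

```python
import re
# Constructed sample in the shape of the debug output quoted in the thread.
SAMPLE = """\
(0) Received Access-Request Id 116 from 10.0.254.3:43509 to 10.192.2.141:1812 length 92
(0) User-Name = "hong"
(0) User-Password = "example-password"
(0) update reply {
(0) Arista-AVPair = "shell:priv-lvl=15"
(0) Sent Access-Accept Id 116 from 10.192.2.141:1812 to 10.0.254.3:43509 length 0
(0) Arista-AVPair = "shell:priv-lvl=15"
(0) Arista-AVPair = "shell:roles=network-admin"
(0) Finished request
"""

LINE = re.compile(r"^\((\d+)\)\s+(.*)$")
PACKET = re.compile(r"^(Received|Sent) (Access-\S+) Id \d+ from (\S+?):\d+ to ")
ATTR = re.compile(r'^([A-Za-z][\w-]*) = "?(.*?)"?$')

def summarize(debug_text):
    """Per request number: NAS address, user, server verdict, reply attributes."""
    requests, direction = {}, {}
    for raw in debug_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # unnumbered lines such as "Waking up in 4.9 seconds."
        num, body = int(m.group(1)), m.group(2)
        req = requests.setdefault(num, {"nas": None, "user": None, "verdict": None, "reply": []})
        pkt, attr = PACKET.match(body), ATTR.match(body)
        if pkt:
            direction[num] = pkt.group(1)
            if pkt.group(1) == "Received":
                req["nas"] = pkt.group(3)
            else:
                req["verdict"] = pkt.group(2)
        elif attr and direction.get(num):
            if direction[num] == "Sent":
                req["reply"].append((attr.group(1), attr.group(2)))
            elif attr.group(1) == "User-Name":
                req["user"] = attr.group(2)  # the password is never stored
        else:
            direction[num] = None  # any other line ends the packet's attribute list
    return requests

def redact(debug_text):
    """Mask the cleartext password that the debug output prints for PAP requests."""
    return re.sub(r"(User-Password = ).*", r'\1"<redacted>"', debug_text)

if __name__ == "__main__":
    print(summarize(redact(SAMPLE)))
```

When the verdict is Access-Accept and the expected vendor attributes appear in the reply list, the remaining place to look is the NAS itself, as the follow-up message in this thread concludes.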