Hi,

I have had the "cisco-avpair" attribute inserted into
the radgroupreply table and I still cannot get the
users to log in to privileged mode.

I tried this as well on another user from a users file
now and it's the same result. On the two occasions, I
can see from the debugging messages that radius is
passing the correct information back to the NAS, such
as the av-pair set. But somehow the users are not
getting logged into the router in privileged mode.

The following is the relevant part of my radiusd -X
message...

----

Starting - reading configuration files ...
reread_config:  reading radiusd.conf
Config:   including file: /usr/local//etc/raddb/clients.conf
Config:   including file: /usr/local//etc/raddb/snmp.conf
Config:   including file: /usr/local//etc/raddb/sql.conf
 main: prefix = "/usr/local/"
 main: localstatedir = "/usr/local//var"
 main: logdir = "/usr/local//var/log/radius"
 main: libdir = "/usr/local//lib"
 main: radacctdir = "/usr/local//var/log/radius/radacct"
 main: hostname_lookups = no
read_config_files:  reading dictionary
read_config_files:  reading clients
read_config_files:  reading realms
read_config_files:  reading naslist
 main: max_request_time = 30
 main: cleanup_delay = 5
 main: max_requests = 1024
 main: delete_blocked_requests = 0
 main: port = 0
 main: allow_core_dumps = no
 main: log_stripped_names = no
 main: log_auth = no
 main: log_auth_badpass = no
 main: log_auth_goodpass = no
 main: pidfile = "/usr/local//var/run/radiusd/radiusd.pid"
 main: user = "mysql"
 main: group = "mysql"
 main: usercollide = no
 main: lower_user = "no"
 main: lower_pass = "no"
 main: nospace_user = "no"
 main: nospace_pass = "no"
 main: proxy_requests = no
 security: max_attributes = 200
 security: reject_delay = 1
 main: debug_level = 0
read_config_files:  entering modules setup
Module: Library search path is /usr/local/lib
Module: Loaded System
 unix: cache = yes
 unix: passwd = "/etc/passwd"
 unix: shadow = "/etc/shadow"
 unix: group = "/etc/group"
 unix: radwtmp = "/usr/local//var/log/radius/radwtmp"
 unix: usegroup = no
 unix: cache_reload = 600
HASH: ...

...
...Starting connect to MySQL server for #0
rlm_sql:  Connected new DB handle, #0
rlm_sql: starting 1
rlm_sql:  Attempting to connect #1
rlm_sql: Starting connect to MySQL server for #1
rlm_sql:  Connected new DB handle, #1
rlm_sql: starting 2
rlm_sql:  Attempting to connect #2
rlm_sql: Starting connect to MySQL server for #2
rlm_sql:  Connected new DB handle, #2
rlm_sql: starting 3
rlm_sql:  Attempting to connect #3
rlm_sql: Starting connect to MySQL server for #3
rlm_sql:  Connected new DB handle, #3
rlm_sql: starting 4
rlm_sql:  Attempting to connect #4
rlm_sql: Starting connect to MySQL server for #4
rlm_sql:  Connected new DB handle, #4
Module: Instantiated sql (sql)
Module: Loaded files
 files: usersfile = "/usr/local//etc/raddb/users"
 files: acctusersfile = "/usr/local//etc/raddb/acct_users"
 files: compat = "no"
Module: Instantiated files (files)
Module: Loaded detail
 detail: detailfile = "/usr/local//var/log/radius/radacct/%{Client-IP-Address}/detail"
 detail: ...

...
Ready to process requests.
rad_recv: Access-Request packet from host 192.120.130.2:1645, id=65, length=76
        NAS-IP-Address = 192.120.130.2
        NAS-Port = 0
        Cisco-NAS-Port = "tty0"
        NAS-Port-Type = Async
        User-Name = "cocoon"
        User-Password = "\3341+\340\250\351\240\276\017\021\265\206\307\340\010\243"
modcall: entering group authorize
  modcall[authorize]: module "preprocess" returns ok
    rlm_realm: Looking up realm NULL for User-Name = "cocoon"
    rlm_realm: No such realm NULL
  modcall[authorize]: module "suffix" returns noop
radius_xlat:  'cocoon'
sql_set_user:  escaped user --> 'cocoon'
radius_xlat: ...

...
Released sql socket id: 4
  modcall[authorize]: module "sql" returns ok
  modcall[authorize]: module "files" returns notfound
modcall: group authorize returns ok
auth: type Local
auth: user supplied User-Password matches local User-Password
Sending Access-Accept of id 65 to 192.120.130.2:1645
        Cisco-AVPair = "shell:priv-lvl=15"
Finished request 0.
Going to the next request...
----

Anyone know what is going on here? Do I need to set
radius-server host non-standard in the Cisco?

Thanks a lot,

Gbenga.


 --- Alexey Chetroi <[EMAIL PROTECTED]> wrote:
> On Sun, Nov 10, 2002 at 11:33:44PM +0000, Gbenga wrote:
> > I have freeradius server running on Solaris 8,
> > authenticating off MySQL and all is working fine at
> > the moment. But I want to implement Cisco AVPair
> > attributes on some of the users. Specifically the
> > users that belong to the administrator group in my
> > user file.
> > 
> > I read that I can implement Cisco AVPair and the users
> > will automatically be dropped into privileged mode
> > whenever they log into the router. The AV-Pair in
> > question is "cisco-avpair=shell-priv-lvl=15". 
> > 
> > My question is how do I add these to the user/group
> > profile in the user table(s). Some example of where
> > this will go in the sql table will be appreciated.
> 
>  Just add to radgroupreply table attribute Cisco-AVPair
> with the desired value, e.g. ip:addr-pool=inet etc., and have
> the op field set to +=, so you may have more than one
> cisco VSA.
> 
> -- 
> 
>   Best regards,
>   Alexey Chetroi
> 
> ---
> Smile... Tomorrow will be worse.   (c) Murphy's law
> 
> - 
> List info/subscribe/unsubscribe? See
http://www.freeradius.org/list/users.html 

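The following is an added example of what Alexey's suggestion looks like as rows in the FreeRADIUS SQL tables; it is not from the thread or from the FreeRADIUS project. It assumes MySQL, the table layout of the FreeRADIUS 0.x/1.x schema (radgroupreply plus a usergroup table that FreeRADIUS 2.x and later call radusergroup), a group named "administrator" and the user "cocoon" from the debug output. The Service-Type row goes beyond the thread and is included because Cisco IOS expects it for an EXEC session. Note that the value that actually works, as the Access-Accept in the debug output shows, is "shell:priv-lvl=15" with a colon, not "shell-priv-lvl=15".

```sql
-- Added example (MySQL); not part of the original post or of FreeRADIUS.
-- Table names follow the FreeRADIUS 0.x/1.x schema (assumption): usergroup
-- maps users to groups, radgroupreply holds per-group reply attributes.

CREATE TABLE IF NOT EXISTS usergroup (
  UserName  varchar(64) NOT NULL DEFAULT '',
  GroupName varchar(64) NOT NULL DEFAULT '',
  KEY UserName (UserName)
);

CREATE TABLE IF NOT EXISTS radgroupreply (
  id        int(11) unsigned NOT NULL AUTO_INCREMENT,
  GroupName varchar(64)  NOT NULL DEFAULT '',
  Attribute varchar(32)  NOT NULL DEFAULT '',
  op        char(2)      NOT NULL DEFAULT '=',
  Value     varchar(253) NOT NULL DEFAULT '',
  PRIMARY KEY (id),
  KEY GroupName (GroupName)
);

-- Put the user into the administrator group (names are assumed).
INSERT INTO usergroup (UserName, GroupName)
VALUES ('cocoon', 'administrator');

-- Reply attributes for the group.  Cisco-AVPair is a single attribute name
-- that carries many different VSAs (shell:priv-lvl, ip:addr-pool, ...), so
-- the op is '+=' : each row is appended to the reply instead of a later row
-- replacing an earlier one, which is what '=' or ':=' would do.
INSERT INTO radgroupreply (GroupName, Attribute, op, Value) VALUES
  ('administrator', 'Service-Type', ':=', 'NAS-Prompt-User'),
  ('administrator', 'Cisco-AVPair', '+=', 'shell:priv-lvl=15');

-- What the sql module's group-reply lookup sees for this user: the same
-- join between usergroup and radgroupreply, shown here as a manual check.
-- Expect two rows, the second being Cisco-AVPair += shell:priv-lvl=15.
SELECT r.GroupName, r.Attribute, r.op, r.Value
  FROM radgroupreply r
  JOIN usergroup u ON u.GroupName = r.GroupName
 WHERE u.UserName = 'cocoon'
 ORDER BY r.id;
```

The debug output in the post already shows the Access-Accept carrying Cisco-AVPair = "shell:priv-lvl=15", so the SQL side is doing its job; the remaining step is on the router, where the priv-lvl in a RADIUS reply is honoured only when EXEC authorization is sent to RADIUS (on IOS, a statement of the form aaa authorization exec default group radius; exact syntax depends on the IOS release and is an assumption here, not something the thread confirms). The radius-server host ... non-standard keyword is a separate setting and does not by itself make the router apply a privilege level.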