Hi,


I want a user defined in the users file to be able to authenticate
directly into enable mode on a Cisco switch.
I have read the mail archive and I found this:

>You can use a feature so that a specific user gets enable
>privilege by default
>and doesn't have to type enable:
>
>jura    Auth-Type = System
>        Service-Type = Login-User,
>        Cisco-AVPair = "shell:priv-lvl=15"
>
>Also you need to have an authorization line:
>aaa authorization login default group radius
>
>This works on the catalyst switch as well.

I did the same thing:

        -> USERS FILE:
                toto      Auth-Type:=CISCO-ACCESS
                          Service-Type = Login-User,
                          Cisco-AVPair = "shell:priv-lvl=15"

        -> CISCO CONF:
                aaa new-model
                aaa authentication login stage group radius local
                aaa authorization exec stage group radius if-authenticated

                radius-server host XXX.XXX.XXX.XXX auth-port 1812 acct-port 1813 timeout 3 retransmit 6 key XXXXXXX
                radius-server vsa send authentication

                line vty 0 4
                 password XXXXXX
                 login authentication stage

But it doesn't work; here's the log:

        -> RADIUS LOG:

rad_recv: Access-Request packet from host XXX.XXX.XXX.XXX:1645, id=45, length=108
        NAS-IP-Address = XXX.XXX.XXX.XXX
        NAS-Port = 2
        Cisco-NAS-Port = "tty2"
        NAS-Port-Type = Virtual
        User-Name = "toto"
        Calling-Station-Id = "XXX.XXX.XXX.XXX"
        User-Password = "XXXXXX"
modcall: entering group authorize
  modcall[authorize]: module "preprocess" returns ok
rlm_chap: Could not find proper Chap-Password attribute in request
  modcall[authorize]: module "chap" returns noop
  modcall[authorize]: module "mschap" returns notfound
    rlm_realm: Looking up realm e-qual.fr for User-Name = "toto"
    rlm_realm: No such realm e-qual.fr
  modcall[authorize]: module "suffix" returns noop
    users: Matched DEFAULT at 152
    users: Matched toto at 218
  modcall[authorize]: module "files" returns ok
modcall: group authorize returns ok
  rad_check_password:  Found Auth-Type CISCO-ACCESS
auth: type "CISCO-ACCESS"
modcall: entering group authtype
rlm_ldap: - authenticate
rlm_ldap: login attempt by "toto" with password "XXXXXX"
radius_xlat:  '(&(rights=*USERS-Manager*)(uid=toto))'
radius_xlat:  'ou=Users,dc=e-qual,dc=fr'
ldap_get_conn: Got Id: 0
rlm_ldap: performing search in ou=Users,dc=e-qual,dc=fr, with filter
(&(rights=*USERS-Manager*)(uid=toto))
ldap_release_conn: Release Id: 0
rlm_ldap: user DN: uid=toto,ou=e-Qual,ou=Users,dc=e-Qual,dc=fr
rlm_ldap: (re)connect to XXX.XXX.XXX.XXX:389, authentication 1
rlm_ldap: bind as uid=toto,ou=e-Qual,ou=Users,dc=e-Qual,dc=fr/poiuyt to
192.168.1.53:389
rlm_ldap: waiting for bind result ...
rlm_ldap: user toto authenticated succesfully
  modcall[authenticate]: module "ldap-cisco" returns ok
modcall: group authtype returns ok
Login OK: [toto/XXXXXX] (from client testing port 2 cli XXX.XXX.XXX.XXX)
Sending Access-Accept of id 45 to XXX.XXX.XXX.XXX:1645
        Service-Type = Login-User
        Cisco-AVPair = "shell:priv-lvl=15"
Finished request 258
Going to the next request
--- Walking the entire request list ---

*********************************

        -> CISCO LOG:

1d04h: AAA: parse name=tty2 idb type=-1 tty=-1
1d04h: AAA: name=tty2 flags=0x11 type=5 shelf=0 slot=0 adapter=0 port=2 channel=0
1d04h: AAA/MEMORY: create_user (0x6C4C38) user='' ruser='' port='tty2' rem_addr='192.168.2.73' authen_type=ASCII service=LOGIN priv=1
1d04h: AAA/AUTHEN/START (2920771300): port='tty2' list='stage' action=LOGIN service=LOGIN
1d04h: AAA/AUTHEN/START (2920771300): found list stage
1d04h: AAA/AUTHEN/START (2920771300): Method=radius (radius)
1d04h: AAA/AUTHEN (2920771300): status = GETUSER
1d04h: AAA/AUTHEN/CONT (2920771300): continue_login (user='(undef)')
1d04h: AAA/AUTHEN (2920771300): status = GETUSER
1d04h: AAA/AUTHEN (2920771300): Method=radius (radius)
1d04h: AAA/AUTHEN (2920771300): status = GETPASS
1d04h: AAA/AUTHEN/CONT (2920771300): continue_login (user='toto')
1d04h: AAA/AUTHEN (2920771300): status = GETPASS
1d04h: AAA/AUTHEN (2920771300): Method=radius (radius)
1d04h: RADIUS: ustruct sharecount=1
1d04h: RADIUS: added cisco VSA 2 len 4 "tty2"
1d04h: RADIUS: Initial Transmit tty2 id 45 XXX.XXX.XXX.XXX:1812, Access-Request, len 108
1d04h:         Attribute 4 6 C0A802EB
1d04h:         Attribute 5 6 00000002
1d04h:         Attribute 26 12 0000000902067474
1d04h:         Attribute 61 6 00000005
1d04h:         Attribute 1 26 6A65726F
1d04h:         Attribute 31 14 3139322E
1d04h:         Attribute 2 18 7A5D1E3E
1d04h: RADIUS: Received from id 45 XXX.XXX.XXX.XXX:1812, Access-Accept, len 51
1d04h:         Attribute 6 6 00000001
1d04h:         Attribute 26 25 0000000901137368
1d04h: RADIUS: saved authorization data for user 6C4C38 at 648EE4
1d04h: AAA/AUTHEN (2920771300): status = PASS

Do you have an idea why it doesn't work?

Philippe


- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
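As an added example that is not part of Philippe's post or of FreeRADIUS's own code, the Python below encodes and decodes the Cisco-AVPair Vendor-Specific attribute exactly as the switch debug prints it ("Attribute 26 25 0000000901137368" is attribute type 26, length 25, vendor id 9, vendor type 1, vendor length 0x13, then the start of "shell:priv-lvl=15"), so an Access-Accept can be checked on the wire for the privilege level it really carries. Attribute numbers come from RFC 2865 and the Cisco dictionary; the sample packet bytes are constructed here to match the reply in the post.

```python
import struct

# RADIUS attr 26 = Vendor-Specific; Cisco vendor id 9, Cisco-AVPair = vendor type 1.
VENDOR_SPECIFIC, SERVICE_TYPE, CISCO_VENDOR_ID, CISCO_AVPAIR = 26, 6, 9, 1

def build_cisco_avpair(value: str) -> bytes:
    """Encode one Cisco-AVPair string as a RADIUS Vendor-Specific attribute."""
    data = value.encode("ascii")
    sub = struct.pack("!BB", CISCO_AVPAIR, 2 + len(data)) + data  # vendor type, len
    body = struct.pack("!I", CISCO_VENDOR_ID) + sub
    return struct.pack("!BB", VENDOR_SPECIFIC, 2 + len(body)) + body

def parse_attributes(raw: bytes):
    """Yield (type, value) pairs from an attribute list, rejecting bad lengths."""
    i = 0
    while i < len(raw):
        if len(raw) - i < 2 or raw[i + 1] < 2 or i + raw[i + 1] > len(raw):
            raise ValueError(f"malformed attribute at offset {i}")
        yield raw[i], raw[i + 2:i + raw[i + 1]]
        i += raw[i + 1]

def cisco_avpairs(raw: bytes) -> list:
    """Return every Cisco-AVPair string carried in the attribute list."""
    pairs = []
    for atype, value in parse_attributes(raw):
        if atype != VENDOR_SPECIFIC or len(value) < 6:
            continue
        if struct.unpack("!I", value[:4])[0] != CISCO_VENDOR_ID:
            continue
        j = 4
        while j < len(value):  # walk the vendor sub-attributes
            vlen = value[j + 1] if j + 1 < len(value) else 0
            if vlen < 2 or j + vlen > len(value):
                raise ValueError("malformed vendor sub-attribute")
            if value[j] == CISCO_AVPAIR:
                pairs.append(value[j + 2:j + vlen].decode("ascii"))
            j += vlen
    return pairs

def privilege_level(raw: bytes):
    """priv-lvl from a shell:priv-lvl=N pair, or None when the reply has none."""
    for pair in cisco_avpairs(raw):
        if pair.startswith("shell:priv-lvl="):
            return int(pair.split("=", 1)[1])
    return None

# Constructed attribute list mirroring the Access-Accept in the post:
# Service-Type = Login-User (1), then Cisco-AVPair = "shell:priv-lvl=15".
SAMPLE_ACCEPT = (struct.pack("!BBI", SERVICE_TYPE, 6, 1)
                 + build_cisco_avpair("shell:priv-lvl=15"))
```

The two attributes total 31 bytes, which with the 20-byte RADIUS header gives the "len 51" the switch reports for the Access-Accept.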