Hi,
I want a user defined in the users file to be able to authenticate directly in enable mode on a Cisco switch. I have read the mail archive and I found this:

>You can use a feature so that a specific user gets enable privilege by default
>and doesn't have to type enable:
>
>jura Auth-Type = System
>    Service-Type = Login-User,
>    Cisco-AVPair = "shell:priv-lvl=15"
>
>Also you need to have an authorization line:
>aaa authorization login default group radius
>
>This works on the Catalyst switch as well.

I do the same thing:

-> USERS FILE :

toto Auth-Type:=CISCO-ACCESS
    Service-Type = Login-User,
    Cisco-AVPair = "shell:priv-lvl=15"

-> CISCO CONF :

aaa new-model
aaa authentication login stage group radius local
aaa authorization exec stage group radius if-authenticated
radius-server host XXX.XXX.XXX.XXX auth-port 1812 acct-port 1813 timeout 3 retransmit 6 key XXXXXXX
radius-server vsa send authentication
line vty 0 4
 password XXXXXX
 login authentication stage

But it doesn't work; here are the logs:

-> RADIUS LOG :

rad_recv: Access-Request packet from host XXX.XXX.XXX.XXX:1645, id=45, length=108
    NAS-IP-Address = XXX.XXX.XXX.XXX
    NAS-Port = 2
    Cisco-NAS-Port = "tty2"
    NAS-Port-Type = Virtual
    User-Name = "toto"
    Calling-Station-Id = "XXX.XXX.XXX.XXX"
    User-Password = "XXXXXX"
modcall: entering group authorize
  modcall[authorize]: module "preprocess" returns ok
rlm_chap: Could not find proper Chap-Password attribute in request
  modcall[authorize]: module "chap" returns noop
  modcall[authorize]: module "mschap" returns notfound
rlm_realm: Looking up realm e-qual.fr for User-Name = "toto"
rlm_realm: No such realm e-qual.fr
  modcall[authorize]: module "suffix" returns noop
users: Matched DEFAULT at 152
users: Matched toto at 218
  modcall[authorize]: module "files" returns ok
modcall: group authorize returns ok
rad_check_password: Found Auth-Type CISCO-ACCESS
auth: type "CISCO-ACCESS"
modcall: entering group authtype
rlm_ldap: - authenticate
rlm_ldap: login attempt by "toto" with password "XXXXXX"
radius_xlat: '(&(rights=*USERS-Manager*)(uid=toto))'
radius_xlat: 'ou=Users,dc=e-qual,dc=fr'
ldap_get_conn: Got Id: 0
rlm_ldap: performing search in ou=Users,dc=e-qual,dc=fr, with filter (&(rights=*USERS-Manager*)(uid=toto))
ldap_release_conn: Release Id: 0
rlm_ldap: user DN: uid=toto,ou=e-Qual,ou=Users,dc=e-Qual,dc=fr
rlm_ldap: (re)connect to XXX.XXX.XXX.XXX:389, authentication 1
rlm_ldap: bind as uid=toto,ou=e-Qual,ou=Users,dc=e-Qual,dc=fr/poiuyt to 192.168.1.53:389
rlm_ldap: waiting for bind result ...
rlm_ldap: user toto authenticated succesfully
  modcall[authenticate]: module "ldap-cisco" returns ok
modcall: group authtype returns ok
Login OK: [toto/XXXXXX] (from client testing port 2 cli XXX.XXX.XXX.XXX)
Sending Access-Accept of id 45 to XXX.XXX.XXX.XXX:1645
    Service-Type = Login-User
    Cisco-AVPair = "shell:priv-lvl=15"
Finished request 258
Going to the next request
--- Walking the entire request list ---

*********************************

-> CISCO LOG :

1d04h: AAA: parse name=tty2 idb type=-1 tty=-1
1d04h: AAA: name=tty2 flags=0x11 type=5 shelf=0 slot=0 adapter=0 port=2 channel=0
1d04h: AAA/MEMORY: create_user (0x6C4C38) user='' ruser='' port='tty2' rem_addr='192.168.2.73' authen_type=ASCII service=LOGIN priv=1
1d04h: AAA/AUTHEN/START (2920771300): port='tty2' list='stage' action=LOGIN service=LOGIN
1d04h: AAA/AUTHEN/START (2920771300): found list stage
1d04h: AAA/AUTHEN/START (2920771300): Method=radius (radius)
1d04h: AAA/AUTHEN (2920771300): status = GETUSER
1d04h: AAA/AUTHEN/CONT (2920771300): continue_login (user='(undef)')
1d04h: AAA/AUTHEN (2920771300): status = GETUSER
1d04h: AAA/AUTHEN (2920771300): Method=radius (radius)
1d04h: AAA/AUTHEN (2920771300): status = GETPASS
1d04h: AAA/AUTHEN/CONT (2920771300): continue_login (user='toto')
1d04h: AAA/AUTHEN (2920771300): status = GETPASS
1d04h: AAA/AUTHEN (2920771300): Method=radius (radius)
1d04h: RADIUS: ustruct sharecount=1
1d04h: RADIUS: added cisco VSA 2 len 4 "tty2"
1d04h: RADIUS: Initial Transmit tty2 id 45 XXX.XXX.XXX.XXX:1812, Access-Request, len 108
1d04h:         Attribute 4 6 C0A802EB
1d04h:         Attribute 5 6 00000002
1d04h:         Attribute 26 12 0000000902067474
1d04h:         Attribute 61 6 00000005
1d04h:         Attribute 1 26 6A65726F
1d04h:         Attribute 31 14 3139322E
1d04h:         Attribute 2 18 7A5D1E3E
1d04h: RADIUS: Received from id 45 XXX.XXX.XXX.XXX:1812, Access-Accept, len 51
1d04h:         Attribute 6 6 00000001
1d04h:         Attribute 26 25 0000000901137368
1d04h: RADIUS: saved authorization data for user 6C4C38 at 648EE4
1d04h: AAA/AUTHEN (2920771300): status = PASS

Do you have any idea why it doesn't work?

Philippe

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
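The Cisco debug lines above print only the attribute type, the attribute length and a hex prefix of the value, so checking what the Access-Accept really carried means decoding the Vendor-Specific header by hand. The Python below is an added example, not code from the post, from FreeRADIUS or from Cisco: it decodes those "Attribute <type> <len> <hex>" lines (Cisco vendor id 9 and the VSA names Cisco-AVPair / Cisco-NAS-Port are from the standard dictionary; the sample lines are copied from the log above) and checks whether a truncated Cisco-AVPair line is consistent with a given full string.

```python
import re

# Constructed input: the two 'debug radius' attribute lines of the Access-Accept in the post.
ACCEPT_LINES = [
    "1d04h: Attribute 6 6 00000001",
    "1d04h: Attribute 26 25 0000000901137368",
]

# Standard RADIUS attribute numbers (RFC 2865) and the Cisco VSA numbers seen in the log.
ATTR_NAMES = {1: "User-Name", 2: "User-Password", 4: "NAS-IP-Address", 5: "NAS-Port",
              6: "Service-Type", 26: "Vendor-Specific", 31: "Calling-Station-Id",
              61: "NAS-Port-Type"}
CISCO_VENDOR_ID = 9
CISCO_VSA_NAMES = {1: "Cisco-AVPair", 2: "Cisco-NAS-Port"}
LINE_RE = re.compile(r"Attribute (\d+) (\d+) ([0-9A-Fa-f]+)")


def decode_line(line):
    """Describe one 'Attribute <type> <len> <hex-prefix>' debug line; None if it is not one."""
    m = LINE_RE.search(line)
    if not m:
        return None
    atype, alen, prefix = int(m[1]), int(m[2]), bytes.fromhex(m[3])
    rec = {"type": atype, "name": ATTR_NAMES.get(atype, f"Attr-{atype}"), "length": alen}
    if atype == 26 and len(prefix) >= 6:
        # VSA layout: Vendor-Id(4) | Vendor-Type(1) | Vendor-Length(1) | value...
        vendor = int.from_bytes(prefix[:4], "big")
        rec.update(vendor=vendor, vsa_type=prefix[4], vsa_length=prefix[5],
                   value_prefix=prefix[6:].decode("ascii", "replace"))
        if vendor == CISCO_VENDOR_ID:
            rec["name"] = CISCO_VSA_NAMES.get(prefix[4], f"Cisco-VSA-{prefix[4]}")
        # Vendor-Length counts vendor type, vendor length and value; the outer attribute
        # adds its own 2-byte header plus the 4-byte Vendor-Id, so the lengths differ by 6.
        rec["well_formed"] = alen == 6 + prefix[5]
    elif atype == 4 and len(prefix) == 4:
        rec["value"] = ".".join(str(b) for b in prefix)          # NAS-IP-Address
    elif alen == 6 and len(prefix) == 4:
        rec["value"] = int.from_bytes(prefix, "big")              # integer attributes
    return rec


def consistent_with_avpair(rec, text):
    """Could this truncated Cisco-AVPair line have carried 'text'?  A necessary check only:
    the debug shows two value bytes, so equal-length strings with the same start also pass."""
    return (rec is not None and rec.get("name") == "Cisco-AVPair" and rec.get("well_formed", False)
            and rec["vsa_length"] == 2 + len(text) and text.startswith(rec["value_prefix"]))
```

On the two Access-Accept lines this reports Service-Type 1 (Login-User) and a Cisco-AVPair with vendor length 19 starting "sh", exactly the size of shell:priv-lvl=15, so the attribute left the server intact. On IOS only an authorization method list named default is applied implicitly; a named list such as stage is used on a vty only when the line also carries authorization exec stage, which is worth checking alongside login authentication stage.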