Anyone have any ideas on this? I have Googled to no avail. Anyone else
using Juniper ERX dixtionary to auth. and set CLI access levels? Any
information would be appreciated.
Robert
On Thu, Jul 15, 2004 at 02:08:57PM -0500, Robert Banniza wrote:
> Guys,
> Per the original email (below), here is some more information (debug)
> output. The symptons are that the radius users are all logging into the
> Juniper with priv. level 10 (regardless of what the
> ERX-Cli-Initial-Access-Level is set to). Here is what I'm seeing when I
> run 'radiusd -X -A':
>
> rad_recv: Access-Request packet from host 64.202.129.18:40929, id=31,
> length=89
> User-Password = "t3stm3"
> User-Name = "homer"
> Acct-Session-Id = "erx :0012583078"
> Service-Type = Administrative-User
> NAS-IP-Address = 10.1.5.17
> NAS-Identifier = "wilma.vr1-atl"
> modcall: entering group authorize for request 0
> modcall[authorize]: module "preprocess" returns ok for request 0
> modcall[authorize]: module "chap" returns noop for request 0
> modcall[authorize]: module "eap" returns noop for request 0
> rlm_realm: No '@' in User-Name = "homer", looking up realm NULL
> rlm_realm: No such realm "NULL"
> modcall[authorize]: module "suffix" returns noop for request 0
> users: Matched DEFAULT at 152
> users: Matched DEFAULT at 216
> modcall[authorize]: module "files" returns ok for request 0
> modcall[authorize]: module "mschap" returns noop for request 0
> rlm_ldap: - authorize
> rlm_ldap: performing user authorization for homer
> radius_xlat: '(&(ObjectClass=posixAccount)(uid=homer))'
> radius_xlat: 'ou=people,dc=test,dc=net'
> ldap_get_conn: Got Id: 0
> rlm_ldap: attempting LDAP reconnection
> rlm_ldap: (re)connect to jag.test.net:389, authentication 0
> rlm_ldap: bind as / to jag.test.net:389
> rlm_ldap: waiting for bind result ...
> rlm_ldap: performing search in ou=people,dc=test,dc=net, with filter
> (&(ObjectClass=posixAccount)(uid=homer))
> rlm_ldap: looking for check items in directory...
> rlm_ldap: Adding radiusAuthType as Auth-Type, value LDAP & op=21
> rlm_ldap: looking for reply items in directory...
> rlm_ldap: extracted attribute Juniper-Local-User-Name from generic item
> Juniper-Local-User-Name := tier3
> rlm_ldap: extracted attribute Cisco-AVPair from generic item
> Cisco-AVPair := "shell:priv-lvl=15"
> rlm_ldap: extracted attribute ERX-Cli-Initial-Access-Level from generic
> item ERX-Cli-Initial-Access-Level := "5"
> rlm_ldap: extracted attribute ERX-Alternate-Cli-Access-Level from
> generic item ERX-Alternate-Cli-Access-Level := "15"
> rlm_ldap: extracted attribute ERX-Cli-Allow-All-VR-Access from generic
> item ERX-CLI-Allow-All-VR-Access := 1
> rlm_ldap: user homer authorized to use remote access
> ldap_release_conn: Release Id: 0
> modcall[authorize]: module "ldap" returns ok for request 0
> modcall: group authorize returns ok for request 0
> rad_check_password: Found Auth-Type LDAP
> auth: type "LDAP"
> modcall: entering group Auth-Type for request 0
> rlm_ldap: - authenticate
> rlm_ldap: login attempt by "homer" with password "t3stm3"
> rlm_ldap: user DN: uid=homer,ou=people,dc=test,dc=net
> rlm_ldap: (re)connect to jag.test.net:389, authentication 1
> rlm_ldap: bind as uid=homer,ou=people,dc=test,dc=net/t3stm3 to
> jag.test.net:389
> rlm_ldap: waiting for bind result ...
> rlm_ldap: user homer authenticated succesfully
> modcall[authenticate]: module "ldap" returns ok for request 0
> modcall: group Auth-Type returns ok for request 0
> Sending Access-Accept of id 31 to 64.202.129.18:40929
> Service-Type = Administrative-User
> Juniper-Local-User-Name := "tier3"
> Cisco-AVPair := "shell:priv-lvl=15"
> ERX-Cli-Initial-Access-Level := "5"
> ERX-Alternate-Cli-Access-Level := "15"
> ERX-Cli-Allow-All-VR-Access := enable
> Finished request 0
> Going to the next request
>
> The output from aaa debug mode off of the Juniper is as follows:
>
> INFO 07/15/2004 14:55:14 EDT security (): telnet connection 90 with
> 10.1.1.162 established
> INFO 07/15/2004 14:55:22 EDT security (): exec authorization succeeded:
> no method list: model new, method (none), user h
> omer, 10.1.1.162, vty3
> INFO 07/15/2004 14:55:22 EDT security (): vty 3, telnet login, model
> new, method radius, user homer, 10.1.1.162
>
> Is there something else I need to do?
>
> Thanks
>
> Robert
>
> On Wed, Jul 14, 2004 at 10:11:33AM -0500, Robert Banniza wrote:
> > Guys,
> > I'm currently setting up Juniper E-Series devices to authenticate
> > against FreeRadius using rlm_ldap (OpenLDAP). I currently have:
> >
> > radiusReplyItem: ERX-Cli-Initial-Access-Level := "5"
> > radiusReplyItem: ERX-Alternate-Cli-Access-Level := "15"
> > radiusReplyItem: ERX-Cli-Allow-All-VR-Access := 1
> >
> > in my schema to allow for access levels, etc. The entire schema is:
> >
> > dn: uid=homer, ou=people, dc=test, dc=net
> > objectclass: person
> > objectclass: radiusprofile
> > objectclass: uidObject
> > objectClass: inetOrgPerson
> > objectClass: posixAccount
> > objectClass: extensibleObject
> > cn: Homer Simpson
> > sn: Simpson
> > loginShell: /bin/bash
> > userpassword: {SSHA}GyUvGheeeWsR5Y/rofdfYtbDDdQAxbMP
> > uidnumber: 2001
> > gidnumber: 20
> > homeDirectory: /home/homer
> > uid: homer
> > shadowLastChange: 10877
> > shadowMin: 0
> > shadowMax: 999999
> > shadowWarning: 7
> > shadowInactive: -1
> > shadowExpire: -1
> > shadowFlag: 0
> > radiusAuthType: LDAP
> > radiusReplyItem: Juniper-Local-User-Name := tier1
> > radiusReplyItem: Cisco-AVPair := "shell:priv-lvl=15"
> > radiusReplyItem: ERX-Cli-Initial-Access-Level := "5"
> > radiusReplyItem: ERX-Alternate-Cli-Access-Level := "15"
> > radiusReplyItem: ERX-Cli-Allow-All-VR-Access := 1
> > radiusprofileDN: uid=homer, ou=people, dc=test, dc=net
> >
> > However, I noticed in the dictionary.erx the following:
> >
> > # As a note on ERX broken-ness, If you don't send a Framed-IP-Address
> > # in the Access-Accept packet, the ERX disconnects the user, and
> > # sends an Accounting-Request packet with Acct-Status-Type = Stop
> > #
> > # It does NOT send a 'Start' packet, so this behaviour confuses the
> > # heck out of most admins, who do everything right, but have the ERX
> > # do stupid things.
> > #
> > #
> >
> > Do I need to add anything else to my LDAP schema/config files in order
> > to get this to work? I'm not quite sure I understand what the caption
> > from the dictionary.erx file is telling me. Thanks for any help...
> >
> > Robert
> >
> >
> > -
> > List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
> >
>
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
>
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
