On Tue, Jul 20, 2004 at 11:00:18PM +1000, Paul Hampson wrote:
> On Tue, Jul 20, 2004 at 06:35:32AM -0500, Robert Banniza wrote:
> > This we have done. They mentioned that Unisphere-Init-CLI-Access-Level
> > should work as well as ERX-Cli-Initial-Access-Level or
> > Juniper-Initial-CLI-Access-Level. What I don't understand is how the
> > Juniper is able to parse the three (as they are different names) and
> > understand them. I do not have anything in ldap.attrmap that maps one to
> > the other.
>
> It doesn't. The RADIUS server (FreeRADIUS, here) turns the names into
> numbers using the dictionary files, and sends the numbered attributes
> to the NAS.
OK, that makes more sense. Here is what we are seeing in the logs when trying to use ERX-Cli-Initial-Access-Level:

INFO 07/19/2004 20:52:47 EDT security (): telnet connection 124 with 10.1.5.10 established
DEBUG 07/19/2004 20:52:48 EDT aaaServerGeneral (): doInitiateUserSession: enter - profileHandle 0x0
DEBUG 07/19/2004 20:52:48 EDT aaaServerGeneral (): doInitiateUserSession: setting application's profileHandle 0xc000cf
DEBUG 07/19/2004 20:52:51 EDT aaaServerGeneral (): doInitiateUserSession: enter - profileHandle 0xc000cf
NOTICE 07/19/2004 20:52:51 EDT aaaServerGeneral (): setAddrProfile: requested to set addr profile when one exists
DEBUG 07/19/2004 20:52:54 EDT aaaServerGeneral (): doInitiateUserSession: enter - profileHandle 0xc000cf
NOTICE 07/19/2004 20:52:54 EDT aaaServerGeneral (): setAddrProfile: requested to set addr profile when one exists
DEBUG 07/19/2004 20:52:54 EDT radiusClient (): buildAuthRequest: building User Auth Request
DEBUG 07/19/2004 20:52:54 EDT radiusClient (): unknown interface type (default)
DEBUG 07/19/2004 20:52:54 EDT radiusClient (): sendPacket: RADIUS Access Request packet sent (default)
DEBUG 07/19/2004 20:52:54 EDT radiusClient (): processGoodAuthResponse enter:
DEBUG 07/19/2004 20:52:54 EDT radiusAttributes (): USER ATTRIBUTES: (homer)
DEBUG 07/19/2004 20:52:54 EDT radiusAttributes (): service type attr: 6
DEBUG 07/19/2004 20:52:54 EDT radiusAttributes (): admin all VR access (vsa) attr: 1
DEBUG 07/19/2004 20:52:54 EDT radiusAttributes (): alternate admin auth level (vsa) attr: 15
DEBUG 07/19/2004 20:52:54 EDT radiusClient (): dropping [0009] attribute, un-supported data <shell:priv-lvl=15>
INFO 07/19/2004 20:52:54 EDT aaaUserAccess (): User: homer, access granted
INFO 07/19/2004 20:52:54 EDT aaaUserAccess (): User: homer; terminating: Unknown
INFO 07/19/2004 20:52:54 EDT security (): exec authorization succeeded: no method list: model new, method (none), user homer, 10.1.5.10, vty3
INFO 07/19/2004 20:52:54 EDT security (): vty 3, telnet login, model new, method radius, user homer, 10.1.5.10
INFO 07/19/2004 20:53:02 EDT security (): command authorization succeeded: no method list: "enable 15" model new, method (none), user homer, 10.1.5.10, vty3, level 10, virtual-router default
INFO 07/19/2004 20:53:07 EDT security (): command authorization succeeded: no method list: "show users detail" model new, method (none), user homer, 10.1.5.10, vty3, level 15, virtual-router default

Here is the ldap schema:

dn: uid=homer, ou=people, dc=test, dc=net
objectclass: person
objectclass: radiusprofile
objectclass: uidObject
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: extensibleObject
cn: Homer Simpson
sn: Simpson
loginShell: /bin/bash
userpassword: {SSHA}vdyzFDGFDGsR5Y/rodfYWQgYvHaDxbMP
uidnumber: 2001
gidnumber: 20
homeDirectory: /home/homer
uid: homer
shadowLastChange: 10877
shadowMin: 0
shadowMax: 999999
shadowWarning: 7
shadowInactive: -1
shadowExpire: -1
shadowFlag: 0
radiusAuthType: LDAP
radiusReplyItem: Juniper-Local-User-Name := tier3
radiusReplyItem: Cisco-AVPair := "shell:priv-lvl=15"
radiusReplyItem: ERX-Cli-Initial-Access-Level := "5"
radiusReplyItem: ERX-Alternate-Cli-Access-Level := "15"
radiusReplyItem: ERX-CLI-Allow-All-VR-Access := 1
radiusprofileDN: uid=homer, ou=people, dc=test, dc=net

> --
> Paul "TBBle" Hampson, on an alternate email client.
>
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
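The following is an added example, not code from the thread, FreeRADIUS or Juniper. It shows the mechanism Paul describes: the server resolves an attribute name through a dictionary to a (vendor-id, vendor-type) pair and emits an RFC 2865 Vendor-Specific attribute (type 26), so the NAS never sees the name, only the numbers. It then turns the radiusReplyItem strings from the LDAP entry above into wire bytes and decodes them back. The mini dictionary is constructed here: vendor 4874 (Unisphere/ERX) and vendor 9 (Cisco) are the registered enterprise numbers, but the ERX attribute numbers (18, 19, 20) are quoted from memory of dictionary.erx and the Unisphere-/Juniper- alias table is assumed for illustration; check both against the dictionary files your server actually loads. Decoding with a dictionary that lacks vendor 9 shows what an attribute looks like to a receiver that does not know it, the situation the ERX appears to report when it drops the [0009] attribute in the log above.

```python
import re
import struct

VSA_TYPE = 26  # RFC 2865 section 5.26, Vendor-Specific

# Constructed mini-dictionary in FreeRADIUS dictionary syntax. ERX attribute
# numbers are ASSUMED (from memory of dictionary.erx); verify against your files.
DICTIONARY = """
VENDOR     ERX    4874
ATTRIBUTE  ERX-Cli-Initial-Access-Level    18  integer  ERX
ATTRIBUTE  ERX-Cli-Allow-All-VR-Access     19  integer  ERX
ATTRIBUTE  ERX-Alternate-Cli-Access-Level  20  integer  ERX
VENDOR     Cisco  9
ATTRIBUTE  Cisco-AVPair                     1  string   Cisco
"""

# Assumed alias table: several names for one (vendor, number) pair. Whichever
# name is used in LDAP, the bytes sent to the NAS are identical.
ALIASES = {
    "Unisphere-Init-CLI-Access-Level": "ERX-Cli-Initial-Access-Level",
    "Juniper-Initial-CLI-Access-Level": "ERX-Cli-Initial-Access-Level",
}

# radiusReplyItem syntax: Name <op> value, value optionally double-quoted.
REPLY_ITEM = re.compile(r'^\s*(\S+)\s*(:=|\+=|==|=)\s*"?([^"]*)"?\s*$')


def parse_dictionary(text):
    """Return {attribute-name: (vendor_id, vendor_type, data_type)}."""
    vendors, attrs = {}, {}
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0].startswith("#"):
            continue
        if parts[0] == "VENDOR":
            vendors[parts[1]] = int(parts[2])
        elif parts[0] == "ATTRIBUTE":
            name, number, data_type, vendor = parts[1:5]
            attrs[name] = (vendors[vendor], int(number), data_type)
    return attrs


def resolve(attrs, name):
    """Name or alias -> (vendor_id, vendor_type, data_type); case-insensitive
    like FreeRADIUS's own lookup, so ERX-CLI-... and ERX-Cli-... both match."""
    wanted = ALIASES.get(name, name).lower()
    for known, entry in attrs.items():
        if known.lower() == wanted:
            return entry
    raise KeyError(name)


def encode_vsa(attrs, name, value):
    """Encode one attribute as Type(26) Len VendorId(4) VendorType VendorLen data."""
    vendor_id, vendor_type, data_type = resolve(attrs, name)
    data = struct.pack("!I", int(value)) if data_type == "integer" else str(value).encode()
    vendor_len = 2 + len(data)   # vendor-type + vendor-length + data
    length = 6 + vendor_len      # type + length + 4-byte vendor-id + sub-attribute
    if length > 255:
        raise ValueError("VSA too long for a single attribute")
    return struct.pack("!BBIBB", VSA_TYPE, length, vendor_id, vendor_type, vendor_len) + data


def decode_vsa(attrs, raw):
    """Return (name_or_None, vendor_id, vendor_type, value). name is None when
    the receiver's dictionary has no entry for the (vendor, type) pair."""
    attr_type, length, vendor_id, vendor_type, vendor_len = struct.unpack_from("!BBIBB", raw)
    if attr_type != VSA_TYPE or length != len(raw) or vendor_len != length - 6:
        raise ValueError("malformed VSA")
    data = raw[8:8 + vendor_len - 2]
    for name, (vid, vtype, data_type) in attrs.items():
        if (vid, vtype) == (vendor_id, vendor_type):
            value = struct.unpack("!I", data)[0] if data_type == "integer" else data.decode()
            return name, vendor_id, vendor_type, value
    return None, vendor_id, vendor_type, data


def build_reply(attrs, reply_items):
    """Turn radiusReplyItem strings (as stored in LDAP) into concatenated VSAs."""
    out = []
    for item in reply_items:
        m = REPLY_ITEM.match(item)
        if not m:
            raise ValueError("cannot parse reply item: %r" % item)
        name, _op, value = m.groups()
        out.append(encode_vsa(attrs, name, value))
    return b"".join(out)


if __name__ == "__main__":
    attrs = parse_dictionary(DICTIONARY)
    # Constructed sample: the VSA reply items from the LDAP entry above
    # (Juniper-Local-User-Name is omitted because the mini-dictionary lacks it).
    items = ['ERX-Cli-Initial-Access-Level := "5"',
             'ERX-Alternate-Cli-Access-Level := "15"',
             'ERX-CLI-Allow-All-VR-Access := 1',
             'Cisco-AVPair := "shell:priv-lvl=15"']
    wire = build_reply(attrs, items)
    print(wire.hex())
    print(decode_vsa(attrs, wire[:12]))
```

Running it prints the four attributes back to back; the first 12 bytes are the Initial-Access-Level VSA and decode to vendor 4874, type 18, value 5 regardless of which of the three names produced them. Decoding the Cisco-AVPair bytes against a dictionary with no Cisco entries yields a name of None and the raw data, which is all a NAS has to go on when it logs an attribute as unsupported.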