On Wed, Jul 21, 2004 at 12:14:59PM +1000, Paul Hampson wrote:
> On Tue, Jul 20, 2004 at 08:35:59AM -0500, Robert Banniza wrote:
> > On Tue, Jul 20, 2004 at 11:00:18PM +1000, Paul Hampson wrote:
> > > On Tue, Jul 20, 2004 at 06:35:32AM -0500, Robert Banniza wrote:
> > > > This we have done. They mentioned that Unisphere-Init-CLI-Access-Level
> > > > should work as well as ERX-Cli-Initial-Access-Level or
> > > > Juniper-Initial-CLI-Access-Level. What I don't understand is how the
> > > > Juniper is able to parse the three (as they are different names) and
> > > > understand them. I do not have anything in ldap.attrmap that maps one to
> > > > the other.
> > >
> > > It doesn't. The RADIUS server (FreeRADIUS, here) turns the names into
> > > numbers using the dictionary files, and sends the numbered attributes
> > > to the NAS.
> >
> > OK, that makes more sense. Here is what we are seeing in the logs when
> > trying to use ERX-Cli-Initial-Access-Level:
> >
> > DEBUG 07/19/2004 20:52:54 EDT radiusAttributes (): USER ATTRIBUTES:
> > (homer)
> > DEBUG 07/19/2004 20:52:54 EDT radiusAttributes (): service type
> > attr: 6
> > DEBUG 07/19/2004 20:52:54 EDT radiusAttributes (): admin all VR
> > access (vsa) attr: 1
> > DEBUG 07/19/2004 20:52:54 EDT radiusAttributes (): alternate admin
> > auth level (vsa) attr: 15
> > DEBUG 07/19/2004 20:52:54 EDT radiusClient (): dropping [0009]
> > attribute, un-supported data <shell:priv-lvl=15>
>
> OK, it seems the initial admin level attribute's not getting through...
> I'd suggest packet-sniffing the RADIUS packets, and (assuming your
> sniffer can disassemble RADIUS packets) confirm that the packet on the
> wire includes the VSA attribute Vendor 4874 (0x130a) Attribute 18
> (0x12). We can see that Vendor 4874 Attribute 20
> (ERX-Alternate-Cli-Access-Level) is getting through fine.
I think we have found the issue (I sent an email in earlier about this). It looks like setting Service-Type = Administrative-User is causing us to bypass the Initial-CLI-Access attribute. When I take out Service-Type = Administrative-User, everything works as suggested on the Juniper. However, having Service-Type = Administrative-User commented out breaks the Cisco AVPair stuff I need in order to gain Shell Level Access.

> > INFO 07/19/2004 20:52:54 EDT aaaUserAccess (): User: homer, access
> > granted
> [trim]
> > Here is the ldap schema:
> [trim]
> > radiusReplyItem: Juniper-Local-User-Name := tier3
> > radiusReplyItem: Cisco-AVPair := "shell:priv-lvl=15"
> > radiusReplyItem: ERX-Cli-Initial-Access-Level := "5"
> > radiusReplyItem: ERX-Alternate-Cli-Access-Level := "15"
> > radiusReplyItem: ERX-CLI-Allow-All-VR-Access := 1
> > radiusprofileDN: uid=homer, ou=people, dc=test, dc=net
>
> --
> Paul "TBBle" Hampson, on an alternate email client.
>
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
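The check Paul suggests above (confirm that the reply on the wire actually carries the VSA for vendor 4874, attribute 18) can be scripted once the attribute section of a RADIUS packet has been captured. The following is an added example, not code from this thread or from FreeRADIUS: it walks the RFC 2865 attribute TLVs, unwraps Vendor-Specific (type 26) sub-attributes, and reports whether the ERX initial and alternate access-level VSAs are present alongside Service-Type. The vendor id 4874 and attribute numbers 18 and 20 are as stated in the thread; the Cisco vendor id 9 and the Cisco-AVPair sub-attribute number 1 are the standard dictionary values; the sample reply bytes are constructed here from the LDAP reply items, not captured from the NAS.

```python
"""Decode the attribute section of a RADIUS reply and check for the
Juniper ERX VSAs discussed in the thread (RFC 2865 TLV layout).
Sample data below is constructed, not captured."""
import struct

ATTR_SERVICE_TYPE = 6
ATTR_VENDOR_SPECIFIC = 26
SERVICE_TYPE_ADMINISTRATIVE_USER = 6   # RFC 2865 Service-Type value
VENDOR_ERX = 4874                      # 0x130a, Unisphere/Juniper ERX (as in the thread)
VENDOR_CISCO = 9                       # Cisco vendor id; the NAS log tags it [0009]

# FreeRADIUS dictionary names for the VSA numbers mentioned in the thread.
VSA_NAMES = {
    (VENDOR_ERX, 18): "ERX-Cli-Initial-Access-Level",
    (VENDOR_ERX, 20): "ERX-Alternate-Cli-Access-Level",
    (VENDOR_CISCO, 1): "Cisco-AVPair",
}


def encode_attr(atype, value):
    """type(1) length(1) value(n); length counts the 2-byte header too."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return bytes((atype, len(value) + 2)) + value


def encode_vsa(vendor_id, vendor_type, value):
    """Vendor-Specific (26): 4-byte vendor id, then vendor-type/vendor-length/value."""
    inner = bytes((vendor_type, len(value) + 2)) + value
    return encode_attr(ATTR_VENDOR_SPECIFIC, struct.pack("!I", vendor_id) + inner)


def parse_vsa(value):
    """Return [(vendor_id, vendor_type, value)] for every sub-attribute in one VSA."""
    if len(value) < 6:
        raise ValueError("VSA too short")
    vendor_id = struct.unpack("!I", value[:4])[0]
    pos, out = 4, []
    while pos < len(value):
        vtype, vlen = value[pos], value[pos + 1]
        if vlen < 2 or pos + vlen > len(value):
            raise ValueError("bad vendor-length")
        out.append((vendor_id, vtype, value[pos + 2:pos + vlen]))
        pos += vlen
    return out


def parse_attributes(payload):
    """Return [(attr_type, vendor_id, vendor_type, value)]; non-VSAs carry None vendor fields."""
    attrs, pos = [], 0
    while pos < len(payload):
        if pos + 2 > len(payload):
            raise ValueError("truncated attribute header")
        atype, alen = payload[pos], payload[pos + 1]
        if alen < 2 or pos + alen > len(payload):
            raise ValueError("bad attribute length")
        value = payload[pos + 2:pos + alen]
        if atype == ATTR_VENDOR_SPECIFIC:
            attrs.extend((atype, vid, vt, v) for vid, vt, v in parse_vsa(value))
        else:
            attrs.append((atype, None, None, value))
        pos += alen
    return attrs


def name_of(attr):
    """Map a parsed attribute back to a dictionary name, the reverse of what FreeRADIUS does."""
    atype, vid, vt, _ = attr
    if atype == ATTR_VENDOR_SPECIFIC:
        return VSA_NAMES.get((vid, vt), f"Vendor-{vid}-Attr-{vt}")
    return {ATTR_SERVICE_TYPE: "Service-Type"}.get(atype, f"Attr-{atype}")


def attr_names(payload):
    return [name_of(a) for a in parse_attributes(payload)]


def check_reply(payload):
    """The question the thread asks: is the initial access level actually on the wire?"""
    attrs = parse_attributes(payload)
    names = [name_of(a) for a in attrs]
    service = [a[3] for a in attrs if a[0] == ATTR_SERVICE_TYPE]
    return {
        "service_type": struct.unpack("!I", service[0])[0] if service else None,
        "has_initial_level": "ERX-Cli-Initial-Access-Level" in names,
        "has_alternate_level": "ERX-Alternate-Cli-Access-Level" in names,
        "cisco_avpairs": [a[3].decode() for a in attrs if name_of(a) == "Cisco-AVPair"],
    }


# Constructed sample: the reply items from the LDAP profile above, as the NAS would
# receive them after FreeRADIUS has turned the names into numbers.
SAMPLE_REPLY = b"".join([
    encode_attr(ATTR_SERVICE_TYPE, struct.pack("!I", SERVICE_TYPE_ADMINISTRATIVE_USER)),
    encode_vsa(VENDOR_ERX, 18, b"5"),
    encode_vsa(VENDOR_ERX, 20, b"15"),
    encode_vsa(VENDOR_CISCO, 1, b"shell:priv-lvl=15"),
])

if __name__ == "__main__":
    print(check_reply(SAMPLE_REPLY))
```

Feed `check_reply` the attribute bytes from a captured Access-Accept (everything after the 20-byte RADIUS header) and compare with the FreeRADIUS reply items: if `has_initial_level` is false while the server's debug output shows it sending ERX-Cli-Initial-Access-Level, the attribute is being lost on the server side before it reaches the wire; if it is true, the NAS is receiving it and ignoring it, which is the behaviour Robert describes when Service-Type = Administrative-User is set.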