Hi all,

Thanks for the reply.
I was just missing " ".

Well, another problem here. I have defined a priv level 7 in the switch
and ran the following commands:

privilege configure level 7 snmp-server host
privilege configure level 7 snmp-server enable
privilege configure level 7 snmp-server
privilege exec level 7 ping
!

But the user is still able to run all the commands.

Here is my users file config:

user   Auth-Type :=Local, User-Password == "user"
       Service-Type = NAS-Prompt-User,
       Login-Service = ssh,
       Cisco-avpair = "Shell:priv-lvl=7"
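The users file entry above is what FreeRADIUS turns into a Vendor-Specific attribute in the Access-Accept. The Python below is an added illustration, not part of this thread and not FreeRADIUS code: it encodes that attribute as RFC 2865 lays it out (Cisco's vendor id 9 and the Cisco-AVPair vendor type 1 from dictionary.cisco) next to Service-Type = NAS-Prompt-User, decodes an attribute list back, and extracts the privilege level a NAS would read from the shell:priv-lvl pair. The function names are my own, as is the choice to accept only the documented lowercase form shell:priv-lvl=N, so a pair that differs in spelling or case is reported as missing instead of being silently dropped.

```python
"""Encode/decode the Cisco-AVPair VSA that carries shell:priv-lvl.

Wire layout of a Vendor-Specific attribute (RFC 2865, section 5.26):
  Type=26 | Length | Vendor-Id (4 bytes) | Vendor-Type | Vendor-Length | String
"""
import re
import struct
from typing import List, Optional, Tuple

VENDOR_SPECIFIC = 26   # RFC 2865 Vendor-Specific attribute
SERVICE_TYPE = 6       # RFC 2865 Service-Type attribute
NAS_PROMPT_USER = 7    # Service-Type value NAS-Prompt-User
CISCO_VENDOR_ID = 9    # IANA enterprise number for Cisco
CISCO_AVPAIR = 1       # vendor type of Cisco-AVPair in dictionary.cisco


def encode_integer(attr_type: int, value: int) -> bytes:
    """Type, Length=6, 4-byte big-endian integer."""
    return struct.pack("!BBI", attr_type, 6, value)


def encode_cisco_avpair(value: str) -> bytes:
    """Wrap one AV pair string in a Cisco Vendor-Specific attribute."""
    data = value.encode("ascii")
    if len(data) > 247:  # 253-byte attribute payload minus the 6-byte VSA header
        raise ValueError("Cisco-AVPair value too long for a single VSA")
    sub = struct.pack("!BB", CISCO_AVPAIR, 2 + len(data)) + data
    return struct.pack("!BBI", VENDOR_SPECIFIC, 6 + len(sub), CISCO_VENDOR_ID) + sub


def build_accept_attributes(priv_lvl: int) -> bytes:
    """Attribute list an Access-Accept would carry for the users-file entry."""
    return encode_integer(SERVICE_TYPE, NAS_PROMPT_USER) + \
        encode_cisco_avpair(f"shell:priv-lvl={priv_lvl}")


def decode_attributes(payload: bytes) -> List[Tuple]:
    """Walk a RADIUS attribute list.

    Plain attributes come back as (type, raw_value); VSAs are expanded to
    (26, vendor_id, vendor_type, raw_value). Malformed lengths raise.
    """
    out: List[Tuple] = []
    i = 0
    while i < len(payload):
        if i + 2 > len(payload):
            raise ValueError("truncated attribute header")
        attr_type, length = payload[i], payload[i + 1]
        if length < 2 or i + length > len(payload):
            raise ValueError("bad attribute length")
        value = payload[i + 2:i + length]
        if attr_type == VENDOR_SPECIFIC:
            if len(value) < 6:
                raise ValueError("VSA too short")
            vendor_id = struct.unpack("!I", value[:4])[0]
            j = 4
            while j < len(value):
                if j + 2 > len(value):
                    raise ValueError("truncated vendor sub-attribute")
                vtype, vlen = value[j], value[j + 1]
                if vlen < 2 or j + vlen > len(value):
                    raise ValueError("bad vendor sub-attribute length")
                out.append((VENDOR_SPECIFIC, vendor_id, vtype, value[j + 2:j + vlen]))
                j += vlen
        else:
            out.append((attr_type, value))
        i += length
    return out


# Strict match on the documented form; IOS privilege levels run 0..15.
_PRIV_RE = re.compile(r"^shell:priv-lvl=(\d{1,2})$")


def privilege_level(attrs: List[Tuple]) -> Optional[int]:
    """Privilege level a Cisco NAS would take from the decoded attributes, or None."""
    for attr in attrs:
        if len(attr) == 4 and attr[1] == CISCO_VENDOR_ID and attr[2] == CISCO_AVPAIR:
            match = _PRIV_RE.match(attr[3].decode("ascii", "replace"))
            if match:
                lvl = int(match.group(1))
                if 0 <= lvl <= 15:
                    return lvl
    return None


if __name__ == "__main__":
    accept = build_accept_attributes(7)
    print(accept.hex())
    print(decode_attributes(accept))
    print("priv-lvl:", privilege_level(decode_attributes(accept)))
```

Running it prints the hex of the two attributes, the decoded tuples, and the privilege level 7; feed decode_attributes() the attribute portion of a captured Access-Accept to check what the NAS actually received.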





On 7/19/07, [EMAIL PROTECTED] <[EMAIL PROTECTED]> wrote:

Send Freeradius-Users mailing list submissions to
        freeradius-users@lists.freeradius.org

To subscribe or unsubscribe via the World Wide Web, visit
        http://lists.freeradius.org/mailman/listinfo/freeradius-users
or, via email, send a message with subject or body 'help' to
        [EMAIL PROTECTED]

You can reach the person managing the list at
        [EMAIL PROTECTED]

When replying, please edit your Subject line so it is more specific
than "Re: Contents of Freeradius-Users digest..."


Today's Topics:

   1. Problem in EAP-TLS Authentication (Govardhana K N)
   2. Re: Quirky question about rewriting usernames (Pshem Kowalczyk)
   3. Support for Cisco (ashish verma)
   4. Re: Support for Cisco ([EMAIL PROTECTED])
   5. Re: Support for Cisco (Peter Nixon)


----------------------------------------------------------------------

Message: 1
Date: Thu, 19 Jul 2007 10:36:28 +0530
From: "Govardhana K N" <[EMAIL PROTECTED]>
Subject: Problem in EAP-TLS Authentication
To: FreeRadius <freeradius-users@lists.freeradius.org>
Message-ID:
        <[EMAIL PROTECTED]>
Content-Type: text/plain; charset="iso-8859-1"

Hi,

I was trying to configure EAP with TLS/TTLS. After enabling TLS/TTLS in
"eap.conf", I tried sending a RADIUS Access-Request with an EAP-Identity
response. The server is crashing because of a segmentation fault. The debug
log from the server is given below.


------------------------------------------------------------------------
cheux301:/etc/freeradius# freeradius -X
Starting - reading configuration files ...
reread_config:  reading radiusd.conf
Config:   including file: /etc/freeradius/proxy.conf
Config:   including file: /etc/freeradius/clients.conf
Config:   including file: /etc/freeradius/snmp.conf
Config:   including file: /etc/freeradius/eap.conf
Config:   including file: /etc/freeradius/sql.conf
main: prefix = "/usr"
main: localstatedir = "/var"
main: logdir = "/var/log/freeradius"
main: libdir = "/usr/lib/freeradius:/usr/local/lib"
main: radacctdir = "/var/log/freeradius/radacct"
main: hostname_lookups = no
main: max_request_time = 30
main: cleanup_delay = 5
main: max_requests = 1024
main: delete_blocked_requests = 0
main: port = 0
main: allow_core_dumps = no
main: log_stripped_names = yes
main: log_file = "/var/log/freeradius/radius.log"
main: log_auth = no
main: log_auth_badpass = no
main: log_auth_goodpass = no
main: pidfile = "/var/run/freeradius/freeradius.pid"
main: bind_address = 127.0.0.1 IP address [127.0.0.1]
main: user = "freerad"
main: group = "freerad"
main: usercollide = no
main: lower_user = "no"
main: lower_pass = "no"
main: nospace_user = "no"
main: nospace_pass = "no"
main: checkrad = "/usr/sbin/checkrad"
main: proxy_requests = no
proxy: retry_delay = 5
proxy: retry_count = 3
proxy: synchronous = no
proxy: default_fallback = yes
proxy: dead_time = 120
proxy: post_proxy_authorize = no
proxy: wake_all_if_all_dead = no
security: max_attributes = 200
security: reject_delay = 1
security: status_server = no
main: debug_level = 0
read_config_files:  reading dictionary
read_config_files:  reading naslist
Using deprecated naslist file.  Support for this will go away soon.
read_config_files:  reading clients
read_config_files:  reading realms
radiusd:  entering modules setup
Module: Library search path is /usr/lib/freeradius:/usr/local/lib
Module: Loaded exec
exec: wait = yes
exec: program = "(null)"
exec: input_pairs = "request"
exec: output_pairs = "(null)"
exec: packet_type = "(null)"
rlm_exec: Wait=yes but no output defined. Did you mean output=none?
Module: Instantiated exec (exec)
Module: Loaded expr
Module: Instantiated expr (expr)
Module: Loaded PAP
pap: encryption_scheme = "crypt"
Module: Instantiated pap (pap)
Module: Loaded CHAP
Module: Instantiated chap (chap)
Module: Loaded MS-CHAP
mschap: use_mppe = yes
mschap: require_encryption = yes
mschap: require_strong = yes
mschap: with_ntdomain_hack = no
mschap: passwd = "(null)"
mschap: ntlm_auth = "(null)"
Module: Instantiated mschap (mschap)
Module: Loaded System
unix: cache = no
unix: passwd = "/etc/passwd"
unix: shadow = "/etc/shadow"
unix: group = "/etc/group"
unix: radwtmp = "/var/log/freeradius/radwtmp"
unix: usegroup = no
unix: cache_reload = 600
Module: Instantiated unix (unix)
Module: Loaded eap
eap: default_eap_type = "md5"
eap: timer_expire = 60
eap: ignore_unknown_eap_types = no
eap: cisco_accounting_username_bug = no
rlm_eap: Loaded and initialized type md5
rlm_eap: Loaded and initialized type leap
gtc: challenge = "Password: "
gtc: auth_type = "PAP"
rlm_eap: Loaded and initialized type gtc
tls: rsa_key_exchange = no
tls: dh_key_exchange = yes
tls: rsa_key_length = 512
tls: dh_key_length = 512
tls: verify_depth = 0
tls: CA_path = "(null)"
tls: pem_file_type = yes
tls: private_key_file = "/etc/freeradius/certs/cert-srv.pem"
tls: certificate_file = "/etc/freeradius/certs/cert-srv.pem"
tls: CA_file = "/etc/freeradius/certs/demoCA/cacert.pem"
tls: private_key_password = "whatever"
tls: dh_file = "/etc/freeradius/certs/dh"
tls: random_file = "/etc/freeradius/certs/random"
tls: fragment_size = 1024
tls: include_length = yes
tls: check_crl = yes
tls: check_cert_cn = "%{User-Name}"
tls: cipher_list = "DEFAULT"
tls: check_cert_issuer = "/C=GB/ST=Berkshire/L=Newbury/O=My Company Ltd"
rlm_eap_tls: Loading the certificate file as a chain
rlm_eap: Loaded and initialized type tls
ttls: default_eap_type = "md5"
ttls: copy_request_to_tunnel = no
ttls: use_tunneled_reply = no
rlm_eap: Loaded and initialized type ttls
mschapv2: with_ntdomain_hack = no
rlm_eap: Loaded and initialized type mschapv2
Module: Instantiated eap (eap)
Module: Loaded preprocess
preprocess: huntgroups = "/etc/freeradius/huntgroups"
preprocess: hints = "/etc/freeradius/hints"
preprocess: with_ascend_hack = no
preprocess: ascend_channels_per_line = 23
preprocess: with_ntdomain_hack = no
preprocess: with_specialix_jetstream_hack = no
preprocess: with_cisco_vsa_hack = no
preprocess: with_alvarion_vsa_hack = no
Module: Instantiated preprocess (preprocess)
Module: Loaded realm
realm: format = "suffix"
realm: delimiter = "@"
realm: ignore_default = no
realm: ignore_null = no
Module: Instantiated realm (suffix)
Module: Loaded files
files: usersfile = "/etc/freeradius/users"
files: acctusersfile = "/etc/freeradius/acct_users"
files: preproxy_usersfile = "/etc/freeradius/preproxy_users"
files: compat = "no"
Module: Instantiated files (files)
Module: Loaded Acct-Unique-Session-Id
acct_unique: key = "User-Name, Acct-Session-Id, NAS-IP-Address,
Client-IP-Address"
Module: Instantiated acct_unique (acct_unique)
Module: Loaded detail
detail: detailfile =
"/var/log/freeradius/radacct/%{Client-IP-Address}/detail-%Y%m%d"
detail: detailperm = 384
detail: dirperm = 493
detail: locking = no
Module: Instantiated detail (detail)
Module: Loaded radutmp
radutmp: filename = "/var/log/freeradius/radutmp"
radutmp: username = "%{User-Name}"
radutmp: case_sensitive = yes
radutmp: check_with_nas = yes
radutmp: perm = 384
radutmp: callerid = yes
Module: Instantiated radutmp (radutmp)
Listening on authentication 127.0.0.1:1812
Listening on accounting 127.0.0.1:1813
Ready to process requests.
rad_recv: Access-Request packet from host 127.0.0.1:32823, id=217,
length=95
        User-Name = "jrc"
        NAS-Identifier = "jrcnas"
        NAS-Port-Type = Ethernet
        CUI = "0"
        Service-Type = Framed-User
        Framed-MTU = 1400
        Calling-Station-Id = "1:1:1:1:1:1"
        Message-Authenticator = 0x2568987af6f31763f9199f8067fafee1
        EAP-Message = 0x02d20008016a7263
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
Segmentation fault
cheux301:/etc/freeradius#

------------------------------------------------------------------------


--
Thanks & Regards,
Govardhana K N

------------------------------

Message: 2
Date: Thu, 19 Jul 2007 17:59:54 +1200
From: "Pshem Kowalczyk" <[EMAIL PROTECTED]>
Subject: Re: Quirky question about rewriting usernames
To: "FreeRadius users mailing list"
        <freeradius-users@lists.freeradius.org>
Message-ID:
        <[EMAIL PROTECTED]>
Content-Type: text/plain; charset=UTF-8; format=flowed

Hi

On 19/07/07, Cliff Cole <[EMAIL PROTECTED]> wrote:
> Hello all.
>
> Here is my issue.  This is very weird and would only affect one NAS.
> I'm not sure freeradius is capable of this.  I want a username that
> comes in to check for an @domainname.  If the domainname is there I
> want it to be stripped and added back later.  If the domainname is not
> there I'd like it to continue and have to domainname added later in
> the authentication process.  I hope this makes sense and any help is
> appreciated

What do you mean by 'later'? You can definitely check for the presence
of a domain; you can strip it and add it again. You just have to define
the flow. rlm_attr will be of help to you (for both stripping and
adding).

kind regards
Pshem


------------------------------

Message: 3
Date: Thu, 19 Jul 2007 14:33:13 +0530
From: "ashish verma" <[EMAIL PROTECTED]>
Subject: Support for Cisco
To: freeradius-users@lists.freeradius.org
Message-ID:
        <[EMAIL PROTECTED]>
Content-Type: text/plain; charset="iso-8859-1"

Hi all,

I am trying to configure FreeRADIUS for some Cisco devices.
Till now I am able to authenticate using the RADIUS server, and I am
getting into user level or privilege level depending on the attribute I am
defining.
Now what I am looking for is authorization.
There is something called the "Cisco-AV priv" attribute through which one can
define a privilege level from 1 to 15. But I am not able to define it in the
"users file".
Can anyone tell me how to define this, or whether we can define this kind
of attribute in FreeRADIUS or not?

Thanks in advance,
Ashish

------------------------------

Message: 4
Date: Thu, 19 Jul 2007 10:14:49 +0100
From: <[EMAIL PROTECTED]>
Subject: Re: Support for Cisco
To: "FreeRadius users mailing list"
        <freeradius-users@lists.freeradius.org>
Message-ID: <[EMAIL PROTECTED]>
Content-Type: text/plain; charset=ISO-8859-2

Use the proper format:

Cisco-AVPair = "priv-lvl=levelnumber"

Ivan Kalik
Kalik Informatika ISP


On 19/7/2007, "ashish verma" <[EMAIL PROTECTED]> wrote:

>Hi all,
>
>I am trying to configure FreeRADIUS for some Cisco devices.
>Till now I am able to authenticate using the RADIUS server, and I am
>getting into user level or privilege level depending on the attribute I am
>defining.
>Now what I am looking for is authorization.
>There is something called the "Cisco-AV priv" attribute through which one can
>define a privilege level from 1 to 15. But I am not able to define it in the
>"users file".
>Can anyone tell me how to define this, or whether we can define this kind
>of attribute in FreeRADIUS or not?
>
>Thanks in advance,
>Ashish
>
>



------------------------------

Message: 5
Date: Thu, 19 Jul 2007 12:20:04 +0300
From: Peter Nixon <[EMAIL PROTECTED]>
Subject: Re: Support for Cisco
To: FreeRadius users mailing list
        <freeradius-users@lists.freeradius.org>
Message-ID: <[EMAIL PROTECTED]>
Content-Type: text/plain;  charset="iso-8859-9"

On Thu 19 Jul 2007, ashish verma wrote:
> Hi all,
>
> I am trying to configure FreeRADIUS for some Cisco devices.
> Till now I am able to authenticate using the RADIUS server, and I am
> getting into user level or privilege level depending on the attribute I
> am defining. Now what I am looking for is authorization.
> There is something called the "Cisco-AV priv" attribute through which one
> can define a privilege level from 1 to 15. But I am not able to define it in
> the "users file".
> Can anyone tell me how to define this, or whether we can define this kind
> of attribute in FreeRADIUS or not?

http://wiki.freeradius.org/Cisco#Per_User_Privilege_Level

--

Peter Nixon
http://peternixon.net/


------------------------------

-
List info/subscribe/unsubscribe? See
http://www.freeradius.org/list/users.html


End of Freeradius-Users Digest, Vol 27, Issue 116
*************************************************
