Hi all,

Thanks for the reply. I was just missing " ".

Well, another problem here. I have defined a priv level 7 in the switch and ran the following commands:

privilege configure level 7 snmp-server host
privilege configure level 7 snmp-server enable
privilege configure level 7 snmp-server
privilege exec level 7 ping
!

But still the user is able to run all the commands. Here is my users file conf:

user    Auth-Type := Local, User-Password == "user"
        Service-Type = NAS-Prompt-User,
        Login-Service = ssh,
        Cisco-avpair = "Shell:priv-lvl=7"

On 7/19/07, [EMAIL PROTECTED] < [EMAIL PROTECTED]> wrote:
Send Freeradius-Users mailing list submissions to
        freeradius-users@lists.freeradius.org

To subscribe or unsubscribe via the World Wide Web, visit
        http://lists.freeradius.org/mailman/listinfo/freeradius-users
or, via email, send a message with subject or body 'help' to
        [EMAIL PROTECTED]

You can reach the person managing the list at
        [EMAIL PROTECTED]

When replying, please edit your Subject line so it is more specific
than "Re: Contents of Freeradius-Users digest..."

Today's Topics:

   1. Problem in EAP-TLS Authentication (Govardhana K N)
   2. Re: Quirky question about rewriting usernames (Pshem Kowalczyk)
   3. Support for Cisco (ashish verma)
   4. Re: Support for Cisco ([EMAIL PROTECTED])
   5. Re: Support for Cisco (Peter Nixon)

----------------------------------------------------------------------

Message: 1
Date: Thu, 19 Jul 2007 10:36:28 +0530
From: "Govardhana K N" <[EMAIL PROTECTED]>
Subject: Problem in EAP-TLS Authentication
To: FreeRadius <freeradius-users@lists.freeradius.org>
Message-ID: <[EMAIL PROTECTED]>
Content-Type: text/plain; charset="iso-8859-1"

Hi,

I was trying to configure EAP with TLS/TTLS. After enabling TLS/TTLS in "eap.conf", I tried sending a Radius Access-Request with an EAP-Identity response. The server is crashing because of a segmentation fault. The debug log from the server is given below.

-------------------------------------------------------------------------------
cheux301:/etc/freeradius# freeradius -X
Starting - reading configuration files ...
reread_config: reading radiusd.conf
Config: including file: /etc/freeradius/proxy.conf
Config: including file: /etc/freeradius/clients.conf
Config: including file: /etc/freeradius/snmp.conf
Config: including file: /etc/freeradius/eap.conf
Config: including file: /etc/freeradius/sql.conf
main: prefix = "/usr"
main: localstatedir = "/var"
main: logdir = "/var/log/freeradius"
main: libdir = "/usr/lib/freeradius:/usr/local/lib"
main: radacctdir = "/var/log/freeradius/radacct"
main: hostname_lookups = no
main: max_request_time = 30
main: cleanup_delay = 5
main: max_requests = 1024
main: delete_blocked_requests = 0
main: port = 0
main: allow_core_dumps = no
main: log_stripped_names = yes
main: log_file = "/var/log/freeradius/radius.log"
main: log_auth = no
main: log_auth_badpass = no
main: log_auth_goodpass = no
main: pidfile = "/var/run/freeradius/freeradius.pid"
main: bind_address = 127.0.0.1 IP address [127.0.0.1]
main: user = "freerad"
main: group = "freerad"
main: usercollide = no
main: lower_user = "no"
main: lower_pass = "no"
main: nospace_user = "no"
main: nospace_pass = "no"
main: checkrad = "/usr/sbin/checkrad"
main: proxy_requests = no
proxy: retry_delay = 5
proxy: retry_count = 3
proxy: synchronous = no
proxy: default_fallback = yes
proxy: dead_time = 120
proxy: post_proxy_authorize = no
proxy: wake_all_if_all_dead = no
security: max_attributes = 200
security: reject_delay = 1
security: status_server = no
main: debug_level = 0
read_config_files: reading dictionary
read_config_files: reading naslist
Using deprecated naslist file. Support for this will go away soon.
read_config_files: reading clients
read_config_files: reading realms
radiusd: entering modules setup
Module: Library search path is /usr/lib/freeradius:/usr/local/lib
Module: Loaded exec
exec: wait = yes
exec: program = "(null)"
exec: input_pairs = "request"
exec: output_pairs = "(null)"
exec: packet_type = "(null)"
rlm_exec: Wait=yes but no output defined. Did you mean output=none?
Module: Instantiated exec (exec)
Module: Loaded expr
Module: Instantiated expr (expr)
Module: Loaded PAP
pap: encryption_scheme = "crypt"
Module: Instantiated pap (pap)
Module: Loaded CHAP
Module: Instantiated chap (chap)
Module: Loaded MS-CHAP
mschap: use_mppe = yes
mschap: require_encryption = yes
mschap: require_strong = yes
mschap: with_ntdomain_hack = no
mschap: passwd = "(null)"
mschap: ntlm_auth = "(null)"
Module: Instantiated mschap (mschap)
Module: Loaded System
unix: cache = no
unix: passwd = "/etc/passwd"
unix: shadow = "/etc/shadow"
unix: group = "/etc/group"
unix: radwtmp = "/var/log/freeradius/radwtmp"
unix: usegroup = no
unix: cache_reload = 600
Module: Instantiated unix (unix)
Module: Loaded eap
eap: default_eap_type = "md5"
eap: timer_expire = 60
eap: ignore_unknown_eap_types = no
eap: cisco_accounting_username_bug = no
rlm_eap: Loaded and initialized type md5
rlm_eap: Loaded and initialized type leap
gtc: challenge = "Password: "
gtc: auth_type = "PAP"
rlm_eap: Loaded and initialized type gtc
tls: rsa_key_exchange = no
tls: dh_key_exchange = yes
tls: rsa_key_length = 512
tls: dh_key_length = 512
tls: verify_depth = 0
tls: CA_path = "(null)"
tls: pem_file_type = yes
tls: private_key_file = "/etc/freeradius/certs/cert-srv.pem"
tls: certificate_file = "/etc/freeradius/certs/cert-srv.pem"
tls: CA_file = "/etc/freeradius/certs/demoCA/cacert.pem"
tls: private_key_password = "whatever"
tls: dh_file = "/etc/freeradius/certs/dh"
tls: random_file = "/etc/freeradius/certs/random"
tls: fragment_size = 1024
tls: include_length = yes
tls: check_crl = yes
tls: check_cert_cn = "%{User-Name}"
tls: cipher_list = "DEFAULT"
tls: check_cert_issuer = "/C=GB/ST=Berkshire/L=Newbury/O=My Company Ltd"
rlm_eap_tls: Loading the certificate file as a chain
rlm_eap: Loaded and initialized type tls
ttls: default_eap_type = "md5"
ttls: copy_request_to_tunnel = no
ttls: use_tunneled_reply = no
rlm_eap: Loaded and initialized type ttls
mschapv2: with_ntdomain_hack = no
rlm_eap: Loaded and initialized type mschapv2
Module: Instantiated eap (eap)
Module: Loaded preprocess
preprocess: huntgroups = "/etc/freeradius/huntgroups"
preprocess: hints = "/etc/freeradius/hints"
preprocess: with_ascend_hack = no
preprocess: ascend_channels_per_line = 23
preprocess: with_ntdomain_hack = no
preprocess: with_specialix_jetstream_hack = no
preprocess: with_cisco_vsa_hack = no
preprocess: with_alvarion_vsa_hack = no
Module: Instantiated preprocess (preprocess)
Module: Loaded realm
realm: format = "suffix"
realm: delimiter = "@"
realm: ignore_default = no
realm: ignore_null = no
Module: Instantiated realm (suffix)
Module: Loaded files
files: usersfile = "/etc/freeradius/users"
files: acctusersfile = "/etc/freeradius/acct_users"
files: preproxy_usersfile = "/etc/freeradius/preproxy_users"
files: compat = "no"
Module: Instantiated files (files)
Module: Loaded Acct-Unique-Session-Id
acct_unique: key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address"
Module: Instantiated acct_unique (acct_unique)
Module: Loaded detail
detail: detailfile = "/var/log/freeradius/radacct/%{Client-IP-Address}/detail-%Y%m%d"
detail: detailperm = 384
detail: dirperm = 493
detail: locking = no
Module: Instantiated detail (detail)
Module: Loaded radutmp
radutmp: filename = "/var/log/freeradius/radutmp"
radutmp: username = "%{User-Name}"
radutmp: case_sensitive = yes
radutmp: check_with_nas = yes
radutmp: perm = 384
radutmp: callerid = yes
Module: Instantiated radutmp (radutmp)
Listening on authentication 127.0.0.1:1812
Listening on accounting 127.0.0.1:1813
Ready to process requests.
rad_recv: Access-Request packet from host 127.0.0.1:32823, id=217, length=95
        User-Name = "jrc"
        NAS-Identifier = "jrcnas"
        NAS-Port-Type = Ethernet
        CUI = "0"
        Service-Type = Framed-User
        Framed-MTU = 1400
        Calling-Station-Id = "1:1:1:1:1:1"
        Message-Authenticator = 0x2568987af6f31763f9199f8067fafee1
        EAP-Message = 0x02d20008016a7263
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
Segmentation fault
cheux301:/etc/freeradius#
-------------------------------------------------------------------------------

--
Thanks & Regards,
Govardhana K N

-------------- next part --------------
An HTML attachment was scrubbed...
URL: https://lists.freeradius.org/pipermail/freeradius-users/attachments/20070719/d5a2969f/attachment-0001.html

------------------------------

Message: 2
Date: Thu, 19 Jul 2007 17:59:54 +1200
From: "Pshem Kowalczyk" <[EMAIL PROTECTED]>
Subject: Re: Quirky question about rewriting usernames
To: "FreeRadius users mailing list" <freeradius-users@lists.freeradius.org>
Message-ID: <[EMAIL PROTECTED]>
Content-Type: text/plain; charset=UTF-8; format=flowed

Hi

On 19/07/07, Cliff Cole <[EMAIL PROTECTED]> wrote:
> Hello all.
>
> Here is my issue. This is very weird and would only affect one NAS.
> I'm not sure freeradius is capable of this. I want a username that
> comes in to check for an @domainname. If the domainname is there I
> want it to be stripped and added back later. If the domainname is not
> there I'd like it to continue and have the domainname added later in
> the authentication process. I hope this makes sense and any help is
> appreciated

What do you mean by 'later'? You can definitely check for the presence of a domain; you can strip it and add it again. You just have to define the flow. rlm_attr will be of help to you (for both stripping and adding).
kind regards
Pshem

------------------------------

Message: 3
Date: Thu, 19 Jul 2007 14:33:13 +0530
From: "ashish verma" <[EMAIL PROTECTED]>
Subject: Support for Cisco
To: freeradius-users@lists.freeradius.org
Message-ID: <[EMAIL PROTECTED]>
Content-Type: text/plain; charset="iso-8859-1"

Hi all,

I am trying to configure "free radius" for some Cisco devices. Till now I am able to authenticate using the radius server and I am getting into user level or privilege level depending on the attribute I am defining. Now what I am looking for is authorization. There is something called "Cisco-AV priv" attribute through which one can define privilege level from 1 to 15. But I am not able to define it in "users file". Can anyone tell me how to define this or whether we can define this kind of attribute in freeradius or not?

Thanks in advance,
Ashish

-------------- next part --------------
An HTML attachment was scrubbed...
URL: https://lists.freeradius.org/pipermail/freeradius-users/attachments/20070719/17ebaf12/attachment-0001.html

------------------------------

Message: 4
Date: Thu, 19 Jul 2007 10:14:49 +0100
From: <[EMAIL PROTECTED]>
Subject: Re: Support for Cisco
To: "FreeRadius users mailing list" <freeradius-users@lists.freeradius.org>
Message-ID: <[EMAIL PROTECTED]>
Content-Type: text/plain; charset=ISO-8859-2

Use proper format:

Cisco-AVPair = "priv-lvl=levelnumber"

Ivan Kalik
Kalik Informatika ISP

On 19/7/2007, "ashish verma" <[EMAIL PROTECTED]> writes:

>Hi all,
>
>I am trying to configure "free radius" for some Cisco devices.
>till now i am able to authenticate using the radius server and i am getting
>into user level or privilege level depending on the attribute i am defining.
>Now what i am looking for is authorization.
>There is something called "Cisco-AV priv" attribute through which one can
>define privilege level from 1 to 15. But i am not able to define it in
>"users file".
>Can anyone tell me how to define this or whether we can define this kind of
>attribute in freeradius or not?
>
>Thanks in advance,
>Ashish
>
>

------------------------------

Message: 5
Date: Thu, 19 Jul 2007 12:20:04 +0300
From: Peter Nixon <[EMAIL PROTECTED]>
Subject: Re: Support for Cisco
To: FreeRadius users mailing list <freeradius-users@lists.freeradius.org>
Message-ID: <[EMAIL PROTECTED]>
Content-Type: text/plain; charset="iso-8859-9"

On Thu 19 Jul 2007, ashish verma wrote:
> Hi all,
>
> I am trying to configure "free radius" for some Cisco devices.
> till now i am able to authenticate using the radius server and i am
> getting into user level or privilege level depending on the attribute i am
> defining. Now what i am looking for is authorization.
> There is something called "Cisco-AV priv" attribute through which one can
> define privilege level from 1 to 15. But i am not able to define it in
> "users file".
> Can anyone tell me how to define this or whether we can define this kind
> of attribute in freeradius or not?

http://wiki.freeradius.org/Cisco#Per_User_Privilege_Level

--
Peter Nixon
http://peternixon.net/

------------------------------

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

End of Freeradius-Users Digest, Vol 27, Issue 116
*************************************************
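An added example, not code from the thread or from FreeRADIUS: a small Python lint that parses users-file entries like the one posted in the thread and checks each Cisco-AVPair reply item against the form the FreeRADIUS wiki documents for per-user privilege level (`shell:priv-lvl=N`), so an entry that silently hands out the wrong level is caught before it reaches a switch. The sample entries, the strict lowercase match and the 0..15 range check are assumptions of this example.

```python
import re

# Constructed sample (not from the thread's servers): the thread's own entry, one in
# the form the FreeRADIUS wiki documents, and one with a level IOS does not define.
SAMPLE_USERS = '''\
user    Auth-Type := Local, User-Password == "user"
        Service-Type = NAS-Prompt-User,
        Login-Service = ssh,
        Cisco-avpair = "Shell:priv-lvl=7"
netadmin    Cleartext-Password := "s3cret"
        Service-Type = NAS-Prompt-User,
        Cisco-AVPair = "shell:priv-lvl=15"
oops    Cleartext-Password := "x"
        Cisco-AVPair = "shell:priv-lvl=99"
'''
# One "Attribute op value" item; the value is either double-quoted or bare.
ITEM_RE = re.compile(r'([\w-]+)\s*(:=|==|\+=|!=|=~|!~|>=|<=|>|<|=)\s*("(?:[^"\\]|\\.)*"|[^\s,]+)')
# Documented Cisco form: lowercase prefix, numeric level (assumption: match it strictly).
CANON_RE = re.compile(r'^shell:priv-lvl=(\d+)$')

def parse_items(text):
    return [(a, op, v.strip('"')) for a, op, v in ITEM_RE.findall(text)]

def parse_users(text):
    # First line of an entry = name + check items; indented lines = reply items.
    entries, cur = [], None
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if line[0].isspace() and cur is not None:
            cur["reply"].extend(parse_items(line))
        else:
            parts = line.split(None, 1)
            cur = {"name": parts[0], "check": parse_items(parts[1] if len(parts) > 1 else ""), "reply": []}
            entries.append(cur)
    return entries

def check_priv_lvl(entry):
    # Returns (level the device would apply or None, findings a reviewer wants to see).
    level, findings = None, []
    for attr, _, val in entry["reply"]:
        if attr.lower() != "cisco-avpair":
            continue
        m = CANON_RE.match(val)
        if not m:
            findings.append(f"{entry['name']}: {val!r} is not of the form shell:priv-lvl=N")
        elif not 0 <= int(m.group(1)) <= 15:
            findings.append(f"{entry['name']}: level {m.group(1)} outside IOS range 0..15")
        else:
            level = int(m.group(1))
    return level, findings

if __name__ == "__main__":
    for e in parse_users(SAMPLE_USERS):
        print(e["name"], check_priv_lvl(e))
```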