Alan DeKok wrote:
Jeff Davis wrote:
  
Sorry - I'm a n00b to this project.

Trying to get OpenLDAP-based authentication working (well the auth DOES
work) but cannot seem to get authorization working.

Googling has so far failed me.  Perhaps someone on this list can clue me
in...
    

  Have you run the server in debug mode as suggested in the FAQ, README,
"man" page, etc..?
  

Yes. As far as the radius server is concerned everything is fine.  I would agree that the problem is likely on the switch(es).  Just not sure what's missing/extra that's hosing it up.

Here's the relevant stuff from the switch.

aaa new-model
aaa authentication password-prompt PASS:
aaa authentication username-prompt USER:
aaa authentication login default group radius local
aaa authentication login localauth local
aaa authentication dot1x default group radius
aaa accounting delay-start
aaa accounting exec default start-stop group radius
aaa accounting network default start-stop group radius

<snip>

radius-server host 10.100.0.15 auth-port 1812 acct-port 1813
radius-server retransmit 3
radius-server timeout 10
radius-server key <myk3y>


  
users file has the following:

DEFAULT Service-Type == NAS-Prompt-User
       Service-Type := NAS-Prompt-User,
       Cisco-AVPair += "shell:priv-lvl=15"
    

  If those attributes are being sent back to the NAS, then fix the NAS
so that it follows the instructions sent by the RADIUS server.

  Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
  

-- 
Jefferson K Davis
Technology & Information Systems Manager
Standard School District
1200 North Chester Ave
Bakersfield, CA  93308
USA
661.392.2110 ext 120
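
Added example, not part of the original thread and not code from FreeRADIUS or Cisco: a small check over the AAA lines quoted above showing that login authentication and accounting point at RADIUS while no exec authorization method list does, which on IOS is what causes a returned shell:priv-lvl to be applied. The function names are hypothetical, and it assumes the <snip> did not hide an "aaa authorization" line.

```python
import re

# Constructed sample: the AAA lines from the switch excerpt quoted in the thread.
SWITCH_CONFIG = """\
aaa new-model
aaa authentication password-prompt PASS:
aaa authentication username-prompt USER:
aaa authentication login default group radius local
aaa authentication login localauth local
aaa authentication dot1x default group radius
aaa accounting delay-start
aaa accounting exec default start-stop group radius
aaa accounting network default start-stop group radius
"""

# Matches method-list lines only: aaa <function> <service> <list-name> <methods...>
AAA_LINE = re.compile(r"^aaa (authentication|authorization|accounting) (\S+) (\S+) (.+)$")

def parse_method_lists(config):
    """Return {(function, service, list_name): [method tokens]}."""
    lists = {}
    for line in config.splitlines():
        m = AAA_LINE.match(line.strip())
        if m:
            function, service, name, methods = m.groups()
            lists[(function, service, name)] = methods.split()
    return lists

def uses_radius(methods):
    """True if the method tokens contain the pair 'group radius'."""
    return any(a == "group" and b == "radius" for a, b in zip(methods, methods[1:]))

def find_gaps(config):
    """Flag RADIUS login authentication without RADIUS exec authorization."""
    lists = parse_method_lists(config)
    login = lists.get(("authentication", "login", "default"), [])
    exec_authz = lists.get(("authorization", "exec", "default"), [])
    if uses_radius(login) and not uses_radius(exec_authz):
        # Assumption: a line such as "aaa authorization exec default group radius local"
        # is the usual way to close this gap; verify against the switch's IOS version.
        return ["login uses RADIUS but exec authorization does not: "
                "shell:priv-lvl in the Access-Accept is ignored"]
    return []

if __name__ == "__main__":
    for gap in find_gaps(SWITCH_CONFIG):
        print("GAP:", gap)
```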