DEFAULT Huntgroup-Name == Cisco_Huntgroup, Auth-Type:=ntlm_auth, Ldap-Group == "HelpDesk"
        Service-Type:=NAS-Prompt-User,
        cisco-avpair:="shell:priv-lvl=1",
        Reply-Message := "Authorized Users Only"


is what I'm using. Change priv-lvl to 15 for enable

Rick

At 07:03 PM 12/2/2009, Johnston, Ian wrote:

Hi,

Thanks for FreeRADIUS; I'm confident it will be just what we need.

I have set it up on a Dell DL360 G5 running CentOS 2.3 and created simple clients.conf, raddb.conf and users files. Radtest and logins from a couple of clients are working well. However, when I try to move up from the absolute basics, e.g. to give my user who telnets to a Cisco switch an enabled privilege level, it just doesn't work: the user logs on OK but is still at the plain command prompt. I'm sure it's something simple I've missed and I'd be grateful if you could give me any pointers.

I've looked through the mailing-list archive, and although one question is exactly the same, "Freeradius and Cisco (cisco-avpair = "shell:priv-lvl=15" doesn't work)", I seem to have everything they have suggested in the answers?

Thanks in advance for your help.



Regards,

Ian



Here are some cuts from various files:

Switch Config

aaa authentication login nocusers group radius
aaa authorization exec nocusers group radius
aaa session-id common
radius-server host 10.210.27.4 auth-port 1645 acct-port 1646
radius-server source-ports 1645-1646
line vty 0 4
   exec-timeout 60 0
   login authentication nocusers

users

dan     Cleartext-Password := "password"
        Reply-Message = "Hello, %{User-Name}",
        Service-Type = Administrative-user,
        cisco-avpair = "shell:priv-lvl=15"

ipj     Cleartext-Password := "password"
        Reply-Message = "Hello, %{User-Name}",
        Service-Type = NAS-Prompt-User,
        cisco-avpair = "shell:priv-lvl=15"


I also tried:

dan Cleartext-Password := "password", Service-Type = Administrative-user, cisco-avpair = "shell:priv-lvl=15"
        Reply-Message = "Hello, %{User-Name}",
        Service-Type = Administrative-user,

and

dan     Cleartext-Password := "password"
        Reply-Message = "Hello, %{User-Name}",
        Service-Type = “Administrative-user”, # and Shell-user, and login and a few other things !-(
        cisco-avpair = "shell:priv-lvl=15"

The login failed with the first alternate and logged on as a plain user on the second.

Snips from radiusd -X output

Sending Access-Accept of id 42 to 10.210.27.2 port 1645
        Reply-Message = "Hello, ipj"
        Service-Type = NAS-Prompt-User
        Cisco-AVPair = "shell:priv-lvl=15"

Sending Access-Accept of id 43 to 10.210.27.2 port 1645
        Reply-Message = "Hello, dan"
        Service-Type = Administrative-User
        Cisco-AVPair = "shell:priv-lvl=15"

Output from radtest

[r...@radius1 raddb]# radtest dan password radius1:1645 0 testing123
Sending Access-Request of id 33 to 10.210.27.4 port 1645
        User-Name = "dan"
        User-Password = "password"
        NAS-IP-Address = 10.210.27.4
        NAS-Port = 0
rad_recv: Access-Request packet from host 10.210.27.4 port 32770, id=33, length=55
        User-Name = "dan"
        User-Password = "password"
        NAS-IP-Address = 10.210.27.4
        NAS-Port = 0
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "dan", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
++[unix] returns notfound
[files] users: Matched entry dan at line 11
[files]         expand: Hello, %{User-Name} -> Hello, dan
++[files] returns ok
++[expiration] returns noop
++[logintime] returns noop
++[pap] returns updated
Found Auth-Type = PAP
+- entering group PAP {...}
[pap] login attempt with password "password"
[pap] Using clear text password "password"
[pap] User authenticated successfully
++[pap] returns ok
Login OK: [dan] (from client radius1 port 0)
+- entering group post-auth {...}
++[exec] returns noop
Sending Access-Accept of id 33 to 10.210.27.4 port 32770
        Service-Type = Administrative-User
        Cisco-AVPair = "shell:priv-lvl=15"
        Reply-Message = "Hello, dan"
Finished request 2.
Going to the next request
rad_recv: Access-Accept packet from host 10.210.27.4 port 1645, id=33, length=63
Waking up in 4.9 seconds.
        Service-Type = Administrative-User
        Cisco-AVPair = "shell:priv-lvl=15"
        Reply-Message = "Hello, dan"
[r...@radius1 raddb]# Cleaning up request 2 ID 33 with timestamp +62
Ready to process requests.
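As an added check (not from either post in this thread): a small Python audit over the switch config and the radiusd -X Access-Accept quoted in Ian's mail. IOS requests exec authorization on a vty line only when the named `aaa authorization exec` list is applied there with `authorization exec <list>` (only the `default` list applies implicitly), so the script flags a vty block that lacks it even though the RADIUS reply already grants priv-lvl=15. The sample inputs are copied from the snippets above; the function names are my own.

```python
import re
# Constructed sample inputs, copied from the switch config and radiusd -X output in the thread.
SWITCH_CONFIG = """\
aaa authentication login nocusers group radius
aaa authorization exec nocusers group radius
line vty 0 4
   exec-timeout 60 0
   login authentication nocusers
"""
ACCESS_ACCEPT = """\
Sending Access-Accept of id 43 to 10.210.27.2 port 1645
        Service-Type = Administrative-User
        Cisco-AVPair = "shell:priv-lvl=15"
"""

def parse_ios(config):
    """Named 'aaa authorization exec' lists, and the sub-commands under each 'line vty' block."""
    exec_lists, vty, current = set(), {}, None
    for line in filter(str.strip, config.splitlines()):
        if line[0] != " ":                       # top-level command ends any line block
            current = None
            if m := re.match(r"aaa authorization exec (\S+)", line):
                exec_lists.add(m.group(1))
            elif line.startswith("line vty"):
                current = line.strip()
                vty[current] = set()
        elif current:                            # indented sub-command of the vty block
            vty[current].add(line.strip())
    return exec_lists, vty

def priv_lvl_from_accept(debug):
    """Privilege level granted in the Access-Accept, or None if no priv-lvl was sent."""
    m = re.search(r'Cisco-AVPair = "shell:priv-lvl=(\d+)"', debug)
    return int(m.group(1)) if m else None

def audit(config, debug):
    """Explain why a granted priv-lvl would not take effect on the switch."""
    exec_lists, vty = parse_ios(config)
    lvl = priv_lvl_from_accept(debug)
    if lvl is None:
        return ["Access-Accept carries no shell:priv-lvl attribute"]
    if not exec_lists:
        return ["no 'aaa authorization exec' list: the switch never requests exec authorization"]
    findings = []
    for name in sorted(exec_lists - {"default"}):  # the default list applies to lines implicitly
        for block, cmds in vty.items():
            if f"authorization exec {name}" not in cmds:
                findings.append(f"{block}: priv-lvl={lvl} granted but line lacks 'authorization exec {name}'")
    return findings
```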




-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
