DEFAULT Huntgroup-Name == Cisco_Huntgroup, Auth-Type := ntlm_auth, Ldap-Group == "HelpDesk"
        Service-Type := NAS-Prompt-User,
        cisco-avpair := "shell:priv-lvl=1",
        Reply-Message := "Authorized Users Only"
is what I'm using. Change priv-lvl to 15 for enable
Rick
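As an added check (example code, not from Rick's or Ian's messages): a small Python parser that reads a radiusd -X transcript like the one Ian quotes below, pulls the reply attributes out of each Access-Accept, and reports whether the reply carries the Service-Type and shell:priv-lvl pair Rick's entry sends. The sample log is constructed from the attribute lines in the thread; the function names are my own.

```python
import re

# Constructed sample, shaped like the radiusd -X lines quoted in the thread.
SAMPLE_LOG = """\
Sending Access-Accept of id 42 to 10.210.27.2 port 1645
        Reply-Message = "Hello, ipj"
        Service-Type = NAS-Prompt-User
        Cisco-AVPair = "shell:priv-lvl=15"
Sending Access-Accept of id 43 to 10.210.27.2 port 1645
        Reply-Message = "Hello, dan"
        Service-Type = Administrative-User
        Cisco-AVPair = "shell:priv-lvl=15"
Finished request 2.
"""

ACCEPT_RE = re.compile(r"^Sending Access-Accept of id (\d+) to (\S+) port (\d+)")
ATTR_RE = re.compile(r'^\s+([\w-]+)\s*=\s*"?([^"]*)"?\s*$')
PRIV_RE = re.compile(r"shell:priv-lvl=(\d+)")

def parse_access_accepts(log_text):
    """Map packet id -> {"nas": ip, "attrs": {name: value}} for each
    Access-Accept; the indented lines after it are the reply attributes."""
    accepts, current = {}, None
    for line in log_text.splitlines():
        m = ACCEPT_RE.match(line)
        if m:
            current = {"nas": m.group(2), "attrs": {}}
            accepts[int(m.group(1))] = current
            continue
        m = ATTR_RE.match(line)
        if m and current is not None:
            current["attrs"][m.group(1)] = m.group(2)
        elif line and not line[0].isspace():
            current = None  # any unindented line closes the attribute block
    return accepts

def exec_priv_level(attrs):
    """Privilege level carried in Cisco-AVPair, or None if there is none."""
    m = PRIV_RE.search(attrs.get("Cisco-AVPair", ""))
    return int(m.group(1)) if m else None

def check_reply(attrs):
    """Compare a reply with the pair Rick's entry sends (NAS-Prompt-User plus
    shell:priv-lvl); returns (level, list of differences)."""
    level, problems = exec_priv_level(attrs), []
    if level is None:
        problems.append("no shell:priv-lvl in Cisco-AVPair")
    if attrs.get("Service-Type") != "NAS-Prompt-User":
        problems.append("Service-Type is %r, not NAS-Prompt-User" % attrs.get("Service-Type"))
    return level, problems
```

Run over Ian's transcript, both Access-Accepts already carry priv-lvl=15, which confirms the server side is sending what the users file configures.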
At 07:03 PM 12/2/2009, Johnston, Ian wrote:
Hi,

Thanks for FreeRADIUS; I'm confident it will be just what we need. I have set it up on a Dell DL360 G5 running CentOS 2.3 and created simple clients.conf, raddb.conf and users files. Radtest and logins from a couple of clients are working well.

However, when I try to move up from the absolute basics, e.g. to give my user who telnets to a Cisco switch an enabled privilege level, it just doesn't work: the user logs on OK but is still at the plain command prompt. I'm sure it's something simple I've missed and I'd be grateful if you could give me any pointers.

I've looked through the mailing-list archive, and although one question is exactly the same ("Freeradius and Cisco (cisco-avpair = "shell:priv-lvl=15" doesn't work)"), I seem to have everything they have suggested in the answers?

Thanks in advance for your help.

Regards,
Ian
Here are some cuts from various files:

Switch config:

aaa authentication login nocusers group radius
aaa authorization exec nocusers group radius
aaa session-id common
radius-server host 10.210.27.4 auth-port 1645 acct-port 1646
radius-server source-ports 1645-1646
line vty 0 4
 exec-timeout 60 0
 login authentication nocusers
users file:

dan     Cleartext-Password := "password"
        Reply-Message = "Hello, %{User-Name}",
        Service-Type = Administrative-user,
        cisco-avpair = "shell:priv-lvl=15"

ipj     Cleartext-Password := "password"
        Reply-Message = "Hello, %{User-Name}",
        Service-Type = NAS-Prompt-User,
        cisco-avpair = "shell:priv-lvl=15"
I also tried:

dan     Cleartext-Password := "password", Service-Type = Administrative-user, cisco-avpair = "shell:priv-lvl=15"
        Reply-Message = "Hello, %{User-Name}",
        Service-Type = Administrative-user,

and

dan     Cleartext-Password := "password"
        Reply-Message = "Hello, %{User-Name}",
        Service-Type = Administrative-user,   # and Shell-user, and login, and a few other things !-(
        cisco-avpair = "shell:priv-lvl=15"

The login failed with the first alternate and logged on as a plain user with the second.
Snips from radiusd -X output:

Sending Access-Accept of id 42 to 10.210.27.2 port 1645
        Reply-Message = "Hello, ipj"
        Service-Type = NAS-Prompt-User
        Cisco-AVPair = "shell:priv-lvl=15"
Sending Access-Accept of id 43 to 10.210.27.2 port 1645
        Reply-Message = "Hello, dan"
        Service-Type = Administrative-User
        Cisco-AVPair = "shell:priv-lvl=15"
Output from radtest:

[r...@radius1 raddb]# radtest dan password radius1:1645 0 testing123
Sending Access-Request of id 33 to 10.210.27.4 port 1645
        User-Name = "dan"
        User-Password = "password"
        NAS-IP-Address = 10.210.27.4
        NAS-Port = 0
rad_recv: Access-Request packet from host 10.210.27.4 port 32770, id=33, length=55
        User-Name = "dan"
        User-Password = "password"
        NAS-IP-Address = 10.210.27.4
        NAS-Port = 0
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "dan", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
++[unix] returns notfound
[files] users: Matched entry dan at line 11
[files] expand: Hello, %{User-Name} -> Hello, dan
++[files] returns ok
++[expiration] returns noop
++[logintime] returns noop
++[pap] returns updated
Found Auth-Type = PAP
+- entering group PAP {...}
[pap] login attempt with password "password"
[pap] Using clear text password "password"
[pap] User authenticated successfully
++[pap] returns ok
Login OK: [dan] (from client radius1 port 0)
+- entering group post-auth {...}
++[exec] returns noop
Sending Access-Accept of id 33 to 10.210.27.4 port 32770
        Service-Type = Administrative-User
        Cisco-AVPair = "shell:priv-lvl=15"
        Reply-Message = "Hello, dan"
Finished request 2.
Going to the next request
rad_recv: Access-Accept packet from host 10.210.27.4 port 1645, id=33, length=63
Waking up in 4.9 seconds.
        Service-Type = Administrative-User
        Cisco-AVPair = "shell:priv-lvl=15"
        Reply-Message = "Hello, dan"
[r...@radius1 raddb]# Cleaning up request 2 ID 33 with timestamp +62
Ready to process requests.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html