jan.gnep...@t-systems.com wrote:
> test Auth-Type := Pap, Huntgroup-Name == "nexus", MD5-Password :=
> "098f6bcd4621d373cade4e832627b4f6"
> Login-Service = Telnet,
> Vendor-Specific = Cisco,

What the HECK is that last line? Why is it there? What do you think it's doing?

*Nothing* in any of the documentation leads you to believe that line is necessary. Delete it.

> Cisco-AVPair = "shell:roles*\"network-admin\" \"vdc-admin\""
> ==========================
> dump_notok_2.cap
>
> test Auth-Type := Pap, Huntgroup-Name == "nexus", MD5-Password :=
> "098f6bcd4621d373cade4e832627b4f6"
> Login-Service = Telnet,
> Vendor-Specific = 9,

Delete that line, too.

> Cisco-AVPair = "shell:roles*\"network-admin\" \"vdc-admin\""
> ==========================
>
> On Cisco Nexus older NXOS Version 4.2 login is possible with the last config
> (dump_notok_2.cap),
> But roles within the av-pairs are ignored. Newer devices (NXOS 4.2 and up)
> will ignore the "AVP too short"
> And take over the roles from the radius packet. Seems that there was an update
> in the radius implementation
> to make it more robust.
>
> And as you can see in the dump_ok.cap, "Vendor-Specific=9" was sent, even if
> it was not in the config.
> But there is another cisco av-pair in the config, is this the reason why the
> vendor-id was added to the reply?

Don't add "Vendor-Specific" to the reply. It's not needed.

Alan DeKok.
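Under RFC 2865 a Cisco-AVPair travels as a sub-attribute (vendor type 1) inside a Vendor-Specific attribute (type 26) with vendor id 9, so the wrapper is already part of the encoded AVPair. The Python below is an added example, not code from this thread or from FreeRADIUS: it encodes that wrapper and audits a reply's attribute list for a Vendor-Specific attribute that is too short. The byte strings are constructed; `BARE_VSA` is an assumption about what a Vendor-Specific attribute holding only a vendor id looks like, not the bytes in the poster's captures.

```python
import struct

VENDOR_SPECIFIC = 26  # RFC 2865 attribute type for Vendor-Specific
LOGIN_SERVICE = 15    # RFC 2865 Login-Service; value 0 is Telnet
CISCO = 9             # Cisco's vendor id, the "9" seen in the reply
CISCO_AVPAIR = 1      # Cisco vendor type 1 is Cisco-AVPair

def encode_vsa(vendor_id, vendor_type, value):
    """Wrap one vendor sub-attribute in a Vendor-Specific attribute."""
    body = struct.pack("!IBB", vendor_id, vendor_type, len(value) + 2) + value
    return struct.pack("!BB", VENDOR_SPECIFIC, len(body) + 2) + body

def split_tlvs(data, what):
    """Split type/length/value triples; length counts the 2-byte header."""
    out, pos = [], 0
    while pos < len(data):
        if len(data) - pos < 2:
            raise ValueError(f"{what}: truncated header")
        kind, length = data[pos], data[pos + 1]
        if length < 2 or pos + length > len(data):
            raise ValueError(f"{what} {kind}: bad length {length}")
        out.append((kind, data[pos + 2:pos + length]))
        pos += length
    return out

def check_vsa(value):
    """Return (vendor_id, sub-attributes) or raise if the VSA is too short."""
    if len(value) < 6:  # 4-byte vendor id + 2-byte sub-attribute header
        raise ValueError("VSA too short: no vendor sub-attribute")
    (vendor_id,) = struct.unpack("!I", value[:4])
    return vendor_id, split_tlvs(value[4:], "sub-attribute")

def audit_reply(attrs):
    """Report each Vendor-Specific attribute as ok or malformed."""
    report = []
    for kind, value in split_tlvs(attrs, "attribute"):
        if kind == VENDOR_SPECIFIC:
            try:
                report.append(("ok", check_vsa(value)))
            except ValueError as exc:
                report.append(("malformed", str(exc)))
    return report

# Constructed sample data (not taken from the captures in the thread).
ROLES = b'shell:roles*"network-admin" "vdc-admin"'
TELNET = struct.pack("!BBI", LOGIN_SERVICE, 6, 0)
AVPAIR = encode_vsa(CISCO, CISCO_AVPAIR, ROLES)
BARE_VSA = struct.pack("!BBI", VENDOR_SPECIFIC, 6, CISCO)  # vendor id only
GOOD_REPLY = TELNET + AVPAIR
BAD_REPLY = TELNET + BARE_VSA + AVPAIR
```

`audit_reply(GOOD_REPLY)` reports one well-formed Cisco VSA carrying the roles string, while `audit_reply(BAD_REPLY)` flags the bare attribute as malformed ahead of the valid one.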