>> test Auth-Type := Pap, Huntgroup-Name == "nexus", MD5-Password :=
>> "098f6bcd4621d373cade4e832627b4f6"
>>         Login-Service = Telnet,
>>         Vendor-Specific = Cisco,
>
> What the HECK is that last line? Why is it there? What do you think
> it's doing?
>
> *Nothing* in any of the documentation leads you to believe that line
> is necessary.
>
> Delete it.
>
>>         Cisco-AVPair = "shell:roles*\"network-admin\" \"vdc-admin\""
>> ==========================
>> dump_notok_2.cap
>>
>> test Auth-Type := Pap, Huntgroup-Name == "nexus", MD5-Password :=
>> "098f6bcd4621d373cade4e832627b4f6"
>>         Login-Service = Telnet,
>>         Vendor-Specific = 9,
>
> Delete that line, too.
>
>>         Cisco-AVPair = "shell:roles*\"network-admin\" \"vdc-admin\""
>> ==========================
>>
>> On Cisco Nexus older NXOS Version 4.2 login is possible with the last config
>> ("dump_notok_2.cap"),
>> but roles within the av-pairs are ignored. Newer devices (NXOS 4.2 and up)
>> will ignore the "AVP too short"
>> and take over the roles from the radius packet. Seems that there was an update
>> in the radius implementation
>> to make it more robust.
>>
>> And as you can see in the dump_ok.cap, "Vendor-Specific=9" was sent, even if
>> it was not in the config.
>> But there is another cisco av-pair in the config, is this the reason why
>> the vendor-id was added to the reply?
>
> Don't add "Vendor-Specific" to the reply. It's not needed.
>
> Alan DeKok.

Thanks for your answer. That is exactly what I meant with "was added automatically".

I found this line in the existing radius configuration of the system I took over. But I found nowhere in any documentation if this line was really needed or not. Googling shows examples with and without this line. :-(

From my side this thread is completed now.

Would you please be so kind to answer my other question? "Devices in more than one huntgroup"

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
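
An added example, not part of the original messages and not FreeRADIUS code: under RFC 2865 a Cisco-AVPair travels inside a Vendor-Specific attribute (type 26) that already carries Vendor-Id 9, which is why no separate "Vendor-Specific" line is needed in the reply. The checker below walks an attribute list and flags a Vendor-Specific attribute with no vendor sub-attribute; the `BARE` bytes are constructed for illustration and are an assumed layout, not taken from the captures named in the thread.

```python
import struct

VENDOR_SPECIFIC = 26   # RFC 2865 attribute type
CISCO_VENDOR_ID = 9    # Cisco's enterprise number
CISCO_AVPAIR = 1       # vendor type of Cisco-AVPair

def encode_cisco_avpair(value: str) -> bytes:
    """Encode one Cisco-AVPair as an RFC 2865 Vendor-Specific attribute."""
    data = value.encode("ascii")
    sub = struct.pack("!BB", CISCO_AVPAIR, 2 + len(data)) + data
    body = struct.pack("!I", CISCO_VENDOR_ID) + sub
    return struct.pack("!BB", VENDOR_SPECIFIC, 2 + len(body)) + body

def check_vsas(attrs: bytes) -> list:
    """Return (vendor_id, vendor_type, text_or_error) for each VSA found."""
    out, i = [], 0
    while i < len(attrs):
        if len(attrs) - i < 2:
            raise ValueError("truncated attribute header")
        atype, alen = attrs[i], attrs[i + 1]
        if alen < 2 or i + alen > len(attrs):
            raise ValueError("bad attribute length")
        body = attrs[i + 2:i + alen]
        i += alen
        if atype != VENDOR_SPECIFIC:
            continue
        if len(body) < 4:
            out.append((None, None, "too short: no Vendor-Id"))
            continue
        vendor = struct.unpack("!I", body[:4])[0]
        sub = body[4:]
        if len(sub) < 2:
            out.append((vendor, None, "too short: no vendor sub-attribute"))
            continue
        # Sub-attributes use the vendor-type / vendor-length layout of RFC 2865.
        while sub:
            if len(sub) < 2 or sub[1] < 2 or sub[1] > len(sub):
                out.append((vendor, None, "bad sub-attribute length"))
                break
            out.append((vendor, sub[0], sub[2:sub[1]].decode("ascii", "replace")))
            sub = sub[sub[1]:]
    return out

# The role string from the thread, with the users-file escaping removed.
ROLES = 'shell:roles*"network-admin" "vdc-admin"'
GOOD = encode_cisco_avpair(ROLES)
# Constructed: a Vendor-Specific attribute holding only the Vendor-Id 9.
BARE = struct.pack("!BBI", VENDOR_SPECIFIC, 6, CISCO_VENDOR_ID)
```
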