Re: Telnet auth against Cisco Router
Looks like you're trying to bring over a users file from a different radius server. Here's what a working entry looks like:

"someuser"  Auth-Type := Local, Password == "userpassword", NAS-IP-Address==127.0.0.3
            Reply-Message = "[myserver] Howdy!",
            cisco-avpair = "shell:priv-lvl=1"

Obviously, that example also is good for ONLY nas 127.0.0.3, but it should give you a running start. (You should leave that cisco-avpair in there; if you don't have it, you can crash Catalyst 5000 series switches running radius on login.)

Vincent Giovannone
Network Infrastructure Group
Information Services Division
Rush - Presbyterian St. Luke's Medical Center

"So for the IT Manager Role, you want someone who's absolute crap, looks reasonable on paper, and won't cause too much trouble. ... Well I don't have any MCSEs on my books at the moment, but I could call around." -- Simon Travaglia

Thomas Linden <[EMAIL PROTECTED]>
Sent by: [EMAIL PROTECTED]
11/15/2002 05:47 AM
Please respond to freeradius-users

To: [EMAIL PROTECTED]
cc:
Subject: Telnet auth against Cisco Router

Hello folks,

I successfully installed the freeradius server (version 0.7.1).

I configured a cisco router for authenticating telnet access against the radius server. So far, I've got them talking together, but the radius rejects my auth request.

here is the entry of my users file:

DEFAULT Auth-Type := Local
        Fall-Through = 1

scip
        Auth-Type = Local,
        User-Password = "sack",
        Service-Type = Login-User,
        Login-Service = Telnet

(that means, I don't want to use /etc/passwd or the like, the password has to be in the users file).

Now if I telnet to the cisco, the radius server (started with -X) states:

rad_recv: Access-Request packet from host 192.168.yyy.yyy:1645, id=39, length=106
        User-Name = "scip"
        User-Password = "\313\336\337\231:\335$2\241_\242\252\326\333W"
        NAS-Port = 3
        Cisco-AVPair = "interface=tty3"
        NAS-Port-Type = Virtual
        Calling-Station-Id = "192.168.***.***"
        Service-Type = Login-User
        NAS-IP-Address = 192.168.yyy.yyy
modcall: entering group authorize
modcall[authorize]: module "preprocess" returns ok
rlm_chap: Could not find proper Chap-Password attribute in request
modcall[authorize]: module "chap" returns noop
rlm_realm: Looking up realm NULL for User-Name = "scip"
rlm_realm: No such realm NULL
modcall[authorize]: module "suffix" returns noop
users: Matched DEFAULT at 215
users: Matched scip at 218
modcall[authorize]: module "files" returns ok
modcall: group authorize returns ok
rad_check_password: Found Auth-Type Local
auth: type Local
auth: No password configured for the user
Login incorrect (No password configured for the user): [scip/sack] (from client routers port 3 cli 192.168.***.***)
auth: Failed to validate the user.
Login incorrect: [scip/sack] (from client routers port 3 cli 192.168.***.***)

Here is, what I see on the cisco side:

20:54:06: RADIUS/ENCODE(0024): ask "Username: "
20:54:06: RADIUS/ENCODE(0024): send packet; GET_USER
bb03#
20:54:08: RADIUS/ENCODE(0024): ask "Password: "
20:54:08: RADIUS/ENCODE(0024): send packet; GET_PASSWORD
20:54:09: RADIUS/ENCODE(0024): acct_session_id: 36
20:54:09: RADIUS(0024): sending
20:54:09: RADIUS: Send to unknown id 40 192.168.xxx.xxx:1812, Access-Request, len 106
20:54:09: RADIUS: authenticator 68 7C D8 7B 7C AF 3B 96 - 39 73 88 10 E1 3A 5E 8D
20:54:09: RADIUS: User-Name [1] 6 "scip"
20:54:09: RADIUS: User-Password [2] 18 *
20:54:09: RADIUS: NAS-Port[5] 6 3
20:54:09: RADIUS: Vendor, Cisco [26] 22
20:54:09: RADIUS: Cisco AVpair [1] 16 "interface=tty3"
20:54:09: RADIUS: NAS-Port-Type [61] 6 Virtual [5]
bb03#
20:54:09: RADIUS: Calling-Station-Id [31] 16 "192.168.***.***"
20:54:09: RADIUS: Service-Type[6] 6 Login [1]
20:54:09: RADIUS: NAS-IP-Address [4] 6 192.168.yyy.yyy
bb03#
20:54:11: RADIUS: Received from id 40 192.168.xxx.xxx:1812, Access-Reject, len 20
20:54:11: RADIUS: authenticator 8B CF FB C9 C3 5D 00 B0 - DF BD 52 66 0A 08 C7 02
20:54:11: RADIUS: Received from id 24
20:54:11: RADIUS/DECODE: parse response short packet; IGNORE

my question: how can I get freeradius to let me telnet into the cisco router? why does it claim that there is no password set, although it's defined in the users file?

thanks in advance,

Tom

--
Thomas Linden <[EMAIL PROTECTED]>, I Z B Informatik-Zentrum Muenchen-Frankfurt a.M. GmbH & Co.KG, Internet Service Providing OE532
Tel:089/2171-27998, Fax:089/2171-27995, http://www.izb.de

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Telnet auth against Cisco Router
--- Thomas Linden <[EMAIL PROTECTED]> wrote:
> Hello folks,
>
> I successfully installed the freeradius server (version 0.7.1).
>
> I configured a cisco router for authenticating telnet access against
> the radius server. So far, I've got them talking together, but
> the radius rejects my auth request.
>
> here is the entry of my users file:
>
> DEFAULT Auth-Type := Local
>         Fall-Through = 1
>
> scip
>         Auth-Type = Local,
>         User-Password = "sack",
>         Service-Type = Login-User,
>         Login-Service = Telnet
>
> (that means, I don't want to use /etc/passwd or the like,
> the password has to be in the users file).
>
> Now if I telnet to the cisco, the radius server (started
> with -X) states:
>
> rad_recv: Access-Request packet from host 192.168.yyy.yyy:1645, id=39, length=106
>         User-Name = "scip"
>         User-Password = "\313\336\337\231:\335$2\241_\242\252\326\333W"
>         NAS-Port = 3
>         Cisco-AVPair = "interface=tty3"
>         NAS-Port-Type = Virtual
>         Calling-Station-Id = "192.168.***.***"
>         Service-Type = Login-User
>         NAS-IP-Address = 192.168.yyy.yyy
> modcall: entering group authorize
> modcall[authorize]: module "preprocess" returns ok
> rlm_chap: Could not find proper Chap-Password attribute in request
> modcall[authorize]: module "chap" returns noop
> rlm_realm: Looking up realm NULL for User-Name = "scip"
> rlm_realm: No such realm NULL
> modcall[authorize]: module "suffix" returns noop
> users: Matched DEFAULT at 215
> users: Matched scip at 218
> modcall[authorize]: module "files" returns ok
> modcall: group authorize returns ok
> rad_check_password: Found Auth-Type Local
> auth: type Local
> auth: No password configured for the user
> Login incorrect (No password configured for the user): [scip/sack] (from client routers port 3 cli 192.168.***.***)

Of course you do not have a password configured for the user. "User-Password" is a radcheck item and should go on the same line as the username.

> auth: Failed to validate the user.
> Login incorrect: [scip/sack] (from client routers port 3 cli 192.168.***.***)
>
> Here is, what I see on the cisco side:
>
> 20:54:06: RADIUS/ENCODE(0024): ask "Username: "
> 20:54:06: RADIUS/ENCODE(0024): send packet; GET_USER
> bb03#
> 20:54:08: RADIUS/ENCODE(0024): ask "Password: "
> 20:54:08: RADIUS/ENCODE(0024): send packet; GET_PASSWORD
> 20:54:09: RADIUS/ENCODE(0024): acct_session_id: 36
> 20:54:09: RADIUS(0024): sending
> 20:54:09: RADIUS: Send to unknown id 40 192.168.xxx.xxx:1812, Access-Request, len 106
> 20:54:09: RADIUS: authenticator 68 7C D8 7B 7C AF 3B 96 - 39 73 88 10 E1 3A 5E 8D
> 20:54:09: RADIUS: User-Name [1] 6 "scip"
> 20:54:09: RADIUS: User-Password [2] 18 *
> 20:54:09: RADIUS: NAS-Port[5] 6 3
> 20:54:09: RADIUS: Vendor, Cisco [26] 22
> 20:54:09: RADIUS: Cisco AVpair [1] 16 "interface=tty3"
> 20:54:09: RADIUS: NAS-Port-Type [61] 6 Virtual [5]
> bb03#
> 20:54:09: RADIUS: Calling-Station-Id [31] 16 "192.168.***.***"
> 20:54:09: RADIUS: Service-Type[6] 6 Login [1]
> 20:54:09: RADIUS: NAS-IP-Address [4] 6 192.168.yyy.yyy
> bb03#
> 20:54:11: RADIUS: Received from id 40 192.168.xxx.xxx:1812, Access-Reject, len 20
> 20:54:11: RADIUS: authenticator 8B CF FB C9 C3 5D 00 B0 - DF BD 52 66 0A 08 C7 02
> 20:54:11: RADIUS: Received from id 24
> 20:54:11: RADIUS/DECODE: parse response short packet; IGNORE
>
> my question: how can I get freeradius to let me telnet into the
> cisco router? why does it claim that there is no password set,
> although it's defined in the users file?
>
> thanks in advance,
>
> Tom
>
> --
> Thomas Linden <[EMAIL PROTECTED]>, I Z B Informatik-Zentrum
> Muenchen-Frankfurt a.M. GmbH & Co.KG, Internet Service Providing
> OE532 Tel:089/2171-27998, Fax:089/2171-27995, http://www.izb.de
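
The point made in the reply above (check items go on the username line, reply items on the indented lines after it) can be checked mechanically. The following Python sketch is an added example, not code from the thread or from FreeRADIUS; the CHECK_ONLY set, the function names and the corrected entry are assumptions made for the illustration.

```python
import re

# Attributes that only take effect as check items, i.e. on the first line
# of a users-file entry next to the username (assumed set for this example).
CHECK_ONLY = {"auth-type", "user-password", "password"}
HEAD = re.compile(r'("[^"]*"|\S+)\s*(.*)')
ITEM = re.compile(r'([A-Za-z0-9-]+)\s*(:=|==|\+=|=)\s*("[^"]*"|[^,\s]+)')

def parse_users(text):
    """Split users-file text into entries with check and reply item lists."""
    entries = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue                      # blank line or comment
        if not raw[0].isspace():          # unindented: username + check items
            name, rest = HEAD.match(raw).groups()
            entries.append({"name": name.strip('"'),
                            "check": ITEM.findall(rest), "reply": []})
        elif entries:                     # indented: reply items
            entries[-1]["reply"] += ITEM.findall(raw)
    return entries

def misplaced_check_items(text):
    """Return (user, attribute) pairs for check-only attributes on reply lines."""
    return [(e["name"], attr)
            for e in parse_users(text)
            for attr, _op, _val in e["reply"]
            if attr.lower() in CHECK_ONLY]

# The entry from the question, as posted.
BROKEN = '''DEFAULT Auth-Type := Local
        Fall-Through = 1

scip
        Auth-Type = Local,
        User-Password = "sack",
        Service-Type = Login-User,
        Login-Service = Telnet
'''

# Constructed correction: check items moved onto the username line.
FIXED = '''scip    Auth-Type := Local, User-Password == "sack"
        Service-Type = Login-User,
        Login-Service = Telnet
'''

if __name__ == "__main__":
    for label, text in (("broken", BROKEN), ("fixed", FIXED)):
        print(label, misplaced_check_items(text))
```

For the entry as posted, the check reports Auth-Type and User-Password under scip, which matches the "No password configured for the user" line in the debug output: the server never saw a password check item for that user.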
Telnet auth against Cisco Router
Hello folks,

I successfully installed the freeradius server (version 0.7.1).

I configured a cisco router for authenticating telnet access against the radius server. So far, I've got them talking together, but the radius rejects my auth request.

here is the entry of my users file:

DEFAULT Auth-Type := Local
        Fall-Through = 1

scip
        Auth-Type = Local,
        User-Password = "sack",
        Service-Type = Login-User,
        Login-Service = Telnet

(that means, I don't want to use /etc/passwd or the like, the password has to be in the users file).

Now if I telnet to the cisco, the radius server (started with -X) states:

rad_recv: Access-Request packet from host 192.168.yyy.yyy:1645, id=39, length=106
        User-Name = "scip"
        User-Password = "\313\336\337\231:\335$2\241_\242\252\326\333W"
        NAS-Port = 3
        Cisco-AVPair = "interface=tty3"
        NAS-Port-Type = Virtual
        Calling-Station-Id = "192.168.***.***"
        Service-Type = Login-User
        NAS-IP-Address = 192.168.yyy.yyy
modcall: entering group authorize
modcall[authorize]: module "preprocess" returns ok
rlm_chap: Could not find proper Chap-Password attribute in request
modcall[authorize]: module "chap" returns noop
rlm_realm: Looking up realm NULL for User-Name = "scip"
rlm_realm: No such realm NULL
modcall[authorize]: module "suffix" returns noop
users: Matched DEFAULT at 215
users: Matched scip at 218
modcall[authorize]: module "files" returns ok
modcall: group authorize returns ok
rad_check_password: Found Auth-Type Local
auth: type Local
auth: No password configured for the user
Login incorrect (No password configured for the user): [scip/sack] (from client routers port 3 cli 192.168.***.***)
auth: Failed to validate the user.
Login incorrect: [scip/sack] (from client routers port 3 cli 192.168.***.***)

Here is, what I see on the cisco side:

20:54:06: RADIUS/ENCODE(0024): ask "Username: "
20:54:06: RADIUS/ENCODE(0024): send packet; GET_USER
bb03#
20:54:08: RADIUS/ENCODE(0024): ask "Password: "
20:54:08: RADIUS/ENCODE(0024): send packet; GET_PASSWORD
20:54:09: RADIUS/ENCODE(0024): acct_session_id: 36
20:54:09: RADIUS(0024): sending
20:54:09: RADIUS: Send to unknown id 40 192.168.xxx.xxx:1812, Access-Request, len 106
20:54:09: RADIUS: authenticator 68 7C D8 7B 7C AF 3B 96 - 39 73 88 10 E1 3A 5E 8D
20:54:09: RADIUS: User-Name [1] 6 "scip"
20:54:09: RADIUS: User-Password [2] 18 *
20:54:09: RADIUS: NAS-Port[5] 6 3
20:54:09: RADIUS: Vendor, Cisco [26] 22
20:54:09: RADIUS: Cisco AVpair [1] 16 "interface=tty3"
20:54:09: RADIUS: NAS-Port-Type [61] 6 Virtual [5]
bb03#
20:54:09: RADIUS: Calling-Station-Id [31] 16 "192.168.***.***"
20:54:09: RADIUS: Service-Type[6] 6 Login [1]
20:54:09: RADIUS: NAS-IP-Address [4] 6 192.168.yyy.yyy
bb03#
20:54:11: RADIUS: Received from id 40 192.168.xxx.xxx:1812, Access-Reject, len 20
20:54:11: RADIUS: authenticator 8B CF FB C9 C3 5D 00 B0 - DF BD 52 66 0A 08 C7 02
20:54:11: RADIUS: Received from id 24
20:54:11: RADIUS/DECODE: parse response short packet; IGNORE

my question: how can I get freeradius to let me telnet into the cisco router? why does it claim that there is no password set, although it's defined in the users file?

thanks in advance,

Tom

--
Thomas Linden <[EMAIL PROTECTED]>, I Z B Informatik-Zentrum Muenchen-Frankfurt a.M. GmbH & Co.KG, Internet Service Providing OE532
Tel:089/2171-27998, Fax:089/2171-27995, http://www.izb.de