Re: Telnet auth against Cisco Router

2002-11-15 Thread Vincent_Giovannone
Looks like you're trying to bring over a users file from a different 
radius server.  Here's what a working entry looks like:

"someuser" Auth-Type := Local, Password == "userpassword", NAS-IP-Address==127.0.0.3
   Reply-Message = "[myserver] Howdy!",
   cisco-avpair = "shell:priv-lvl=1"

Obviously, that example also is good for ONLY nas 127.0.0.3, but it should 
give you a running start.

(You should leave that cisco-avpair in there; if you don't have it, you 
can crash Catalyst 5000 series switches running radius on login.)

Vincent Giovannone
Network Infrastructure Group
Information Services Division
Rush - Presbyterian St. Luke's Medical Center

"So for the IT Manager Role, you want someone who's absolute crap, looks 
reasonable on paper, and won't cause too much trouble. ...  Well I don't 
have any MCSEs on my books at the moment, but I could call around."-- 
Simon Travaglia


Thomas Linden <[EMAIL PROTECTED]>
Sent by: [EMAIL PROTECTED]
11/15/2002 05:47 AM
Please respond to freeradius-users

To: [EMAIL PROTECTED]
cc:
Subject: Telnet auth against Cisco Router

Hello folks,

I successfully installed the freeradius server (version 0.7.1).

I configured a cisco router for authenticating telnet access against
the radius server. So far, I've got them talking together, but
the radius rejects my auth request.

here is the entry of my users file:

DEFAULT  Auth-Type := Local
 Fall-Through = 1

scip
 Auth-Type = Local,
 User-Password = "sack",
 Service-Type = Login-User,
 Login-Service = Telnet

(that means, I don't want to use /etc/passwd or the like,
 the password has to be in the users file).


Now if I telnet to the cisco, the radius server (started
with -X) states:

rad_recv: Access-Request packet from host 192.168.yyy.yyy:1645, id=39, length=106
User-Name = "scip"
User-Password = "\313\336\337\231:\335$2\241_\242\252\326\333W"
NAS-Port = 3
Cisco-AVPair = "interface=tty3"
NAS-Port-Type = Virtual
Calling-Station-Id = "192.168.***.***"
Service-Type = Login-User
NAS-IP-Address = 192.168.yyy.yyy
modcall: entering group authorize
  modcall[authorize]: module "preprocess" returns ok
rlm_chap: Could not find proper Chap-Password attribute in request
  modcall[authorize]: module "chap" returns noop
rlm_realm: Looking up realm NULL for User-Name = "scip"
rlm_realm: No such realm NULL
  modcall[authorize]: module "suffix" returns noop
users: Matched DEFAULT at 215
users: Matched scip at 218
  modcall[authorize]: module "files" returns ok
modcall: group authorize returns ok
  rad_check_password:  Found Auth-Type Local
auth: type Local
auth: No password configured for the user
Login incorrect (No password configured for the user): [scip/sack] (from client routers port 3 cli 192.168.***.***)
auth: Failed to validate the user.
Login incorrect: [scip/sack] (from client routers port 3 cli 192.168.***.***)


Here is what I see on the cisco side:

20:54:06: RADIUS/ENCODE(0024): ask "Username: "
20:54:06: RADIUS/ENCODE(0024): send packet; GET_USER
bb03#
20:54:08: RADIUS/ENCODE(0024): ask "Password: "
20:54:08: RADIUS/ENCODE(0024): send packet; GET_PASSWORD
20:54:09: RADIUS/ENCODE(0024): acct_session_id: 36
20:54:09: RADIUS(0024): sending
20:54:09: RADIUS: Send to unknown id 40 192.168.xxx.xxx:1812, Access-Request, len 106
20:54:09: RADIUS:  authenticator 68 7C D8 7B 7C AF 3B 96 - 39 73 88 10 E1 3A 5E 8D
20:54:09: RADIUS:  User-Name   [1]   6   "scip"
20:54:09: RADIUS:  User-Password   [2]   18  *
20:54:09: RADIUS:  NAS-Port[5]   6   3 
20:54:09: RADIUS:  Vendor, Cisco   [26]  22 
20:54:09: RADIUS:   Cisco AVpair   [1]   16  "interface=tty3"
20:54:09: RADIUS:  NAS-Port-Type   [61]  6   Virtual [5]
bb03#
20:54:09: RADIUS:  Calling-Station-Id  [31]  16  "192.168.***.***"
20:54:09: RADIUS:  Service-Type[6]   6   Login [1]
20:54:09: RADIUS:  NAS-IP-Address  [4]   6   192.168.yyy.yyy  
bb03#
20:54:11: RADIUS: Received from id 40 192.168.xxx.xxx:1812, Access-Reject, len 20
20:54:11: RADIUS:  authenticator 8B CF FB C9 C3 5D 00 B0 - DF BD 52 66 0A 08 C7 02
20:54:11: RADIUS: Received from id 24
20:54:11: RADIUS/DECODE: parse response short packet; IGNORE


 
my question: how can I get freeradius to let me telnet into the
cisco router? why does it claim that there is no password set,
although it's defined in the users file?


thanks in advance,

Tom

-- 
Thomas Linden <[EMAIL PROTECTED]>,  I Z B  Informatik-Zentrum
Muenchen-Frankfurt a.M. GmbH & Co.KG, Internet Service Providing
OE532 Tel:089/2171-27998, Fax:089/2171-27995,  http://www.izb.de

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html







Re: Telnet auth against Cisco Router

2002-11-15 Thread Gbenga
 --- Thomas Linden <[EMAIL PROTECTED]> wrote:
> Hello folks,
> 
> I successfully installed the freeradius server (version 0.7.1).
> 
> I configured a cisco router for authenticating telnet access against
> the radius server. So far, I've got them talking together, but
> the radius rejects my auth request.
> 
> here is the entry of my users file:
> 
> DEFAULT   Auth-Type := Local
>   Fall-Through = 1
> 
> scip
>   Auth-Type = Local,
>   User-Password = "sack",
>   Service-Type = Login-User,
>   Login-Service = Telnet
> 
> (that means, I don't want to use /etc/passwd or the like,
>  the password has to be in the users file).
> 
> 
> Now if I telnet to the cisco, the radius server (started
> with -X) states:
> 
> rad_recv: Access-Request packet from host 192.168.yyy.yyy:1645, id=39, length=106
> User-Name = "scip"
> User-Password = "\313\336\337\231:\335$2\241_\242\252\326\333W"
> NAS-Port = 3
> Cisco-AVPair = "interface=tty3"
> NAS-Port-Type = Virtual
> Calling-Station-Id = "192.168.***.***"
> Service-Type = Login-User
> NAS-IP-Address = 192.168.yyy.yyy
> modcall: entering group authorize
>   modcall[authorize]: module "preprocess" returns ok
> rlm_chap: Could not find proper Chap-Password attribute in request
>   modcall[authorize]: module "chap" returns noop
> rlm_realm: Looking up realm NULL for User-Name = "scip"
> rlm_realm: No such realm NULL
>   modcall[authorize]: module "suffix" returns noop
> users: Matched DEFAULT at 215
> users: Matched scip at 218
>   modcall[authorize]: module "files" returns ok
> modcall: group authorize returns ok
>   rad_check_password:  Found Auth-Type Local
> auth: type Local
> auth: No password configured for the user
> Login incorrect (No password configured for the
Of course you do not have a password configured for the
user. "User-Password" is a radcheck item and should go
on the same line as the username.

> user): [scip/sack] (from client routers port 3 cli 192.168.***.***)
> auth: Failed to validate the user.
> Login incorrect: [scip/sack] (from client routers port 3 cli 192.168.***.***)
> 
> 
> Here is what I see on the cisco side:
> 
> 20:54:06: RADIUS/ENCODE(0024): ask "Username: "
> 20:54:06: RADIUS/ENCODE(0024): send packet; GET_USER
> bb03#
> 20:54:08: RADIUS/ENCODE(0024): ask "Password: "
> 20:54:08: RADIUS/ENCODE(0024): send packet; GET_PASSWORD
> 20:54:09: RADIUS/ENCODE(0024): acct_session_id: 36
> 20:54:09: RADIUS(0024): sending
> 20:54:09: RADIUS: Send to unknown id 40 192.168.xxx.xxx:1812, Access-Request, len 106
> 20:54:09: RADIUS:  authenticator 68 7C D8 7B 7C AF 3B 96 - 39 73 88 10 E1 3A 5E 8D
> 20:54:09: RADIUS:  User-Name   [1]   6   "scip"
> 20:54:09: RADIUS:  User-Password   [2]   18  *
> 20:54:09: RADIUS:  NAS-Port[5]   6   3
> 20:54:09: RADIUS:  Vendor, Cisco   [26]  22
> 20:54:09: RADIUS:   Cisco AVpair   [1]   16  "interface=tty3"
> 20:54:09: RADIUS:  NAS-Port-Type   [61]  6   Virtual   [5]
> bb03#
> 20:54:09: RADIUS:  Calling-Station-Id  [31]  16  "192.168.***.***"
> 20:54:09: RADIUS:  Service-Type[6]   6   Login [1]
> 20:54:09: RADIUS:  NAS-IP-Address  [4]   6   192.168.yyy.yyy
> bb03#
> 20:54:11: RADIUS: Received from id 40 192.168.xxx.xxx:1812, Access-Reject, len 20
> 20:54:11: RADIUS:  authenticator 8B CF FB C9 C3 5D 00 B0 - DF BD 52 66 0A 08 C7 02
> 20:54:11: RADIUS: Received from id 24
> 20:54:11: RADIUS/DECODE: parse response short packet; IGNORE
> 
> 
> my question: how can I get freeradius to let me telnet into the
> cisco router? why does it claim that there is no password set,
> although it's defined in the users file?
> 
> 
> thanks in advance,
> 
> Tom
> 
> -- 
> Thomas Linden <[EMAIL PROTECTED]>,  I Z B  Informatik-Zentrum
> Muenchen-Frankfurt a.M. GmbH & Co.KG, Internet Service Providing
> OE532 Tel:089/2171-27998, Fax:089/2171-27995,  http://www.izb.de
> 
> - 
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


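The users-file rule both replies rely on (check items on the first line with the name, reply items on the indented lines that follow), shown as a small added simulation. This is my own illustration, not FreeRADIUS's rlm_files or rad_check_password code; the match semantics are simplified, and the two sample files and the request below are constructed to mirror the question's entry and Vincent's corrected shape.

```python
import re
# Added illustration (not FreeRADIUS's rlm_files code) of the users-file rule
# from the thread: line one of an entry = name + check items, indented lines =
# reply items. Matching is simplified: only ==, :=, = and Fall-Through count.
PAIR_RE = re.compile(r'([\w-]+)\s*(:=|==|=)\s*("[^"]*"|[^,\s]+)')
PASSWORD_ATTRS = ('User-Password', 'Password')   # names accepted as the check item

def parse_pairs(text):
    # 'Attr op value, Attr op value' -> [(attr, op, value)]
    return [(a, op, v.strip('"')) for a, op, v in PAIR_RE.findall(text)]

def parse_users(text):
    # Returns [(name, check_items, reply_items)] in file order.
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        if line[0] in ' \t':                        # indented: reply items
            entries[-1][2].extend(parse_pairs(line))
        else:                                       # first line: name + checks
            parts = re.split(r'\s+', line.strip(), maxsplit=1)
            checks = parse_pairs(parts[1]) if len(parts) > 1 else []
            entries.append((parts[0].strip('"'), checks, []))
    return entries

def authenticate(users_text, request, password):
    # Mimics rad_check_password for Auth-Type Local; returns (ok, reason).
    check = []
    for name, c, r in parse_users(users_text):
        if name not in ('DEFAULT', request['User-Name']):
            continue
        # every '==' check item other than the password must match the request
        if any(op == '==' and a not in PASSWORD_ATTRS and request.get(a) != v
               for a, op, v in c):
            continue
        check.extend(c)
        if not any(a == 'Fall-Through' and v == '1' for a, _, v in r):
            break
    configured = [v for a, _, v in check if a in PASSWORD_ATTRS]
    if not configured:
        return False, 'No password configured for the user'
    return (True, 'OK') if configured[0] == password else (False, 'Login incorrect')
# Constructed files: the question's entry (password on a continuation line) and the fix.
BROKEN = ('DEFAULT\tAuth-Type := Local\n\tFall-Through = 1\n\n'
          'scip\n\tAuth-Type = Local,\n\tUser-Password = "sack",\n'
          '\tService-Type = Login-User,\n\tLogin-Service = Telnet\n')
FIXED = ('DEFAULT\tAuth-Type := Local\n\tFall-Through = 1\n\n'
         'scip\tAuth-Type := Local, User-Password == "sack", NAS-IP-Address == 127.0.0.3\n'
         '\tService-Type = Login-User,\n\tLogin-Service = Telnet\n')
REQUEST = {'User-Name': 'scip', 'NAS-IP-Address': '127.0.0.3'}  # constructed request
```

Running `authenticate(BROKEN, REQUEST, 'sack')` reproduces the "No password configured for the user" rejection from the debug log, because the password landed in the reply items; the same call against `FIXED` succeeds.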



Telnet auth against Cisco Router

2002-11-15 Thread Thomas Linden
Hello folks,

I successfully installed the freeradius server (version 0.7.1).

I configured a cisco router for authenticating telnet access against
the radius server. So far, I've got them talking together, but
the radius rejects my auth request.

here is the entry of my users file:

DEFAULT	Auth-Type := Local
	Fall-Through = 1

scip
	Auth-Type = Local,
	User-Password = "sack",
	Service-Type = Login-User,
	Login-Service = Telnet

(that means, I don't want to use /etc/passwd or the like,
 the password has to be in the users file).


Now if I telnet to the cisco, the radius server (started
with -X) states:

rad_recv: Access-Request packet from host 192.168.yyy.yyy:1645, id=39, length=106
User-Name = "scip"
User-Password = "\313\336\337\231:\335$2\241_\242\252\326\333W"
NAS-Port = 3
Cisco-AVPair = "interface=tty3"
NAS-Port-Type = Virtual
Calling-Station-Id = "192.168.***.***"
Service-Type = Login-User
NAS-IP-Address = 192.168.yyy.yyy
modcall: entering group authorize
  modcall[authorize]: module "preprocess" returns ok
rlm_chap: Could not find proper Chap-Password attribute in request
  modcall[authorize]: module "chap" returns noop
rlm_realm: Looking up realm NULL for User-Name = "scip"
rlm_realm: No such realm NULL
  modcall[authorize]: module "suffix" returns noop
users: Matched DEFAULT at 215
users: Matched scip at 218
  modcall[authorize]: module "files" returns ok
modcall: group authorize returns ok
  rad_check_password:  Found Auth-Type Local
auth: type Local
auth: No password configured for the user
Login incorrect (No password configured for the user): [scip/sack] (from client routers port 3 cli 192.168.***.***)
auth: Failed to validate the user.
Login incorrect: [scip/sack] (from client routers port 3 cli 192.168.***.***)


Here is what I see on the cisco side:

20:54:06: RADIUS/ENCODE(0024): ask "Username: "
20:54:06: RADIUS/ENCODE(0024): send packet; GET_USER
bb03#
20:54:08: RADIUS/ENCODE(0024): ask "Password: "
20:54:08: RADIUS/ENCODE(0024): send packet; GET_PASSWORD
20:54:09: RADIUS/ENCODE(0024): acct_session_id: 36
20:54:09: RADIUS(0024): sending
20:54:09: RADIUS: Send to unknown id 40 192.168.xxx.xxx:1812, Access-Request, len 106
20:54:09: RADIUS:  authenticator 68 7C D8 7B 7C AF 3B 96 - 39 73 88 10 E1 3A 5E 8D
20:54:09: RADIUS:  User-Name   [1]   6   "scip"
20:54:09: RADIUS:  User-Password   [2]   18  *
20:54:09: RADIUS:  NAS-Port[5]   6   3 
20:54:09: RADIUS:  Vendor, Cisco   [26]  22  
20:54:09: RADIUS:   Cisco AVpair   [1]   16  "interface=tty3"
20:54:09: RADIUS:  NAS-Port-Type   [61]  6   Virtual   [5]
bb03#
20:54:09: RADIUS:  Calling-Station-Id  [31]  16  "192.168.***.***"
20:54:09: RADIUS:  Service-Type[6]   6   Login [1]
20:54:09: RADIUS:  NAS-IP-Address  [4]   6   192.168.yyy.yyy 
bb03#
20:54:11: RADIUS: Received from id 40 192.168.xxx.xxx:1812, Access-Reject, len 20
20:54:11: RADIUS:  authenticator 8B CF FB C9 C3 5D 00 B0 - DF BD 52 66 0A 08 C7 02
20:54:11: RADIUS: Received from id 24
20:54:11: RADIUS/DECODE: parse response short packet; IGNORE


 
my question: how can I get freeradius to let me telnet into the
cisco router? why does it claim that there is no password set,
although it's defined in the users file?


thanks in advance,

Tom

-- 
Thomas Linden <[EMAIL PROTECTED]>,  I Z B  Informatik-Zentrum
Muenchen-Frankfurt a.M. GmbH & Co.KG, Internet Service Providing
OE532 Tel:089/2171-27998, Fax:089/2171-27995,  http://www.izb.de
