Hello all,
I'm having a problem getting users to default to the right privilege level.
aaa authentication login default group radius local
aaa authorization exec default group radius local
radius-server host xx.20.xx.xx auth-port 1645 acct-port 1646
radius-server key 7
privilege exec level 2 enable
DEFAULT Group == radiusfull, Auth-Type = System
CiscoAVPair = shell:priv-lvl=2,
Fall-Through = No
DEFAULT Group == radiusview, Auth-Type = System
CiscoAVPair = shell:priv-lvl=1,
Fall-Through = No
rad_recv: Access-Request packet from host xx.xx.xx.xx:1645, id=30, length=93
User-Name = rsharpe
User-Password = *
Cisco-NAS-Port = tty226
NAS-Port = 226
NAS-Port-Type = Virtual
Calling-Station-Id = xx.xx.xx.xx
NAS-IP-Address = xx.xx.xx.xx
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 2
modcall[authorize]: module preprocess returns ok for request 2
modcall[authorize]: module chap returns noop for request 2
modcall[authorize]: module mschap returns noop for request 2
rlm_realm: No '@' in User-Name = rsharpe, looking up realm NULL
rlm_realm: No such realm NULL
modcall[authorize]: module suffix returns noop for request 2
users: Matched entry DEFAULT at line 54
modcall[authorize]: module files returns ok for request 2
modcall: group authorize returns ok for request 2
rad_check_password: Found Auth-Type System
auth: type System
Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 2
modcall[authenticate]: module unix returns ok for request 2
modcall: group authenticate returns ok for request 2
Sending Access-Accept of id 30 to xx.xx.xx.xx:1645
Finished request 2
Going to the next request
--- Walking the entire request list ---
Waking up in 6 seconds...
--- Walking the entire request list ---
Cleaning up request 2 ID 30 with timestamp 43304ea1
Nothing to do. Sleeping until we see a request.
What I am trying to accomplish is to have to two different unix groups
authorized to two different levels. As I'm sure you can see from the
configuration I want to have radiusfull have access to exec level 2
and radiusview have access to exec level 1. I know that the service is
working I can login with my unix account to the router. I have seen
numerous examples about how to do this, and from what I understand it
should work. I also did a packet capture of the communication between
the two devices and I did no see any of the AVPairs in the packet data.
If someone could help and enlighten me that would be great. THANKS!
--
Ryan Sharpe
Junior Technical Analyst
LARG*net
(519) 661-2111 x86356
[EMAIL PROTECTED]
http://www.largnet.on.ca
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html