Re: How to get vendor-specific attribute value pairs
As a short update on this topic - I thought it might be worth sharing the update since I've been successful in getting authorized via FR to privileged exec mode on a Netgear GSM7224P (F/W 1.0.1.21).

Netgear is based on Broadcom FASTPATH (MIBs tell so) - as are some Dell PowerConnects - and fortunately both CLI and behaviour are very close - they also behave quite similarly to the Cisco IOS CLI. Some documentation exists on the net on how to get SSH login working with PowerConnects, but I've not found real examples for Netgears.

I was successfully authorized to level 15 when I added an update reply section sending either / or:

- Cisco-AVPair:= shell:priv-lvl=15
- Service-Type = Administrative-User

It worked with both messages. I've once read that some newer Dells started preferring the second, less Cisco-centric, message, but with Netgear's (currently) latest firmware it seems to work with both.

On the switch I had to configure the radius server address and auth lists (actually the Web UI has its own, httplist / httpslist) for Console/Telnet/SSH. I also had to set the following line to get privilege level 15:

aaa authorization exec default radius local *

That apparently was helping the switch to understand the message sent by FreeRADIUS. I'll have to clean up things a little, but at least this seems to be working now, no more clunky shared $enab15$ user required :-)

-- Mathieu

* Which is similar to Cisco's 'aaa authorization exec default group radius none' I found here - kudos to: http://lists.freeradius.org/pipermail/freeradius-users/2008-July/029800.html

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
How to get vendor-specific attribute value pairs
G'day list

I have been tinkering with some Netgear managed L2/L3 switching stuff and got the login working via freeradius (actually quite simple compared to EAP stuff for wireless).

But when issuing enable after login, going into what they call Privileged EXEC mode, it will - very similar to Cisco - send a request for a user $enab15$ to the radius server when FR doesn't send Cisco's own attribute value pair for privileges. At least defining such a user leads to working elevation to this privileged mode, but requires it instead of using the network admin's own password.

In general a lot of commands on these Netgears are (very much) similar to Cisco IOS, where one can use the shell:priv-lvl=15 avpair during authentication so the Cisco switch/router knows the privilege level of the logged in user and thus won't ask for a $enab15$ user.

FreeRADIUS doesn't have a dictionary for Netgear stuff yet. I don't think Netgear copied Cisco's own AVpair use, but in case they do have their own AV pairs, how do you guys generally identify them?

Best regards
Mathieu
Re: How to get vendor-specific attribute value pairs
On 10 Jul 2013, at 12:46, Mathieu Simon mathieu@gmail.com wrote:

> G'day list
>
> I have been tinkering with some Netgear managed L2/L3 switching stuff and got the login working via freeradius (actually quite simple compared to EAP stuff for wireless).
>
> But when issuing enable after login, going into what they call Privileged EXEC mode, it will - very similar to Cisco - send a request for a user $enab15$ to the radius server when FR doesn't send Cisco's own attribute value pair for privileges. At least defining such a user leads to working elevation to this privileged mode, but requires it instead of using the network admin's own password.
>
> In general a lot of commands on these Netgears are (very much) similar to Cisco IOS, where one can use the shell:priv-lvl=15 avpair during authentication so the Cisco switch/router knows the privilege level of the logged in user and thus won't ask for a $enab15$ user.
>
> FreeRADIUS doesn't have a dictionary for Netgear stuff yet. I don't think Netgear copied Cisco's own AVpair use, but in case they do have their own AV pairs, how do you guys generally identify them?

By asking Netgear. There's no way to query the NAS to determine which attributes it supports. Or to decode unknown VSAs into meaningful data. This is not a limitation of FreeRADIUS, but a limitation of the protocol.

-Arran

Arran Cudbard-Bell a.cudba...@freeradius.org
FreeRADIUS Development Team
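Arran's point above (an unknown VSA can be split into Vendor-Id, vendor type and raw bytes, but not into meaningful names or values without the vendor's dictionary) and the reply attributes Mathieu describes in his update at the top of the thread (Cisco-AVPair "shell:priv-lvl=15" and Service-Type Administrative-User) are illustrated by the following added example. It is not code from the thread or from FreeRADIUS; it encodes those two attributes on the wire per RFC 2865 and then decodes them once with a dictionary for Cisco (IANA enterprise number 9, vendor attribute 1 = Cisco-AVPair, as in FreeRADIUS's dictionary.cisco) and once with no dictionary at all. The attribute bytes are constructed inline.

```python
"""Encode and decode RADIUS Vendor-Specific Attributes (RFC 2865, section 5.26).

Constructed example: builds the two reply attributes used in the thread as raw
bytes, then decodes them with and without a vendor dictionary to show what can
and cannot be recovered from an unknown VSA.
"""
import struct

# Standard attribute types from RFC 2865.
ATTR_SERVICE_TYPE = 6
ATTR_VENDOR_SPECIFIC = 26

# Service-Type values from RFC 2865 section 5.6 (6 = Administrative-User).
SERVICE_TYPE_NAMES = {1: "Login-User", 6: "Administrative-User", 7: "NAS-Prompt-User"}

# Cisco's IANA enterprise number and the vendor attribute FreeRADIUS's
# dictionary.cisco names Cisco-AVPair.
VENDOR_CISCO = 9
CISCO_DICTIONARY = {1: "Cisco-AVPair"}


def encode_service_type(value):
    """Type(1) Length(1) Value(4); Length counts the header too."""
    return struct.pack("!BBI", ATTR_SERVICE_TYPE, 6, value)


def encode_vsa(vendor_id, vendor_type, value):
    """VSA with the Vendor-Type/Vendor-Length sub-header most vendors use."""
    # Outer Length is one byte (max 255): 2 outer header + 4 Vendor-Id + 2 sub-header.
    if len(value) > 247:
        raise ValueError("VSA value too long for a single attribute")
    body = struct.pack("!IBB", vendor_id, vendor_type, len(value) + 2) + value
    return struct.pack("!BB", ATTR_VENDOR_SPECIFIC, len(body) + 2) + body


def split_attributes(data):
    """Return [(type, value_bytes), ...]; reject malformed or truncated lengths."""
    attrs = []
    offset = 0
    while offset + 2 <= len(data):
        attr_type, length = data[offset], data[offset + 1]
        if length < 2 or offset + length > len(data):
            raise ValueError(f"malformed attribute at offset {offset}")
        attrs.append((attr_type, data[offset + 2:offset + length]))
        offset += length
    if offset != len(data):
        raise ValueError("trailing bytes after last attribute")
    return attrs


def decode_vsa(value, dictionaries):
    """Return (vendor_id, vendor_type, name_or_None, payload) for one VSA body."""
    if len(value) < 6:
        raise ValueError("VSA too short for Vendor-Id and sub-header")
    vendor_id, vendor_type, vendor_len = struct.unpack("!IBB", value[:6])
    if vendor_len != len(value) - 4:
        raise ValueError("Vendor-Length does not match attribute length")
    payload = value[6:]
    # Without a dictionary entry the vendor type has no name and the payload
    # has no type: this is the protocol limitation Arran describes.
    name = dictionaries.get(vendor_id, {}).get(vendor_type)
    return vendor_id, vendor_type, name, payload


def describe_reply(data, dictionaries):
    """Turn a raw attribute list into (name, value) pairs a human can read."""
    out = []
    for attr_type, value in split_attributes(data):
        if attr_type == ATTR_SERVICE_TYPE:
            code = struct.unpack("!I", value)[0]
            out.append(("Service-Type", SERVICE_TYPE_NAMES.get(code, str(code))))
        elif attr_type == ATTR_VENDOR_SPECIFIC:
            vendor_id, vendor_type, name, payload = decode_vsa(value, dictionaries)
            if name is None:
                # Unknown VSA: only vendor number, type number and hex survive.
                out.append((f"Vendor-{vendor_id}-Attr-{vendor_type}", payload.hex()))
            else:
                out.append((name, payload.decode("ascii", "replace")))
        else:
            out.append((f"Attr-{attr_type}", value.hex()))
    return out


def build_priv15_reply():
    """The two attributes from the thread, as they would appear in an Access-Accept."""
    return encode_vsa(VENDOR_CISCO, 1, b"shell:priv-lvl=15") + encode_service_type(6)


if __name__ == "__main__":
    reply = build_priv15_reply()
    print("with dictionary.cisco:", describe_reply(reply, {VENDOR_CISCO: CISCO_DICTIONARY}))
    print("no vendor dictionary: ", describe_reply(reply, {}))
```

Run with no vendor dictionary, the Cisco attribute comes back as Vendor-9-Attr-1 with a hex payload: the Vendor-Id and attribute number are always recoverable from the wire format, the name and type of the value are not, which is why a Netgear-specific VSA can only be decoded once Netgear publishes (or someone obtains) the dictionary.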
Re: How to get vendor-specific attribute value pairs
G'day

2013/7/10 Arran Cudbard-Bell a.cudba...@freeradius.org

> On 10 Jul 2013, at 12:46, Mathieu Simon mathieu@gmail.com wrote:
>
>> FreeRADIUS doesn't have a dictionary for Netgear stuff yet. I don't think Netgear copied Cisco's own AVpair use, but in case they do have their own AV pairs, how do you guys generally identify them?
>
> By asking Netgear. There's no way to query the NAS to determine which attributes it supports. Or to decode unknown VSAs into meaningful data. This is not a limitation of FreeRADIUS, but a limitation of the protocol.

Thank you Arran, that's what I suspected but hoped that there would be another way to find out. I'll see if Netgear is willing to approve the existence of AV pairs (and if they're willing to share them).

-- Mathieu
Re: How to get vendor-specific attribute value pairs
Hi,

> Thank you Arran, that's what I suspected but hoped that there would be another way to find out. I'll see if Netgear is willing to approve the existence of AV pairs (and if they're willing to share them).

On some kit you can run a command to see the VSA list/desc.

Most vendors will document their AV pairs - buried somewhere on their support sites.

alan