Re: Problems with Cisco switch and authorization. - resolved.

2009-06-15 Thread Jeff Davis




The two things I have changed to get it working are:

in users:
DEFAULT Auth-Type := LDAP
 Service-Type = NAS-Prompt-User,
 cisco-avpair = "shell:priv-lvl=15",
 Fall-Through = 1

and added on the switch:

aaa authorization exec default group radius local
aaa authorization network default group radius local

Next - ldapgroupfilter.

I have a group of users called "radiususers" - and the following in
radiusd.conf:

groupname_attribute = cn
groupmembership_filter = "(&(objectClass=posixGroup)(memberUid=%{Stripped-User-Name:-%{User-Name}}))"

and in users:

DEFAULT LDAP-Group == radiususers
 Service-Type = Administrative-User

But any ldap user can still login regardless of group membership.

Where am I screwing up?

Thanks,

-Jeff


Ivan Kalik wrote:

19:23:13: RADIUS: no appropriate authorization type for user.

I am all but certain this is a self-inflicted wound.

It is. Have a look at your aaa configuration. Do you see an authorization
line anywhere?

Ivan Kalik
Kalik Informatika ISP

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


-- 
Jefferson K Davis
Technology & Information Systems Manager
Standard School District
1200 North Chester Ave
Bakersfield, CA  93308
USA
661.392.2110 ext 120


-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
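The group-membership problem in the message above is a matter of entry order in the users file: the first DEFAULT entry matches every user, sets Auth-Type := LDAP and falls through, while the second only adds reply items for members of radiususers and never rejects anyone else, so a non-member still authenticates against LDAP and is accepted. The fragment below is an added example, not configuration from the thread or from the FreeRADIUS project. It places the entries as posted next to a corrected version that rejects non-members. The group name radiususers, the NAS-Prompt-User and shell:priv-lvl=15 reply items and the posixGroup/memberUid group filter come from the thread; the Reply-Message text and the assumption of a FreeRADIUS 2.x users file read by rlm_files are assumptions.

```text
# Added example (not from the thread): FreeRADIUS 2.x "users" file read by
# rlm_files. Entries are tried top to bottom; the first matching entry ends
# processing unless its reply items include Fall-Through = Yes.
# Ldap-Group is a check attribute registered by rlm_ldap: it evaluates
# groupmembership_filter against the directory for the request's user.

# --- As posted: every LDAP user is accepted ------------------------------
# Entry 1 matches everyone, forces LDAP authentication and falls through.
# Entry 2 only adds Service-Type for group members; a non-member simply
# keeps the reply items from entry 1 and is accepted once the LDAP bind
# with the supplied password succeeds.
#
# DEFAULT Auth-Type := LDAP
#         Service-Type = NAS-Prompt-User,
#         cisco-avpair = "shell:priv-lvl=15",
#         Fall-Through = 1
#
# DEFAULT LDAP-Group == radiususers
#         Service-Type = Administrative-User

# --- Corrected: members get a privilege-15 exec shell, others are rejected
# The group test is a check item on the first line, so a non-member never
# matches this entry at all. No Fall-Through, so members stop here.
DEFAULT Ldap-Group == "radiususers", Auth-Type := LDAP
        Service-Type = NAS-Prompt-User,
        Cisco-AVPair = "shell:priv-lvl=15"

# Anything still being processed is not in the group. Auth-Type := Reject
# as a check item makes the server send Access-Reject without consulting
# LDAP for the password. Keep this entry last: every other entry that is
# meant to grant access must come before it.
DEFAULT Auth-Type := Reject
        Reply-Message = "Not a member of radiususers"   # assumed text
```

Run the server with radiusd -X and test with radtest <user> <password> localhost 0 <secret> once for a user in the group and once for a user outside it; the debug output shows which users entry matched and whether the Ldap-Group comparison succeeded. On the switch side, the thread's aaa authorization exec default group radius local line is what makes IOS act on Service-Type and shell:priv-lvl at all. Note that IOS moves on to the local method only when no RADIUS server answers, not when RADIUS rejects, so a local privilege-15 account should exist for the case where the server is unreachable.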

Re: Problems with Cisco switch and authorization.

2009-06-10 Thread Alan DeKok
Jeff Davis wrote:
 Sorry - I'm a n00b to this project.
 
 Trying to get OpenLDAP-based authentication working (well the auth DOES
 work) but cannot seem to get authorization working.
 
 Googling has so far failed me.  Perhaps someone on this list can clue me
 in...

  Have you run the server in debug mode as suggested in the FAQ, README,
man page, etc..?

 users file has the following:
 
 DEFAULT Service-Type == NAS-Prompt-User
Service-Type := NAS-Prompt-User,
Cisco-AVPair += "shell:priv-lvl=15"

  If those attributes are being sent back to the NAS, then fix the NAS
so that it follows the instructions sent by the RADIUS server.

  Alan DeKok.


RE: Problems with Cisco switch and authorization.

2009-06-10 Thread François Mehault
FYI http://wiki.freeradius.org/Cisco, maybe it can help you.

Regards,

François

-Original Message-
From: freeradius-users-bounces+francois.mehault=netplus...@lists.freeradius.org
[mailto:freeradius-users-bounces+francois.mehault=netplus...@lists.freeradius.org]
On Behalf Of Alan DeKok
Sent: Wednesday, 10 June 2009 10:22
To: FreeRadius users mailing list
Subject: Re: Problems with Cisco switch and authorization.

Jeff Davis wrote:
 Sorry - I'm a n00b to this project.

 Trying to get OpenLDAP-based authentication working (well the auth DOES
 work) but cannot seem to get authorization working.

 Googling has so far failed me.  Perhaps someone on this list can clue me
 in...

  Have you run the server in debug mode as suggested in the FAQ, README,
man page, etc..?

 users file has the following:

 DEFAULT Service-Type == NAS-Prompt-User
Service-Type := NAS-Prompt-User,
Cisco-AVPair += "shell:priv-lvl=15"

  If those attributes are being sent back to the NAS, then fix the NAS
so that it follows the instructions sent by the RADIUS server.

  Alan DeKok.


Re: Problems with Cisco switch and authorization.

2009-06-10 Thread Jeff Davis






Alan DeKok wrote:

  Jeff Davis wrote:

Sorry - I'm a n00b to this project.

Trying to get OpenLDAP-based authentication working (well the auth DOES
work) but cannot seem to get authorization working.

Googling has so far failed me.  Perhaps someone on this list can clue me
in...


  Have you run the server in debug mode as suggested in the FAQ, README,
"man" page, etc..?



Yes. As far as the radius server is concerned everything is fine. I
would agree that the problem is likely on the switch(es). Just not
sure what's missing/extra that's hosing it up.

Here's the relevant stuff from the switch.

aaa new-model
aaa authentication password-prompt PASS:
aaa authentication username-prompt USER:
aaa authentication login default group radius local
aaa authentication login localauth local
aaa authentication dot1x default group radius
aaa accounting delay-start
aaa accounting exec default start-stop group radius
aaa accounting network default start-stop group radius

snip

radius-server host 10.100.0.15 auth-port 1812 acct-port 1813
radius-server retransmit 3
radius-server timeout 10
radius-server key myk3y



users file has the following:

DEFAULT Service-Type == NAS-Prompt-User
   Service-Type := NAS-Prompt-User,
   Cisco-AVPair += "shell:priv-lvl=15"

  If those attributes are being sent back to the NAS, then fix the NAS
so that it follows the instructions sent by the RADIUS server.

  Alan DeKok.



Re: Problems with Cisco switch and authorization.

2009-06-10 Thread Jeff Davis




Also getting the following on the switch log:

19:23:13: tty2 AAA/AUTHOR/EXEC (4066001896): send AV service=shell
19:23:13: tty2 AAA/AUTHOR/EXEC (4066001896): send AV cmd*
19:23:13: tty2 AAA/AUTHOR/EXEC (4066001896): found list "default"
19:23:13: tty2 AAA/AUTHOR/EXEC (4066001896): Method=radius (radius)
19:23:13: RADIUS: no appropriate authorization type for user.

I am all but certain this is a self-inflicted wound. At least those
are easier to fix once their nature is known.

I currently have no attributes in my openldap tree populated... will
eventually add a group filter when I get this authorization piece
working. Could the problem be ldap-related or switch or ??? I'm
stumped. I can't imagine no one has dealt with this before.

Alan DeKok wrote:

  Jeff Davis wrote:

Sorry - I'm a n00b to this project.

Trying to get OpenLDAP-based authentication working (well the auth DOES
work) but cannot seem to get authorization working.

Googling has so far failed me.  Perhaps someone on this list can clue me
in...


  Have you run the server in debug mode as suggested in the FAQ, README,
"man" page, etc..?

users file has the following:

DEFAULT Service-Type == NAS-Prompt-User
   Service-Type := NAS-Prompt-User,
   Cisco-AVPair += "shell:priv-lvl=15"

  If those attributes are being sent back to the NAS, then fix the NAS
so that it follows the instructions sent by the RADIUS server.

  Alan DeKok.

Re: Problems with Cisco switch and authorization.

2009-06-10 Thread Ivan Kalik
 19:23:13: RADIUS: no appropriate authorization type for user.

 I am all but certain this is a self-inflicted wound.

It is. Have a look at your aaa configuration. Do you see an authorization
line anywhere?

Ivan Kalik
Kalik Informatika ISP



Problems with Cisco switch and authorization.

2009-06-09 Thread Jeff Davis

Sorry - I'm a n00b to this project.

Trying to get OpenLDAP-based authentication working (well the auth DOES 
work) but cannot seem to get authorization working.


Googling has so far failed me.  Perhaps someone on this list can clue me 
in...


users file has the following:

DEFAULT Service-Type == NAS-Prompt-User
   Service-Type := NAS-Prompt-User,
   Cisco-AVPair += "shell:priv-lvl=15"
