Re: Authenticating to Cisco 29xx using OpenLDAP and FreeRadius

2004-07-12 Thread Robert Banniza
Kenneth offered the magic bullet that fixed this. Now on to Juniper ERX
auth. and ACL'ing down access to routers. Thanks for all the help guys!
I really appreciate it!

Robert

On Mon, Jul 12, 2004 at 02:37:24PM -0600, Kenneth Grady wrote:
> In your users file (line 153 or 217) try adding:
>   Service-Type = Administrative-User,
> 
> On Mon, 2004-07-12 at 13:42, Robert Banniza wrote:
> > Here is what we are seeing now. The secret has been set and will allow
> > us to login but we are not getting any privileged level:
> > 
> > 
> > rad_recv: Access-Request packet from host 67.106.198.67:1645, id=15,
> > length=75
> > NAS-IP-Address = 10.1.1.31
> > NAS-Port = 1
> > NAS-Port-Type = Virtual
> > User-Name = "homer"
> > Calling-Station-Id = "10.1.1.162"
> > User-Password = "t3stm3"
> > modcall: entering group authorize for request 0
> >   modcall[authorize]: module "preprocess" returns ok for request 0
> >   modcall[authorize]: module "chap" returns noop for request 0
> >   modcall[authorize]: module "eap" returns noop for request 0
> > rlm_realm: No '@' in User-Name = "homer", looking up realm NULL
> > rlm_realm: No such realm "NULL"
> >   modcall[authorize]: module "suffix" returns noop for request 0
> > users: Matched DEFAULT at 152
> > users: Matched DEFAULT at 216
> >   modcall[authorize]: module "files" returns ok for request 0
> >   modcall[authorize]: module "mschap" returns noop for request 0
> > rlm_ldap: - authorize
> > rlm_ldap: performing user authorization for homer
> > radius_xlat:  '(&(ObjectClass=posixAccount)(uid=homer))'
> > radius_xlat:  'ou=people,dc=test,dc=net'
> > ldap_get_conn: Got Id: 0
> > rlm_ldap: attempting LDAP reconnection
> > rlm_ldap: (re)connect to jag.test.net:389, authentication 0
> > rlm_ldap: bind as / to jag.test.net:389
> > rlm_ldap: waiting for bind result ...
> > rlm_ldap: performing search in ou=people,dc=test,dc=net, with filter
> > (&(ObjectClass=posixAccount)(uid=homer))
> > rlm_ldap: looking for check items in directory...
> > rlm_ldap: Adding radiusAuthType as Auth-Type, value LDAP & op=21
> > rlm_ldap: looking for reply items in directory...
> > rlm_ldap: extracted attribute Juniper-Local-User-Name from generic item
> > Juniper-Local-User-Name := tier1
> > rlm_ldap: extracted attribute Cisco-AVPair from generic item
> > Cisco-AVPair := "shell:priv-lvl=15"
> > rlm_ldap: user homer authorized to use remote access
> > ldap_release_conn: Release Id: 0
> >   modcall[authorize]: module "ldap" returns ok for request 0
> > modcall: group authorize returns ok for request 0
> >   rad_check_password:  Found Auth-Type LDAP
> > auth: type "LDAP"
> > modcall: entering group Auth-Type for request 0
> > rlm_ldap: - authenticate
> > rlm_ldap: login attempt by "homer" with password "t3stm3"
> > rlm_ldap: user DN: uid=homer,ou=people,dc=test,dc=net
> > rlm_ldap: (re)connect to jag.test.net:389, authentication 1
> > rlm_ldap: bind as uid=homer,ou=people,dc=test,dc=net/t3stm3 to
> > jag.test.net:389
> > rlm_ldap: waiting for bind result ...
> > rlm_ldap: user homer authenticated succesfully
> >   modcall[authenticate]: module "ldap" returns ok for request 0
> > modcall: group Auth-Type returns ok for request 0
> > Sending Access-Accept of id 15 to 67.106.198.67:1645
> > Juniper-Local-User-Name := "tier1"
> > Cisco-AVPair := "shell:priv-lvl=15"
> > Finished request 0
> > Going to the next request
> > --- Walking the entire request list ---
> > Waking up in 6 seconds...
> > --- Walking the entire request list ---
> > Cleaning up request 0 ID 15 with timestamp 40f2e98a
> > Nothing to do.  Sleeping until we see a request.
> > 
> > 
> > 
> > 
> > 
> > On Mon, Jul 12, 2004 at 02:29:28PM -0400, Dustin Doris wrote:
> > > You need to do what the debug message said and make sure your shared
> > > secret is correct.  Check clients.conf in your raddb directory.
> > > 
> > > WARNING: Unprintable characters in the password. ?  Double-check the
> > > shared secret on the server and the NAS!
> > > 
> > > 
> > > On Mon, 12 Jul 2004, Robert Banniza wrote:
> > > 
> > > > Here is what radiusd -X -A provides:
> > > >
> > > > rad_recv: Access-Request packet from host 67.106.198.67:1645, id=10,
> > > > length=75
> > > > NAS-IP-Address = 11.9.67.177
> > > > NAS-Port = 1
> > > > NAS-Port-Type = Virtual
> > > > User-Name = "homer"
> > > > Calling-Station-Id = "10.1.1.162"
> > > > User-Password = "\334\303A_-VB/VJ N\017\230\217\317"
> > > > modcall: entering group authorize for request 0
> > > >   modcall[authorize]: module "preprocess" returns ok for request 0
> > > >   modcall[authorize]: module "chap" returns noop for request 0
> > > >   modcall[authorize]: module "eap" returns noop for request 0
> > > > rlm_realm: No '@' in User-Name = "homer", looking up realm NULL
> > > > rlm_realm: No such realm "NULL"
> > > >   modcall[authorize]: module "suffix" returns noop for
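
The fix in this thread was a reply item, so the quickest check is on the Access-Accept that radiusd -X prints. Below is an added example (my own code, not from the thread or from FreeRADIUS) that parses the "Sending Access-Accept ..." block of a FreeRADIUS 1.x debug transcript and reports why a Cisco IOS EXEC authorization built on that reply would still fail or land the user at privilege 1: no Service-Type = Administrative-User, or no Cisco-AVPair shell:priv-lvl=N. The BEFORE/AFTER/REJECT transcripts are constructed, trimmed to the shape of the output posted above. One caveat a practitioner would want: Kenneth's suggestion puts Service-Type on a DEFAULT entry in the users file, which every user matching that entry receives; the thread's own LDIF shows the per-user alternative (a radiusReplyItem on the LDAP entry, next to the existing Cisco-AVPair), which keeps the decision in the directory alongside priv-lvl.

```python
import re
from typing import Dict, List, Optional

# Constructed samples in the shape of the FreeRADIUS 1.x "radiusd -X" output in
# the thread (not copied verbatim). BEFORE is the accept that still left the
# user at privilege 1; AFTER carries the Service-Type reply item that fixed it.
BEFORE = """\
Sending Access-Accept of id 15 to 67.106.198.67:1645
        Juniper-Local-User-Name := "tier1"
        Cisco-AVPair := "shell:priv-lvl=15"
Finished request 0
"""
AFTER = """\
Sending Access-Accept of id 16 to 67.106.198.67:1645
        Service-Type = Administrative-User
        Juniper-Local-User-Name := "tier1"
        Cisco-AVPair := "shell:priv-lvl=15"
Finished request 1
"""
REJECT = """\
Sending Access-Reject of id 10 to 67.106.198.67:1645
        Juniper-Local-User-Name := "tier1"
        Cisco-AVPair := "shell:priv-lvl=15"
Waking up in 4 seconds...
"""

SEND_RE = re.compile(r"^Sending (Access-\w+) of id (\d+) to (\S+)")
# attribute lines: Name op value, value optionally double-quoted; op is one of = := += ==
AVP_RE = re.compile(r'^\s*([\w-]+)\s*(?::=|\+=|==|=)\s*"?([^"]*)"?\s*$')


def parse_replies(debug_text: str) -> List[dict]:
    """Collect each 'Sending Access-*' line and the attribute lines directly under it."""
    replies: List[dict] = []
    lines = debug_text.splitlines()
    i = 0
    while i < len(lines):
        m = SEND_RE.match(lines[i])
        i += 1
        if not m:
            continue
        attrs: Dict[str, str] = {}
        while i < len(lines):          # attributes stop at the first non-AVP line
            a = AVP_RE.match(lines[i])
            if not a:
                break
            attrs[a.group(1)] = a.group(2)
            i += 1
        replies.append({"code": m.group(1), "id": int(m.group(2)),
                        "nas": m.group(3), "attrs": attrs})
    return replies


def cisco_priv_lvl(attrs: Dict[str, str]) -> Optional[int]:
    """Privilege level requested through the Cisco-AVPair shell:priv-lvl=N reply item."""
    m = re.fullmatch(r"shell:priv-lvl=(\d+)", attrs.get("Cisco-AVPair", ""))
    return int(m.group(1)) if m else None


def exec_authorization_problems(reply: dict) -> List[str]:
    """Reasons an IOS EXEC authorization built on this reply would fail or stay at priv 1."""
    problems: List[str] = []
    if reply["code"] != "Access-Accept":
        problems.append(f"reply is {reply['code']}, nothing after it matters")
        return problems
    attrs = reply["attrs"]
    # The value the thread used; IOS looked at Service-Type before honouring priv-lvl.
    if attrs.get("Service-Type") != "Administrative-User":
        problems.append("no Service-Type = Administrative-User in reply")
    lvl = cisco_priv_lvl(attrs)
    if lvl is None:
        problems.append("no Cisco-AVPair shell:priv-lvl=N in reply")
    elif not 0 <= lvl <= 15:
        problems.append(f"priv-lvl {lvl} outside 0..15")
    return problems


def audit(debug_text: str) -> Dict[int, List[str]]:
    """Map each reply id in a transcript to its list of problems (empty list = looks right)."""
    return {r["id"]: exec_authorization_problems(r) for r in parse_replies(debug_text)}


if __name__ == "__main__":
    for name, text in (("before", BEFORE), ("after", AFTER), ("reject", REJECT)):
        print(name, audit(text))
```

Run it against a saved `radiusd -X` transcript by reading the file into `audit()`; a reply that comes back with an empty problem list is one the router should turn into a privileged EXEC session.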

Re: Authenticating to Cisco 29xx using OpenLDAP and FreeRadius

2004-07-12 Thread Dustin Doris
Unfortunately, I can't help with that one.  It looks like you are using
the reply attribute of Cisco-AVPair := "shell:priv-lvl=15".  That reply
attribute is being sent back, so you'll have to check the Cisco docs to
see if it's all set up correctly on the 29xx.

Found this on google, may help you with configuring the router.

http://www.mail-archive.com/[EMAIL PROTECTED]/msg18034.html

Regards

On Mon, 12 Jul 2004, Robert Banniza wrote:

> Here is what we are seeing now. The secret has been set and will allow
> us to login but we are not getting any privileged level:
>
>
> rad_recv: Access-Request packet from host 67.106.198.67:1645, id=15,
> length=75
> NAS-IP-Address = 10.1.1.31
> NAS-Port = 1
> NAS-Port-Type = Virtual
> User-Name = "homer"
> Calling-Station-Id = "10.1.1.162"
> User-Password = "t3stm3"
> modcall: entering group authorize for request 0
>   modcall[authorize]: module "preprocess" returns ok for request 0
>   modcall[authorize]: module "chap" returns noop for request 0
>   modcall[authorize]: module "eap" returns noop for request 0
> rlm_realm: No '@' in User-Name = "homer", looking up realm NULL
> rlm_realm: No such realm "NULL"
>   modcall[authorize]: module "suffix" returns noop for request 0
> users: Matched DEFAULT at 152
> users: Matched DEFAULT at 216
>   modcall[authorize]: module "files" returns ok for request 0
>   modcall[authorize]: module "mschap" returns noop for request 0
> rlm_ldap: - authorize
> rlm_ldap: performing user authorization for homer
> radius_xlat:  '(&(ObjectClass=posixAccount)(uid=homer))'
> radius_xlat:  'ou=people,dc=test,dc=net'
> ldap_get_conn: Got Id: 0
> rlm_ldap: attempting LDAP reconnection
> rlm_ldap: (re)connect to jag.test.net:389, authentication 0
> rlm_ldap: bind as / to jag.test.net:389
> rlm_ldap: waiting for bind result ...
> rlm_ldap: performing search in ou=people,dc=test,dc=net, with filter
> (&(ObjectClass=posixAccount)(uid=homer))
> rlm_ldap: looking for check items in directory...
> rlm_ldap: Adding radiusAuthType as Auth-Type, value LDAP & op=21
> rlm_ldap: looking for reply items in directory...
> rlm_ldap: extracted attribute Juniper-Local-User-Name from generic item
> Juniper-Local-User-Name := tier1
> rlm_ldap: extracted attribute Cisco-AVPair from generic item
> Cisco-AVPair := "shell:priv-lvl=15"
> rlm_ldap: user homer authorized to use remote access
> ldap_release_conn: Release Id: 0
>   modcall[authorize]: module "ldap" returns ok for request 0
> modcall: group authorize returns ok for request 0
>   rad_check_password:  Found Auth-Type LDAP
> auth: type "LDAP"
> modcall: entering group Auth-Type for request 0
> rlm_ldap: - authenticate
> rlm_ldap: login attempt by "homer" with password "t3stm3"
> rlm_ldap: user DN: uid=homer,ou=people,dc=test,dc=net
> rlm_ldap: (re)connect to jag.test.net:389, authentication 1
> rlm_ldap: bind as uid=homer,ou=people,dc=test,dc=net/t3stm3 to
> jag.test.net:389
> rlm_ldap: waiting for bind result ...
> rlm_ldap: user homer authenticated succesfully
>   modcall[authenticate]: module "ldap" returns ok for request 0
> modcall: group Auth-Type returns ok for request 0
> Sending Access-Accept of id 15 to 67.106.198.67:1645
> Juniper-Local-User-Name := "tier1"
> Cisco-AVPair := "shell:priv-lvl=15"
> Finished request 0
> Going to the next request
> --- Walking the entire request list ---
> Waking up in 6 seconds...
> --- Walking the entire request list ---
> Cleaning up request 0 ID 15 with timestamp 40f2e98a
> Nothing to do.  Sleeping until we see a request.
>
>
>
>
>
> On Mon, Jul 12, 2004 at 02:29:28PM -0400, Dustin Doris wrote:
> > You need to do what the debug message said and make sure your shared
> > secret is correct.  Check clients.conf in your raddb directory.
> >
> > WARNING: Unprintable characters in the password. ?  Double-check the
> > shared secret on the server and the NAS!
> >
> >
> > On Mon, 12 Jul 2004, Robert Banniza wrote:
> >
> > > Here is what radiusd -X -A provides:
> > >
> > > rad_recv: Access-Request packet from host 67.106.198.67:1645, id=10,
> > > length=75
> > > NAS-IP-Address = 11.9.67.177
> > > NAS-Port = 1
> > > NAS-Port-Type = Virtual
> > > User-Name = "homer"
> > > Calling-Station-Id = "10.1.1.162"
> > > User-Password = "\334\303A_-VB/VJ N\017\230\217\317"
> > > modcall: entering group authorize for request 0
> > >   modcall[authorize]: module "preprocess" returns ok for request 0
> > >   modcall[authorize]: module "chap" returns noop for request 0
> > >   modcall[authorize]: module "eap" returns noop for request 0
> > > rlm_realm: No '@' in User-Name = "homer", looking up realm NULL
> > > rlm_realm: No such realm "NULL"
> > >   modcall[authorize]: module "suffix" returns noop for request 0
> > > users: Matched DEFAULT at 152
> > > users: Matched DEFAULT at 216
> > >   modcall[authorize]: module "files" returns ok for request 0
> >

Re: Authenticating to Cisco 29xx using OpenLDAP and FreeRadius

2004-07-12 Thread Robert Banniza
Here is what we are seeing now. The secret has been set and will allow
us to login but we are not getting any privileged level:


rad_recv: Access-Request packet from host 67.106.198.67:1645, id=15,
length=75
NAS-IP-Address = 10.1.1.31
NAS-Port = 1
NAS-Port-Type = Virtual
User-Name = "homer"
Calling-Station-Id = "10.1.1.162"
User-Password = "t3stm3"
modcall: entering group authorize for request 0
  modcall[authorize]: module "preprocess" returns ok for request 0
  modcall[authorize]: module "chap" returns noop for request 0
  modcall[authorize]: module "eap" returns noop for request 0
rlm_realm: No '@' in User-Name = "homer", looking up realm NULL
rlm_realm: No such realm "NULL"
  modcall[authorize]: module "suffix" returns noop for request 0
users: Matched DEFAULT at 152
users: Matched DEFAULT at 216
  modcall[authorize]: module "files" returns ok for request 0
  modcall[authorize]: module "mschap" returns noop for request 0
rlm_ldap: - authorize
rlm_ldap: performing user authorization for homer
radius_xlat:  '(&(ObjectClass=posixAccount)(uid=homer))'
radius_xlat:  'ou=people,dc=test,dc=net'
ldap_get_conn: Got Id: 0
rlm_ldap: attempting LDAP reconnection
rlm_ldap: (re)connect to jag.test.net:389, authentication 0
rlm_ldap: bind as / to jag.test.net:389
rlm_ldap: waiting for bind result ...
rlm_ldap: performing search in ou=people,dc=test,dc=net, with filter
(&(ObjectClass=posixAccount)(uid=homer))
rlm_ldap: looking for check items in directory...
rlm_ldap: Adding radiusAuthType as Auth-Type, value LDAP & op=21
rlm_ldap: looking for reply items in directory...
rlm_ldap: extracted attribute Juniper-Local-User-Name from generic item
Juniper-Local-User-Name := tier1
rlm_ldap: extracted attribute Cisco-AVPair from generic item
Cisco-AVPair := "shell:priv-lvl=15"
rlm_ldap: user homer authorized to use remote access
ldap_release_conn: Release Id: 0
  modcall[authorize]: module "ldap" returns ok for request 0
modcall: group authorize returns ok for request 0
  rad_check_password:  Found Auth-Type LDAP
auth: type "LDAP"
modcall: entering group Auth-Type for request 0
rlm_ldap: - authenticate
rlm_ldap: login attempt by "homer" with password "t3stm3"
rlm_ldap: user DN: uid=homer,ou=people,dc=test,dc=net
rlm_ldap: (re)connect to jag.test.net:389, authentication 1
rlm_ldap: bind as uid=homer,ou=people,dc=test,dc=net/t3stm3 to
jag.test.net:389
rlm_ldap: waiting for bind result ...
rlm_ldap: user homer authenticated succesfully
  modcall[authenticate]: module "ldap" returns ok for request 0
modcall: group Auth-Type returns ok for request 0
Sending Access-Accept of id 15 to 67.106.198.67:1645
Juniper-Local-User-Name := "tier1"
Cisco-AVPair := "shell:priv-lvl=15"
Finished request 0
Going to the next request
--- Walking the entire request list ---
Waking up in 6 seconds...
--- Walking the entire request list ---
Cleaning up request 0 ID 15 with timestamp 40f2e98a
Nothing to do.  Sleeping until we see a request.





On Mon, Jul 12, 2004 at 02:29:28PM -0400, Dustin Doris wrote:
> You need to do what the debug message said and make sure your shared
> secret is correct.  Check clients.conf in your raddb directory.
> 
> WARNING: Unprintable characters in the password. ?  Double-check the
> shared secret on the server and the NAS!
> 
> 
> On Mon, 12 Jul 2004, Robert Banniza wrote:
> 
> > Here is what radiusd -X -A provides:
> >
> > rad_recv: Access-Request packet from host 67.106.198.67:1645, id=10,
> > length=75
> > NAS-IP-Address = 11.9.67.177
> > NAS-Port = 1
> > NAS-Port-Type = Virtual
> > User-Name = "homer"
> > Calling-Station-Id = "10.1.1.162"
> > User-Password = "\334\303A_-VB/VJ N\017\230\217\317"
> > modcall: entering group authorize for request 0
> >   modcall[authorize]: module "preprocess" returns ok for request 0
> >   modcall[authorize]: module "chap" returns noop for request 0
> >   modcall[authorize]: module "eap" returns noop for request 0
> > rlm_realm: No '@' in User-Name = "homer", looking up realm NULL
> > rlm_realm: No such realm "NULL"
> >   modcall[authorize]: module "suffix" returns noop for request 0
> > users: Matched DEFAULT at 152
> > users: Matched DEFAULT at 216
> >   modcall[authorize]: module "files" returns ok for request 0
> >   modcall[authorize]: module "mschap" returns noop for request 0
> > rlm_ldap: - authorize
> > rlm_ldap: performing user authorization for homer
> > radius_xlat:  '(&(ObjectClass=posixAccount)(uid=homer))'
> > radius_xlat:  'ou=people,dc=test,dc=net'
> > ldap_get_conn: Got Id: 0
> > rlm_ldap: attempting LDAP reconnection
> > rlm_ldap: (re)connect to jag.test.net:389, authentication 0
> > rlm_ldap: bind as / to jag.test.net:389
> > rlm_ldap: waiting for bind result ...
> > rlm_ldap: performing search in ou=people,dc=test,dc=net, with filter
> > (&(ObjectClass=posixAccount)(uid=homer))
> > rlm_ldap: looking for check items in di

Re: Authenticating to Cisco 29xx using OpenLDAP and FreeRadius

2004-07-12 Thread Dustin Doris
You need to do what the debug message said and make sure your shared
secret is correct.  Check clients.conf in your raddb directory.

WARNING: Unprintable characters in the password. ?  Double-check the
shared secret on the server and the NAS!


On Mon, 12 Jul 2004, Robert Banniza wrote:

> Here is what radiusd -X -A provides:
>
> rad_recv: Access-Request packet from host 67.106.198.67:1645, id=10,
> length=75
> NAS-IP-Address = 11.9.67.177
> NAS-Port = 1
> NAS-Port-Type = Virtual
> User-Name = "homer"
> Calling-Station-Id = "10.1.1.162"
> User-Password = "\334\303A_-VB/VJ N\017\230\217\317"
> modcall: entering group authorize for request 0
>   modcall[authorize]: module "preprocess" returns ok for request 0
>   modcall[authorize]: module "chap" returns noop for request 0
>   modcall[authorize]: module "eap" returns noop for request 0
> rlm_realm: No '@' in User-Name = "homer", looking up realm NULL
> rlm_realm: No such realm "NULL"
>   modcall[authorize]: module "suffix" returns noop for request 0
> users: Matched DEFAULT at 152
> users: Matched DEFAULT at 216
>   modcall[authorize]: module "files" returns ok for request 0
>   modcall[authorize]: module "mschap" returns noop for request 0
> rlm_ldap: - authorize
> rlm_ldap: performing user authorization for homer
> radius_xlat:  '(&(ObjectClass=posixAccount)(uid=homer))'
> radius_xlat:  'ou=people,dc=test,dc=net'
> ldap_get_conn: Got Id: 0
> rlm_ldap: attempting LDAP reconnection
> rlm_ldap: (re)connect to jag.test.net:389, authentication 0
> rlm_ldap: bind as / to jag.test.net:389
> rlm_ldap: waiting for bind result ...
> rlm_ldap: performing search in ou=people,dc=test,dc=net, with filter
> (&(ObjectClass=posixAccount)(uid=homer))
> rlm_ldap: looking for check items in directory...
> rlm_ldap: Adding radiusAuthType as Auth-Type, value LDAP & op=21
> rlm_ldap: looking for reply items in directory...
> rlm_ldap: extracted attribute Juniper-Local-User-Name from generic item
> Juniper-Local-User-Name := tier1
> rlm_ldap: extracted attribute Cisco-AVPair from generic item
> Cisco-AVPair := "shell:priv-lvl=15"
> rlm_ldap: user homer authorized to use remote access
> ldap_release_conn: Release Id: 0
>   modcall[authorize]: module "ldap" returns ok for request 0
> modcall: group authorize returns ok for request 0
>   rad_check_password:  Found Auth-Type LDAP
> auth: type "LDAP"
> modcall: entering group Auth-Type for request 0
> rlm_ldap: - authenticate
> rlm_ldap: login attempt by "homer" with password "ÜÃA_-VB/VJ N???Ï"
> rlm_ldap: user DN: uid=homer,ou=people,dc=test,dc=net
> rlm_ldap: (re)connect to jag.test.net:389, authentication 1
> rlm_ldap: bind as uid=homer,ou=people,dc=test,dc=net/ÜÃA_-VB/VJ N???Ï
> to jag.test.net:389
> rlm_ldap: waiting for bind result ...
>   modcall[authenticate]: module "ldap" returns reject for request 0
> modcall: group Auth-Type returns reject for request 0
> auth: Failed to validate the user.
>   WARNING: Unprintable characters in the password. ?  Double-check the
> shared secret on the server and the NAS!
> Delaying request 0 for 1 seconds
> Finished request 0
> Going to the next request
> --- Walking the entire request list ---
> Waking up in 1 seconds...
> --- Walking the entire request list ---
> Waking up in 1 seconds...
> --- Walking the entire request list ---
> Sending Access-Reject of id 10 to 67.106.198.67:1645
> Juniper-Local-User-Name := "tier1"
> Cisco-AVPair := "shell:priv-lvl=15"
> Waking up in 4 seconds...
> --- Walking the entire request list ---
> Cleaning up request 0 ID 10 with timestamp 40f2cbda
> Nothing to do.  Sleeping until we see a request.
>
>
> On Mon, Jul 12, 2004 at 12:46:46PM -0400, Dustin Doris wrote:
> > What about radiusd -x.  Run Freeradius in debug mode.
> >
> > On Sun, 11 Jul 2004, Robert Banniza wrote:
> >
> > > Here is the debug output:
> > >
> > > 2d04h: AAA/MEMORY: create_user (0x20F7E20) user='' ruser='' port='tty1'
> > > +rem_addr='10.1.1.162' authen_type=ASCII service=
> > > LOGIN priv=1
> > > 2d04h: AAA/AUTHEN/START (1821432037): port='tty1' list='' action=LOGIN
> > > +service=LOGIN
> > > 2d04h: AAA/AUTHEN/START (1821432037): using "default" list
> > > 2d04h: AAA/AUTHEN/START (1821432037): Method=radius (radius)
> > > 2d04h: AAA/AUTHEN (1821432037): status = GETUSER
> > > 2d04h: AAA/AUTHEN/CONT (1821432037): continue_login (user='(undef)')
> > > 2d04h: AAA/AUTHEN (1821432037): status = GETUSER
> > > 2d04h: AAA/AUTHEN (1821432037): Method=radius (radius)
> > > 2d04h: AAA/AUTHEN (1821432037): status = GETPASS
> > > 2d04h: AAA/AUTHEN/CONT (1821432037): continue_login (user='homer')
> > > 2d04h: AAA/AUTHEN (1821432037): status = GETPASS
> > > 2d04h: AAA/AUTHEN (1821432037): Method=radius (radius)
> > > 2d04h: AAA/AUTHEN (1821432037): status = PASS
> > > 2d04h: tty1 AAA/AUTHOR/EXEC (3720401710): Port='tty1' list=''
> > > service=EXEC
> > > 2d04h: AAA/AUTHOR/EXEC: tty1 (3720401710) user='homer'
> > > 2d04h: 
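
The "Unprintable characters in the password" warning above is all the server has to go on, and it is worth seeing why. RADIUS does not encrypt User-Password with a cipher; RFC 2865 section 5.2 XORs it with an MD5 keystream derived from the shared secret and the Request Authenticator. A plain Access-Request carries no integrity check over that secret (unless Message-Authenticator is required), so a NAS with the wrong secret produces a packet the server accepts and decodes into garbage, which then fails the LDAP bind exactly as in the transcript. The following is an added example (my own code, not from the thread or from FreeRADIUS) that implements that hiding, simulates a NAS and a server with matching and with mismatched secrets, and applies the same printable-bytes heuristic FreeRADIUS uses. The secrets and the password "t3stm3" in the demo are constructed values.

```python
import hashlib
import os
from typing import Optional, Tuple


def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Encode User-Password the way the NAS does (RFC 2865 section 5.2).

    The password is NUL-padded to a multiple of 16 bytes; block i is XORed with
    MD5(secret || previous ciphertext block), seeded by the Request Authenticator.
    """
    if len(authenticator) != 16:
        raise ValueError("Request Authenticator must be 16 bytes")
    if not 1 <= len(password) <= 128:
        raise ValueError("User-Password must be 1..128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = bytearray(), authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], key))
        out += block
        prev = block                      # chaining: next key depends on this block
    return bytes(out)


def unhide_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Decode as the server does. Nothing in the format can tell a wrong secret apart."""
    if len(hidden) % 16 or not hidden:
        raise ValueError("hidden User-Password must be a non-empty multiple of 16 bytes")
    out, prev = bytearray(), authenticator
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        block = hidden[i:i + 16]
        out += bytes(c ^ k for c, k in zip(block, key))
        prev = block
    return bytes(out).rstrip(b"\x00")     # strip the NUL padding


def has_unprintable(password: bytes) -> bool:
    """The heuristic behind FreeRADIUS's 'Unprintable characters in the password' warning."""
    return any(b < 0x20 or b > 0x7E for b in password)


def simulate(nas_secret: bytes, server_secret: bytes, password: bytes = b"t3stm3",
             authenticator: Optional[bytes] = None) -> Tuple[bytes, bool]:
    """NAS hides the password with its secret; the server unhides with its own.

    Returns what the server believes the password is and whether it would warn.
    """
    if authenticator is None:
        authenticator = os.urandom(16)    # the NAS picks a fresh Request Authenticator
    on_the_wire = hide_password(password, nas_secret, authenticator)
    seen_by_server = unhide_password(on_the_wire, server_secret, authenticator)
    return seen_by_server, has_unprintable(seen_by_server)


if __name__ == "__main__":
    # constructed secrets: matching on both sides, then a typo on the NAS side
    print("match:   ", simulate(b"s3cret-for-router", b"s3cret-for-router"))
    print("mismatch:", simulate(b"s3cret-for-ruoter", b"s3cret-for-router"))
```

The first call round-trips "t3stm3"; the second yields 16 bytes of keystream-looking noise, which is what the router in this thread was effectively sending to LDAP as homer's password. The practical rule follows: when a password-based bind starts failing for every user at once and the debug log shows non-ASCII bytes, compare the secret in clients.conf with the one on the NAS before touching the directory.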

Re: Authenticating to Cisco 29xx using OpenLDAP and FreeRadius

2004-07-12 Thread Robert Banniza
Here is what radiusd -X -A provides:

rad_recv: Access-Request packet from host 67.106.198.67:1645, id=10,
length=75
NAS-IP-Address = 11.9.67.177
NAS-Port = 1
NAS-Port-Type = Virtual
User-Name = "homer"
Calling-Station-Id = "10.1.1.162"
User-Password = "\334\303A_-VB/VJ N\017\230\217\317"
modcall: entering group authorize for request 0
  modcall[authorize]: module "preprocess" returns ok for request 0
  modcall[authorize]: module "chap" returns noop for request 0
  modcall[authorize]: module "eap" returns noop for request 0
rlm_realm: No '@' in User-Name = "homer", looking up realm NULL
rlm_realm: No such realm "NULL"
  modcall[authorize]: module "suffix" returns noop for request 0
users: Matched DEFAULT at 152
users: Matched DEFAULT at 216
  modcall[authorize]: module "files" returns ok for request 0
  modcall[authorize]: module "mschap" returns noop for request 0
rlm_ldap: - authorize
rlm_ldap: performing user authorization for homer
radius_xlat:  '(&(ObjectClass=posixAccount)(uid=homer))'
radius_xlat:  'ou=people,dc=test,dc=net'
ldap_get_conn: Got Id: 0
rlm_ldap: attempting LDAP reconnection
rlm_ldap: (re)connect to jag.test.net:389, authentication 0
rlm_ldap: bind as / to jag.test.net:389
rlm_ldap: waiting for bind result ...
rlm_ldap: performing search in ou=people,dc=test,dc=net, with filter
(&(ObjectClass=posixAccount)(uid=homer))
rlm_ldap: looking for check items in directory...
rlm_ldap: Adding radiusAuthType as Auth-Type, value LDAP & op=21
rlm_ldap: looking for reply items in directory...
rlm_ldap: extracted attribute Juniper-Local-User-Name from generic item
Juniper-Local-User-Name := tier1
rlm_ldap: extracted attribute Cisco-AVPair from generic item
Cisco-AVPair := "shell:priv-lvl=15"
rlm_ldap: user homer authorized to use remote access
ldap_release_conn: Release Id: 0
  modcall[authorize]: module "ldap" returns ok for request 0
modcall: group authorize returns ok for request 0
  rad_check_password:  Found Auth-Type LDAP
auth: type "LDAP"
modcall: entering group Auth-Type for request 0
rlm_ldap: - authenticate
rlm_ldap: login attempt by "homer" with password "ÜÃA_-VB/VJ N???Ï"
rlm_ldap: user DN: uid=homer,ou=people,dc=test,dc=net
rlm_ldap: (re)connect to jag.test.net:389, authentication 1
rlm_ldap: bind as uid=homer,ou=people,dc=test,dc=net/ÜÃA_-VB/VJ N???Ï
to jag.test.net:389
rlm_ldap: waiting for bind result ...
  modcall[authenticate]: module "ldap" returns reject for request 0
modcall: group Auth-Type returns reject for request 0
auth: Failed to validate the user.
  WARNING: Unprintable characters in the password. ?  Double-check the
shared secret on the server and the NAS!
Delaying request 0 for 1 seconds
Finished request 0
Going to the next request
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Sending Access-Reject of id 10 to 67.106.198.67:1645
Juniper-Local-User-Name := "tier1"
Cisco-AVPair := "shell:priv-lvl=15"
Waking up in 4 seconds...
--- Walking the entire request list ---
Cleaning up request 0 ID 10 with timestamp 40f2cbda
Nothing to do.  Sleeping until we see a request.


On Mon, Jul 12, 2004 at 12:46:46PM -0400, Dustin Doris wrote:
> What about radiusd -x.  Run Freeradius in debug mode.
> 
> On Sun, 11 Jul 2004, Robert Banniza wrote:
> 
> > Here is the debug output:
> >
> > 2d04h: AAA/MEMORY: create_user (0x20F7E20) user='' ruser='' port='tty1'
> > +rem_addr='10.1.1.162' authen_type=ASCII service=
> > LOGIN priv=1
> > 2d04h: AAA/AUTHEN/START (1821432037): port='tty1' list='' action=LOGIN
> > +service=LOGIN
> > 2d04h: AAA/AUTHEN/START (1821432037): using "default" list
> > 2d04h: AAA/AUTHEN/START (1821432037): Method=radius (radius)
> > 2d04h: AAA/AUTHEN (1821432037): status = GETUSER
> > 2d04h: AAA/AUTHEN/CONT (1821432037): continue_login (user='(undef)')
> > 2d04h: AAA/AUTHEN (1821432037): status = GETUSER
> > 2d04h: AAA/AUTHEN (1821432037): Method=radius (radius)
> > 2d04h: AAA/AUTHEN (1821432037): status = GETPASS
> > 2d04h: AAA/AUTHEN/CONT (1821432037): continue_login (user='homer')
> > 2d04h: AAA/AUTHEN (1821432037): status = GETPASS
> > 2d04h: AAA/AUTHEN (1821432037): Method=radius (radius)
> > 2d04h: AAA/AUTHEN (1821432037): status = PASS
> > 2d04h: tty1 AAA/AUTHOR/EXEC (3720401710): Port='tty1' list=''
> > service=EXEC
> > 2d04h: AAA/AUTHOR/EXEC: tty1 (3720401710) user='homer'
> > 2d04h: tty1 AAA/AUTHOR/EXEC (3720401710): send AV service=shell
> > 2d04h: tty1 AAA/AUTHOR/EXEC (3720401710): send AV cmd*
> > 2d04h: tty1 AAA/AUTHOR/EXEC (3720401710): found list "default"
> > 2d04h: tty1 AAA/AUTHOR/EXEC (3720401710): Method=radius (radius)
> > 2d04h: AAA/AUTHOR (3720401710): Post authorization status = FAIL
> > 2d04h: AAA/AUTHOR/EXEC: Authorization FAILED
> > 2d04h: AAA/MEMORY: free_user (0x20F7E20) user='homer' ruser=''
> > port='tty1'
> > +rem_addr='10.1.1.162' authen_ty

Re: Authenticating to Cisco 29xx using OpenLDAP and FreeRadius

2004-07-12 Thread Dustin Doris
What about radiusd -x.  Run Freeradius in debug mode.

On Sun, 11 Jul 2004, Robert Banniza wrote:

> Here is the debug output:
>
> 2d04h: AAA/MEMORY: create_user (0x20F7E20) user='' ruser='' port='tty1'
> +rem_addr='10.1.1.162' authen_type=ASCII service=
> LOGIN priv=1
> 2d04h: AAA/AUTHEN/START (1821432037): port='tty1' list='' action=LOGIN
> +service=LOGIN
> 2d04h: AAA/AUTHEN/START (1821432037): using "default" list
> 2d04h: AAA/AUTHEN/START (1821432037): Method=radius (radius)
> 2d04h: AAA/AUTHEN (1821432037): status = GETUSER
> 2d04h: AAA/AUTHEN/CONT (1821432037): continue_login (user='(undef)')
> 2d04h: AAA/AUTHEN (1821432037): status = GETUSER
> 2d04h: AAA/AUTHEN (1821432037): Method=radius (radius)
> 2d04h: AAA/AUTHEN (1821432037): status = GETPASS
> 2d04h: AAA/AUTHEN/CONT (1821432037): continue_login (user='homer')
> 2d04h: AAA/AUTHEN (1821432037): status = GETPASS
> 2d04h: AAA/AUTHEN (1821432037): Method=radius (radius)
> 2d04h: AAA/AUTHEN (1821432037): status = PASS
> 2d04h: tty1 AAA/AUTHOR/EXEC (3720401710): Port='tty1' list=''
> service=EXEC
> 2d04h: AAA/AUTHOR/EXEC: tty1 (3720401710) user='homer'
> 2d04h: tty1 AAA/AUTHOR/EXEC (3720401710): send AV service=shell
> 2d04h: tty1 AAA/AUTHOR/EXEC (3720401710): send AV cmd*
> 2d04h: tty1 AAA/AUTHOR/EXEC (3720401710): found list "default"
> 2d04h: tty1 AAA/AUTHOR/EXEC (3720401710): Method=radius (radius)
> 2d04h: AAA/AUTHOR (3720401710): Post authorization status = FAIL
> 2d04h: AAA/AUTHOR/EXEC: Authorization FAILED
> 2d04h: AAA/MEMORY: free_user (0x20F7E20) user='homer' ruser=''
> port='tty1'
> +rem_addr='10.1.1.162' authen_type=ASCII servi
> ce=LOGIN priv=1
> Soutlake#2#
> Soutlake#2#
> Soutlake#2#
> Soutlake#2#
> Soutlake#2#
> Soutlake#2#
> Soutlake#2#
> Soutlake#2#
> Soutlake#2#
> Soutlake#2#
> Soutlake#2#
> 2d04h: AAA: parse name=tty1 idb type=-1 tty=-1
> 2d04h: AAA: name=tty1 flags=0x11 type=5 shelf=0 slot=0 adapter=0 port=1
> +channel=0
> 2d04h: AAA/MEMORY: create_user (0x20F7C0C) user='' ruser='' port='tty1'
> +rem_addr='10.1.1.162' authen_type=ASCII service=
> LOGIN priv=1
> 2d04h: AAA/AUTHEN/START (2535633014): port='tty1' list='' action=LOGIN
> +service=LOGIN
> 2d04h: AAA/AUTHEN/START (2535633014): using "default" list
> 2d04h: AAA/AUTHEN/START (2535633014): Method=radius (radius)
> 2d04h: AAA/AUTHEN (2535633014): status = GETUSER
> 2d04h: AAA/AUTHEN/CONT (2535633014): continue_login (user='(undef)')
> 2d04h: AAA/AUTHEN (2535633014): status = GETUSER
> 2d04h: AAA/AUTHEN (2535633014): Method=radius (radius)
> 2d04h: AAA/AUTHEN (2535633014): status = GETPASS
> 2d04h: AAA/AUTHEN/CONT (2535633014): continue_login (user='jessica')
> 2d04h: AAA/AUTHEN (2535633014): status = GETPASS
> 2d04h: AAA/AUTHEN (2535633014): Method=radius (radius)
> 2d04h: AAA/AUTHEN (2535633014): status = PASS
> 2d04h: tty1 AAA/AUTHOR/EXEC (1601631891): Port='tty1' list=''
> service=EXEC
> 2d04h: AAA/AUTHOR/EXEC: tty1 (1601631891) user='jessica'
> 2d04h: tty1 AAA/AUTHOR/EXEC (1601631891): send AV service=shell
> 2d04h: tty1 AAA/AUTHOR/EXEC (1601631891): send AV cmd*
> 2d04h: tty1 AAA/AUTHOR/EXEC (1601631891): found list "default"
> 2d04h: tty1 AAA/AUTHOR/EXEC (1601631891): Method=radius (radius)
> 2d04h: AAA/AUTHOR (1601631891): Post authorization status = FAIL
> 2d04h: AAA/AUTHOR/EXEC: Authorization FAILED
> 2d04h: AAA/MEMORY: free_user (0x20F7C0C) user='jessica' ruser=''
> port='tty1'
> +rem_addr='10.1.1.162' authen_type=ASCII ser
> vice=LOGIN priv=1
>
> On Fri, Jul 09, 2004 at 12:42:05PM -0400, Dustin Doris wrote:
> > What is the debug output?  What happens when you try to login to the
> > router?  User denied?
> >
> > On Fri, 9 Jul 2004, Robert Banniza wrote:
> >
> > > Guys,
> > > We are trying to allow users to authenticate to Cisco 26xx routers using
> > > Freeradius with the rlm_ldap module (OpenLDAP). We would like some of
> > > these users to be able to log in with enable privileges. The following
> > > is what we have done to try this, to no avail. The following is a
> > > sample ldif entry:
> > >
> > > #
> > > dn: uid=homer, ou=people, dc=test, dc=net
> > > objectclass: person
> > > objectclass: radiusprofile
> > > objectclass: uidObject
> > > objectClass: inetOrgPerson
> > > objectClass: posixAccount
> > > objectClass: extensibleObject
> > > cn: Homer Simpson
> > > sn: Simpson
> > > loginShell: /bin/bash
> > > userpassword: {SSHA}fghkjfghkhgkfhgrofZyn2u9yiAAxbMP
> > > uidnumber: 2001
> > > gidnumber: 20
> > > homeDirectory: /home/homer
> > > uid: homer
> > > shadowLastChange: 10877
> > > shadowMin: 0
> > > shadowMax: 99
> > > shadowWarning: 7
> > > shadowInactive: -1
> > > shadowExpire: -1
> > > shadowFlag: 0
> > > radiusAuthType: LDAP
> > > radiusReplyItem: Juniper-Local-User-Name := tier1
> > > radiusReplyItem: Cisco-AVPair := "shell:priv-lvl=15"
> > > radiusprofileDN: uid=homer, ou=people, dc=test, dc=net
> > > #
> > >
> > > Th

Re: Authenticating to Cisco 29xx using OpenLDAP and FreeRadius

2004-07-11 Thread Robert Banniza
Here is the debug output:

2d04h: AAA/MEMORY: create_user (0x20F7E20) user='' ruser='' port='tty1'
+rem_addr='10.1.1.162' authen_type=ASCII service=
LOGIN priv=1
2d04h: AAA/AUTHEN/START (1821432037): port='tty1' list='' action=LOGIN
+service=LOGIN
2d04h: AAA/AUTHEN/START (1821432037): using "default" list
2d04h: AAA/AUTHEN/START (1821432037): Method=radius (radius)
2d04h: AAA/AUTHEN (1821432037): status = GETUSER
2d04h: AAA/AUTHEN/CONT (1821432037): continue_login (user='(undef)')
2d04h: AAA/AUTHEN (1821432037): status = GETUSER
2d04h: AAA/AUTHEN (1821432037): Method=radius (radius)
2d04h: AAA/AUTHEN (1821432037): status = GETPASS
2d04h: AAA/AUTHEN/CONT (1821432037): continue_login (user='homer')
2d04h: AAA/AUTHEN (1821432037): status = GETPASS
2d04h: AAA/AUTHEN (1821432037): Method=radius (radius)
2d04h: AAA/AUTHEN (1821432037): status = PASS
2d04h: tty1 AAA/AUTHOR/EXEC (3720401710): Port='tty1' list=''
service=EXEC
2d04h: AAA/AUTHOR/EXEC: tty1 (3720401710) user='homer'
2d04h: tty1 AAA/AUTHOR/EXEC (3720401710): send AV service=shell
2d04h: tty1 AAA/AUTHOR/EXEC (3720401710): send AV cmd*
2d04h: tty1 AAA/AUTHOR/EXEC (3720401710): found list "default"
2d04h: tty1 AAA/AUTHOR/EXEC (3720401710): Method=radius (radius)
2d04h: AAA/AUTHOR (3720401710): Post authorization status = FAIL
2d04h: AAA/AUTHOR/EXEC: Authorization FAILED
2d04h: AAA/MEMORY: free_user (0x20F7E20) user='homer' ruser=''
port='tty1'
+rem_addr='10.1.1.162' authen_type=ASCII servi
ce=LOGIN priv=1
Soutlake#2#
Soutlake#2#
Soutlake#2#
Soutlake#2#
Soutlake#2#
Soutlake#2#
Soutlake#2#
Soutlake#2#
Soutlake#2#
Soutlake#2#
Soutlake#2#
2d04h: AAA: parse name=tty1 idb type=-1 tty=-1
2d04h: AAA: name=tty1 flags=0x11 type=5 shelf=0 slot=0 adapter=0 port=1 channel=0
2d04h: AAA/MEMORY: create_user (0x20F7C0C) user='' ruser='' port='tty1' rem_addr='10.1.1.162' authen_type=ASCII service=LOGIN priv=1
2d04h: AAA/AUTHEN/START (2535633014): port='tty1' list='' action=LOGIN service=LOGIN
2d04h: AAA/AUTHEN/START (2535633014): using "default" list
2d04h: AAA/AUTHEN/START (2535633014): Method=radius (radius)
2d04h: AAA/AUTHEN (2535633014): status = GETUSER
2d04h: AAA/AUTHEN/CONT (2535633014): continue_login (user='(undef)')
2d04h: AAA/AUTHEN (2535633014): status = GETUSER
2d04h: AAA/AUTHEN (2535633014): Method=radius (radius)
2d04h: AAA/AUTHEN (2535633014): status = GETPASS
2d04h: AAA/AUTHEN/CONT (2535633014): continue_login (user='jessica')
2d04h: AAA/AUTHEN (2535633014): status = GETPASS
2d04h: AAA/AUTHEN (2535633014): Method=radius (radius)
2d04h: AAA/AUTHEN (2535633014): status = PASS
2d04h: tty1 AAA/AUTHOR/EXEC (1601631891): Port='tty1' list='' service=EXEC
2d04h: AAA/AUTHOR/EXEC: tty1 (1601631891) user='jessica'
2d04h: tty1 AAA/AUTHOR/EXEC (1601631891): send AV service=shell
2d04h: tty1 AAA/AUTHOR/EXEC (1601631891): send AV cmd*
2d04h: tty1 AAA/AUTHOR/EXEC (1601631891): found list "default"
2d04h: tty1 AAA/AUTHOR/EXEC (1601631891): Method=radius (radius)
2d04h: AAA/AUTHOR (1601631891): Post authorization status = FAIL
2d04h: AAA/AUTHOR/EXEC: Authorization FAILED
2d04h: AAA/MEMORY: free_user (0x20F7C0C) user='jessica' ruser='' port='tty1' rem_addr='10.1.1.162' authen_type=ASCII service=LOGIN priv=1

On Fri, Jul 09, 2004 at 12:42:05PM -0400, Dustin Doris wrote:
> What is the debug output?  What happens when you try to login to the
> router?  User denied?
> 
> On Fri, 9 Jul 2004, Robert Banniza wrote:
> 
> > Guys,
> > We are trying to allow users to authenticate to Cisco 26xx routers using
> > Freeradius with the rlm_ldap module (OpenLDAP). We would like some of
> > these users to be able to log in with enable privileges. The following
> > is what we have done to try this with no avail. The following is a
> > sample ldif entry:
> >
> > #
> > dn: uid=homer, ou=people, dc=test, dc=net
> > objectclass: person
> > objectclass: radiusprofile
> > objectclass: uidObject
> > objectClass: inetOrgPerson
> > objectClass: posixAccount
> > objectClass: extensibleObject
> > cn: Homer Simpson
> > sn: Simpson
> > loginShell: /bin/bash
> > userpassword: {SSHA}fghkjfghkhgkfhgrofZyn2u9yiAAxbMP
> > uidnumber: 2001
> > gidnumber: 20
> > homeDirectory: /home/homer
> > uid: homer
> > shadowLastChange: 10877
> > shadowMin: 0
> > shadowMax: 99
> > shadowWarning: 7
> > shadowInactive: -1
> > shadowExpire: -1
> > shadowFlag: 0
> > radiusAuthType: LDAP
> > radiusReplyItem: Juniper-Local-User-Name := tier1
> > radiusReplyItem: Cisco-AVPair := "shell:priv-lvl=15"
> > radiusprofileDN: uid=homer, ou=people, dc=test, dc=net
> > #
> >
> > The following is what we have on the router:
> >
> > #
> > aaa new-model
> > aaa authentication login default group radius enable
> > aaa authorization exec default group radius
> >
> > enable secret password
> >
> > radius-server host 67.106.198.70 auth-port 1812 acct
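
The debug output above shows every login reaching `AAA/AUTHEN ... status = PASS` and then `Post authorization status = FAIL`: the password check against LDAP works, and it is the exec-authorization reply that the router rejects. The script below is an added example by the editor, not code from the thread. It parses IOS AAA debug lines of that shape, joins the AUTHEN and AUTHOR transactions on the user name (the two transactions carry different ids, as the output above shows) and reports per user whether the problem is authentication or authorization. The log excerpt embedded in it is constructed: the homer and jessica sessions are copied from the output above, while the marge session and its `PASS_ADD` status (the IOS status for a granted exec authorization, from the editor's knowledge of IOS, not from the thread) are added for contrast.

```python
import re
from typing import Dict, Optional

# Constructed excerpt of Cisco IOS `debug aaa authentication` / `debug aaa
# authorization` output. homer and jessica follow the output posted above
# (same transaction ids); the marge session is made up to show a granted
# exec authorization (Post authorization status = PASS_ADD).
SAMPLE_DEBUG = """\
2d04h: AAA/AUTHEN/START (1821432037): port='tty1' list='' action=LOGIN service=LOGIN
2d04h: AAA/AUTHEN (1821432037): status = GETUSER
2d04h: AAA/AUTHEN/CONT (1821432037): continue_login (user='(undef)')
2d04h: AAA/AUTHEN/CONT (1821432037): continue_login (user='homer')
2d04h: AAA/AUTHEN (1821432037): status = GETPASS
2d04h: AAA/AUTHEN (1821432037): status = PASS
2d04h: tty1 AAA/AUTHOR/EXEC (3720401710): Port='tty1' list='' service=EXEC
2d04h: AAA/AUTHOR/EXEC: tty1 (3720401710) user='homer'
2d04h: tty1 AAA/AUTHOR/EXEC (3720401710): send AV service=shell
2d04h: AAA/AUTHOR (3720401710): Post authorization status = FAIL
2d04h: AAA/AUTHOR/EXEC: Authorization FAILED
2d04h: AAA/AUTHEN/START (2535633014): port='tty1' list='' action=LOGIN service=LOGIN
2d04h: AAA/AUTHEN/CONT (2535633014): continue_login (user='jessica')
2d04h: AAA/AUTHEN (2535633014): status = PASS
2d04h: AAA/AUTHOR/EXEC: tty1 (1601631891) user='jessica'
2d04h: AAA/AUTHOR (1601631891): Post authorization status = FAIL
2d04h: AAA/AUTHEN/START (4000000001): port='tty2' list='' action=LOGIN service=LOGIN
2d04h: AAA/AUTHEN/CONT (4000000001): continue_login (user='marge')
2d04h: AAA/AUTHEN (4000000001): status = PASS
2d04h: AAA/AUTHOR/EXEC: tty2 (4000000002) user='marge'
2d04h: AAA/AUTHOR (4000000002): Post authorization status = PASS_ADD
"""

AUTHEN_USER = re.compile(r"AAA/AUTHEN/CONT \((\d+)\): continue_login \(user='([^']*)'\)")
AUTHEN_STAT = re.compile(r"AAA/AUTHEN \((\d+)\): status = (\w+)")
AUTHOR_USER = re.compile(r"AAA/AUTHOR/EXEC: \S+ \((\d+)\) user='([^']*)'")
AUTHOR_STAT = re.compile(r"AAA/AUTHOR \((\d+)\): Post authorization status = (\w+)")

# IOS statuses that mean the exec shell was granted (PASS_ADD / PASS_REPL).
AUTHOR_OK = {"PASS_ADD", "PASS_REPL"}

VERDICT_TEXT = {
    "ok": "authenticated and exec authorization granted",
    "authen_failed": "authentication failed: check the shared secret, the LDAP bind and the password",
    "author_failed": "authenticated but exec authorization failed: look at the attributes in the "
                     "Access-Accept (radiusd -X on the server, debug radius on the router)",
    "incomplete": "no final status seen for this user",
}


def parse_aaa_debug(text: str):
    """Group AUTHEN and AUTHOR events by their IOS transaction id."""
    authen: Dict[str, Dict[str, Optional[str]]] = {}
    author: Dict[str, Dict[str, Optional[str]]] = {}
    for line in text.splitlines():
        if m := AUTHEN_USER.search(line):
            tid, user = m.groups()
            if user != "(undef)":          # the prompt-for-username step, no user yet
                authen.setdefault(tid, {"user": None, "status": None})["user"] = user
        elif m := AUTHEN_STAT.search(line):
            tid, status = m.groups()       # GETUSER/GETPASS/PASS/FAIL; the last one wins
            authen.setdefault(tid, {"user": None, "status": None})["status"] = status
        elif m := AUTHOR_USER.search(line):
            tid, user = m.groups()
            author.setdefault(tid, {"user": None, "status": None})["user"] = user
        elif m := AUTHOR_STAT.search(line):
            tid, status = m.groups()
            author.setdefault(tid, {"user": None, "status": None})["status"] = status
    return authen, author


def triage(text: str) -> Dict[str, Dict[str, Optional[str]]]:
    """Per user: final authentication status, exec authorization status and a verdict code."""
    authen, author = parse_aaa_debug(text)
    result: Dict[str, Dict[str, Optional[str]]] = {}
    # AUTHEN and AUTHOR transactions have different ids, so join them on the user name.
    for rec in authen.values():
        if rec["user"]:
            result.setdefault(rec["user"], {"authen": None, "author": None})["authen"] = rec["status"]
    for rec in author.values():
        if rec["user"]:
            result.setdefault(rec["user"], {"authen": None, "author": None})["author"] = rec["status"]
    for r in result.values():
        if r["authen"] != "PASS":
            r["verdict"] = "authen_failed" if r["authen"] == "FAIL" else "incomplete"
        elif r["author"] in AUTHOR_OK:
            r["verdict"] = "ok"
        elif r["author"] is None:
            r["verdict"] = "incomplete"
        else:
            r["verdict"] = "author_failed"
    return result


if __name__ == "__main__":
    for user, r in triage(SAMPLE_DEBUG).items():
        print(f"{user:10s} authen={str(r['authen']):<5} author={str(r['author']):<9} "
              f"{VERDICT_TEXT[r['verdict']]}")
```

Run it as-is for the report, or pass real output with `triage(open("debug.txt").read())`. The `author_failed` verdict is the case in this thread: the password is accepted, so the thing to inspect is what the RADIUS server puts in the Access-Accept, not the LDAP lookup.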

RE: Authenticating to Cisco 29xx using OpenLDAP and FreeRadius

2004-07-09 Thread Heiden, John
Why don't you put the 2600/2900 into debug mode for RADIUS?


John

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]] On Behalf Of Dustin Doris
Sent: Friday, July 09, 2004 3:36 PM
To: [EMAIL PROTECTED]
Subject: Re: Authenticating to Cisco 29xx using OpenLDAP and FreeRadius


What about radiusd -x?

On Fri, 9 Jul 2004, Robert Banniza wrote:

> Here is what we are seeing when a user tries to login:
>
> % Authorization failed.
>
> Connection to host lost.
>
>
> On Fri, Jul 09, 2004 at 12:42:05PM -0400, Dustin Doris wrote:
> > What is the debug output?  What happens when you try to login to the
> > router?  User denied?
> >
> > On Fri, 9 Jul 2004, Robert Banniza wrote:
> >
> > > Guys,
> > > We are trying to allow users to authenticate to Cisco 26xx routers using
> > > Freeradius with the rlm_ldap module (OpenLDAP). We would like some of
> > > these users to be able to log in with enable privileges. The following
> > > is what we have done to try this with no avail. The following is a
> > > sample ldif entry:
> > >
> > > #
> > > dn: uid=homer, ou=people, dc=test, dc=net
> > > objectclass: person
> > > objectclass: radiusprofile
> > > objectclass: uidObject
> > > objectClass: inetOrgPerson
> > > objectClass: posixAccount
> > > objectClass: extensibleObject
> > > cn: Homer Simpson
> > > sn: Simpson
> > > loginShell: /bin/bash
> > > userpassword: {SSHA}fghkjfghkhgkfhgrofZyn2u9yiAAxbMP
> > > uidnumber: 2001
> > > gidnumber: 20
> > > homeDirectory: /home/homer
> > > uid: homer
> > > shadowLastChange: 10877
> > > shadowMin: 0
> > > shadowMax: 99
> > > shadowWarning: 7
> > > shadowInactive: -1
> > > shadowExpire: -1
> > > shadowFlag: 0
> > > radiusAuthType: LDAP
> > > radiusReplyItem: Juniper-Local-User-Name := tier1
> > > radiusReplyItem: Cisco-AVPair := "shell:priv-lvl=15"
> > > radiusprofileDN: uid=homer, ou=people, dc=test, dc=net
> > > #
> > >
> > > The following is what we have on the router:
> > >
> > > #
> > > aaa new-model
> > > aaa authentication login default group radius enable
> > > aaa authorization exec default group radius
> > >
> > > enable secret password
> > >
> > > radius-server host 67.106.198.70 auth-port 1812 acct-port 1813
> > > radius-server retransmit 3
> > > radius-server key testing123
> > > #
> > >
> > > What else are we missing? Any help would be appreciated.
> > >
> > > Robert
> > >

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Authenticating to Cisco 29xx using OpenLDAP and FreeRadius

2004-07-09 Thread Dustin Doris
What about radiusd -x?

On Fri, 9 Jul 2004, Robert Banniza wrote:

> Here is what we are seeing when a user tries to login:
>
> % Authorization failed.
>
> Connection to host lost.
>
>
> On Fri, Jul 09, 2004 at 12:42:05PM -0400, Dustin Doris wrote:
> > What is the debug output?  What happens when you try to login to the
> > router?  User denied?
> >
> > On Fri, 9 Jul 2004, Robert Banniza wrote:
> >
> > > Guys,
> > > We are trying to allow users to authenticate to Cisco 26xx routers using
> > > Freeradius with the rlm_ldap module (OpenLDAP). We would like some of
> > > these users to be able to log in with enable privileges. The following
> > > is what we have done to try this with no avail. The following is a
> > > sample ldif entry:
> > >
> > > #
> > > dn: uid=homer, ou=people, dc=test, dc=net
> > > objectclass: person
> > > objectclass: radiusprofile
> > > objectclass: uidObject
> > > objectClass: inetOrgPerson
> > > objectClass: posixAccount
> > > objectClass: extensibleObject
> > > cn: Homer Simpson
> > > sn: Simpson
> > > loginShell: /bin/bash
> > > userpassword: {SSHA}fghkjfghkhgkfhgrofZyn2u9yiAAxbMP
> > > uidnumber: 2001
> > > gidnumber: 20
> > > homeDirectory: /home/homer
> > > uid: homer
> > > shadowLastChange: 10877
> > > shadowMin: 0
> > > shadowMax: 99
> > > shadowWarning: 7
> > > shadowInactive: -1
> > > shadowExpire: -1
> > > shadowFlag: 0
> > > radiusAuthType: LDAP
> > > radiusReplyItem: Juniper-Local-User-Name := tier1
> > > radiusReplyItem: Cisco-AVPair := "shell:priv-lvl=15"
> > > radiusprofileDN: uid=homer, ou=people, dc=test, dc=net
> > > #
> > >
> > > The following is what we have on the router:
> > >
> > > #
> > > aaa new-model
> > > aaa authentication login default group radius enable
> > > aaa authorization exec default group radius
> > >
> > > enable secret password
> > >
> > > radius-server host 67.106.198.70 auth-port 1812 acct-port 1813
> > > radius-server retransmit 3
> > > radius-server key testing123
> > > #
> > >
> > > What else are we missing? Any help would be appreciated.
> > >
> > > Robert
> > >

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Authenticating to Cisco 29xx using OpenLDAP and FreeRadius

2004-07-09 Thread Robert Banniza
Here is what we are seeing when a user tries to login:

% Authorization failed.

Connection to host lost.


On Fri, Jul 09, 2004 at 12:42:05PM -0400, Dustin Doris wrote:
> What is the debug output?  What happens when you try to login to the
> router?  User denied?
> 
> On Fri, 9 Jul 2004, Robert Banniza wrote:
> 
> > Guys,
> > We are trying to allow users to authenticate to Cisco 26xx routers using
> > Freeradius with the rlm_ldap module (OpenLDAP). We would like some of
> > these users to be able to log in with enable privileges. The following
> > is what we have done to try this with no avail. The following is a
> > sample ldif entry:
> >
> > #
> > dn: uid=homer, ou=people, dc=test, dc=net
> > objectclass: person
> > objectclass: radiusprofile
> > objectclass: uidObject
> > objectClass: inetOrgPerson
> > objectClass: posixAccount
> > objectClass: extensibleObject
> > cn: Homer Simpson
> > sn: Simpson
> > loginShell: /bin/bash
> > userpassword: {SSHA}fghkjfghkhgkfhgrofZyn2u9yiAAxbMP
> > uidnumber: 2001
> > gidnumber: 20
> > homeDirectory: /home/homer
> > uid: homer
> > shadowLastChange: 10877
> > shadowMin: 0
> > shadowMax: 99
> > shadowWarning: 7
> > shadowInactive: -1
> > shadowExpire: -1
> > shadowFlag: 0
> > radiusAuthType: LDAP
> > radiusReplyItem: Juniper-Local-User-Name := tier1
> > radiusReplyItem: Cisco-AVPair := "shell:priv-lvl=15"
> > radiusprofileDN: uid=homer, ou=people, dc=test, dc=net
> > #
> >
> > The following is what we have on the router:
> >
> > #
> > aaa new-model
> > aaa authentication login default group radius enable
> > aaa authorization exec default group radius
> >
> > enable secret password
> >
> > radius-server host 67.106.198.70 auth-port 1812 acct-port 1813
> > radius-server retransmit 3
> > radius-server key testing123
> > #
> >
> > What else are we missing? Any help would be appreciated.
> >
> > Robert
> >

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Authenticating to Cisco 29xx using OpenLDAP and FreeRadius

2004-07-09 Thread Dustin Doris
What is the debug output?  What happens when you try to login to the
router?  User denied?

On Fri, 9 Jul 2004, Robert Banniza wrote:

> Guys,
> We are trying to allow users to authenticate to Cisco 26xx routers using
> Freeradius with the rlm_ldap module (OpenLDAP). We would like some of
> these users to be able to log in with enable privileges. The following
> is what we have done to try this with no avail. The following is a
> sample ldif entry:
>
> #
> dn: uid=homer, ou=people, dc=test, dc=net
> objectclass: person
> objectclass: radiusprofile
> objectclass: uidObject
> objectClass: inetOrgPerson
> objectClass: posixAccount
> objectClass: extensibleObject
> cn: Homer Simpson
> sn: Simpson
> loginShell: /bin/bash
> userpassword: {SSHA}fghkjfghkhgkfhgrofZyn2u9yiAAxbMP
> uidnumber: 2001
> gidnumber: 20
> homeDirectory: /home/homer
> uid: homer
> shadowLastChange: 10877
> shadowMin: 0
> shadowMax: 99
> shadowWarning: 7
> shadowInactive: -1
> shadowExpire: -1
> shadowFlag: 0
> radiusAuthType: LDAP
> radiusReplyItem: Juniper-Local-User-Name := tier1
> radiusReplyItem: Cisco-AVPair := "shell:priv-lvl=15"
> radiusprofileDN: uid=homer, ou=people, dc=test, dc=net
> #
>
> The following is what we have on the router:
>
> #
> aaa new-model
> aaa authentication login default group radius enable
> aaa authorization exec default group radius
>
> enable secret password
>
> radius-server host 67.106.198.70 auth-port 1812 acct-port 1813
> radius-server retransmit 3
> radius-server key testing123
> #
>
> What else are we missing? Any help would be appreciated.
>
> Robert
>

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
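
The LDIF entry in the original question returns only `Cisco-AVPair := "shell:priv-lvl=15"` (plus a Juniper attribute the Cisco ignores). With `aaa authorization exec default group radius` on the router, IOS decides whether to open an exec shell at all from the `Service-Type` attribute in the Access-Accept: `NAS-Prompt-User` (7) grants a user-mode shell and `Administrative-User` (6) grants privilege 15 directly. The `shell:priv-lvl` AV pair only raises the level of a shell that has already been granted, so an Access-Accept with no `Service-Type` is the usual cause of `% Authorization failed.` on an IOS login. The following is an editor's example, not an LDIF posted in the thread; it modifies the same entry (DN and `radiusReplyItem` attribute taken from the question) and assumes a stock FreeRADIUS install, whose dictionary already defines the Cisco VSA.

```ldif
# Editor's example, not from the thread. Replaces the reply items on the
# entry shown above; assumes the FreeRADIUS radiusprofile schema and the
# stock dictionary (Cisco-AVPair is defined there).
dn: uid=homer,ou=people,dc=test,dc=net
changetype: modify
replace: radiusReplyItem
# IOS will not open an exec shell without a Service-Type in the Access-Accept.
radiusReplyItem: Service-Type := NAS-Prompt-User
# Once the shell is granted, this AV pair sets the privilege level (15 = enable).
radiusReplyItem: Cisco-AVPair := "shell:priv-lvl=15"
# Unchanged: only meaningful to the Juniper boxes, ignored by IOS.
radiusReplyItem: Juniper-Local-User-Name := tier1
```

Apply it with `ldapmodify -x -D "cn=admin,dc=test,dc=net" -W -f homer.ldif` (the bind DN is an assumption), then check the reply from the FreeRADIUS side before touching the router: `radtest homer '<password>' localhost 0 testing123` prints the Access-Accept, and `Service-Type = NAS-Prompt-User` must appear in it. `Service-Type := Administrative-User` on its own also gives privilege 15 on IOS; the NAS-Prompt-User plus `shell:priv-lvl` form is the one to use when some users should land at level 1. Two caveats on the router configuration quoted above: `testing123` is the example secret that ships in the FreeRADIUS `clients.conf`, so replace it on both ends before this goes near production; and the trailing `enable` in `aaa authentication login default group radius enable` is consulted only when no RADIUS server answers, not when one rejects the login, so a RADIUS outage lets anyone holding the enable secret in.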