Hi All,

I am new to FreeRADIUS. I want to set up RADIUS on my company network for authentication and for defining privilege-level access on the network. I have gone through several mailing lists and the docs on the FreeRADIUS site, but whenever I issue authorization commands on the router, I get locked out of my NAS. I am using the users file, where I want simple authentication for a few users plus privilege-level access.
Error condition:

    Rmcrad#show ver
    Command authorization failed.

Here are the details.

1. radiusd -x

    Starting - reading configuration files ...
    Using deprecated naslist file. Support for this will go away soon.
    Module: Loaded exec
    rlm_exec: Wait=yes but no output defined. Did you mean output=none?
    Module: Instantiated exec (exec)
    Module: Loaded expr
    Module: Instantiated expr (expr)
    Module: Loaded PAP
    Module: Instantiated pap (pap)
    Module: Loaded CHAP
    Module: Instantiated chap (chap)
    Module: Loaded MS-CHAP
    Module: Instantiated mschap (mschap)
    Module: Loaded System
    Module: Instantiated unix (unix)
    Module: Loaded preprocess
    Module: Instantiated preprocess (preprocess)
    Module: Loaded realm
    Module: Instantiated realm (suffix)
    Module: Loaded files
    Module: Instantiated files (files)
    Module: Loaded Acct-Unique-Session-Id
    Module: Instantiated acct_unique (acct_unique)
    Module: Loaded detail
    Module: Instantiated detail (detail)
    Module: Loaded radutmp
    Module: Instantiated radutmp (radutmp)
    Initializing the thread pool...
    Listening on authentication *:1645
    Listening on accounting *:1646
    Ready to process requests.

I locally tested AAA for authentication, authorization and accounting on the router, and it works fine; authentication works for the users defined in the users file. I checked /etc/passwd, /etc/group and /etc/users in radiusd.conf. I am able to log in to the NAS, and it authenticates the user name and password.
2. Users definition

    "Arul"   Auth-Type := Local, User-Password == "cisco"
             Reply-Message = "Hello, %u",
             cisco-avpair = "shell:priv-lvl=15"

    "vdhar"  Auth-Type := system
             Reply-Message = "Hello, %u",
             cisco-avpair = "shell:priv-lvl=1"

    "test"   Auth-Type := Local, User-Password == "test123"
             Reply-Message = "Hello, %u",
             cisco-avpair = "shell:priv-lvl=15"

3. Router configuration

    aaa new-model
    aaa authentication login default group radius local
    aaa authentication login NO_AUTHEN none

If I issue any authorization command, such as

    aaa authorization exec local

or

    aaa authorization exec default radius
    aaa authorization exec default group radius if-authenticated

with the rest of the configuration being

    radius-server host 172.16.85.135 auth-port 1645 acct-port 1646
    radius-server retransmit 3
    radius-server key secret
    line con 0
     exec-timeout 0 0
     login authentication NO_AUTHEN
     transport input none
    line vty 0 4
     exec-timeout 0 0
     password cisco

I get locked out of the router and cannot perform any task.

If anyone can help me figure out what the problem with authorization is, or suggest any simple configuration that works for server-based authentication, it would be highly appreciated. If you need any more information from my side to figure out my problem, please let me know. Please also let me know if anybody can help me out on live chat on MSN/Yahoo.

Debug logs:
    00:56:59: AAA: name=tty68 flags=0x11 type=5 shelf=0 slot=0 adapter=0 port=68 channel=0
    00:56:59: AAA/MEMORY: create_user (0x81934100) user='' ruser='' port='tty68' rem_addr='172.16.85.100 ' authen_type=ASCII service=LOGIN priv=1
    00:56:59: AAA/AUTHEN/START (169650279): port='tty68' list='' action=LOGIN service=LOGIN
    00:56:59: AAA/AUTHEN/START (169650279): using "default" list
    00:56:59: AAA/AUTHEN/START (169650279): Method=radius (radius)
    00:56:59: AAA/AUTHEN (169650279): status = GETUSER
    00:57:07: AAA/AUTHEN/CONT (169650279): continue_login (user='(undef)')
    00:57:07: AAA/AUTHEN (169650279): status = GETUSER
    00:57:07: AAA/AUTHEN (169650279): Method=radius (radius)
    00:57:07: AAA/AUTHEN (169650279): status = GETPASS
    00:57:09: AAA/AUTHEN/CONT (169650279): continue_login (user='cisco')
    00:57:09: AAA/AUTHEN (169650279): status = GETPASS
    00:57:09: AAA/AUTHEN (169650279): Method=radius (radius)
    00:57:29: AAA/AUTHEN (169650279): status = ERROR
    00:57:29: AAA/AUTHEN/START (151081203): port='tty68' list='' action=LOGIN service=LOGIN
    00:57:29: AAA/AUTHEN/START (151081203): Restart
    00:57:29: AAA/AUTHEN/START (151081203): Method=LOCAL
    00:57:29: AAA/AUTHEN (151081203): status = GETPASS
    00:57:29: AAA/AUTHEN/CONT (151081203): continue_login (user='cisco')
    00:57:29: AAA/AUTHEN (151081203): status = GETPASS
    00:57:29: AAA/AUTHEN/CONT (151081203): Method=LOCAL
    00:57:29: AAA/AUTHEN (151081203): status = PASS
    00:57:33: AAA/MEMORY: dup_user (0x81B00350) user='cisco' ruser='' port='tty68' rem_addr='172.16.85.100' authen_type=ASCII service=ENABLE priv=15 source='AAA dup enable'
    00:57:33: AAA/AUTHEN/START (3234623993): port='tty68' list='' action=LOGIN service=ENABLE
    00:57:33: AAA/AUTHEN/START (3234623993): non-console enable - default to enable password
    00:57:33: AAA/AUTHEN/START (3234623993): Method=ENABLE
    00:57:33: AAA/AUTHEN (3234623993): status = GETPASS
    00:57:35: AAA/AUTHEN/CONT (3234623993): continue_login (user='(undef)')
    00:57:35: AAA/AUTHEN (3234623993): status = GETPASS
    00:57:35: AAA/AUTHEN/CONT (3234623993): Method=ENABLE
    00:57:35: AAA/AUTHEN (3234623993): status = PASS
    00:57:35: AAA/MEMORY: free_user (0x81B00350) user='' ruser='' port='tty68' rem_addr='172.16.85.100' authen_type=ASCII service=ENABLE priv=15

Regards,
Venugopal
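As an added example (not from the original post, and not FreeRADIUS or Cisco code), here is a small Python parser for the IOS "debug aaa authentication" output quoted above: it groups events by AAA session id and flags the pattern visible in the post, a RADIUS method that ends in "status = ERROR" (on an error, rather than a reject, IOS moves on to the next method in the list, here LOCAL) followed by a LOCAL PASS on the same port. The sample log is a constructed, trimmed copy of the post's own lines; the function and field names are my own.

```python
import re
# Constructed sample: a trimmed copy of the 'debug aaa authentication' lines
# quoted in the post above (RADIUS ends in ERROR, login restarts with LOCAL).
SAMPLE_LOG = """\
00:56:59: AAA/AUTHEN/START (169650279): port='tty68' list='' action=LOGIN service=LOGIN
00:56:59: AAA/AUTHEN/START (169650279): Method=radius (radius)
00:57:09: AAA/AUTHEN/CONT (169650279): continue_login (user='cisco')
00:57:29: AAA/AUTHEN (169650279): status = ERROR
00:57:29: AAA/AUTHEN/START (151081203): port='tty68' list='' action=LOGIN service=LOGIN
00:57:29: AAA/AUTHEN/START (151081203): Restart
00:57:29: AAA/AUTHEN/START (151081203): Method=LOCAL
00:57:29: AAA/AUTHEN/CONT (151081203): continue_login (user='cisco')
00:57:29: AAA/AUTHEN (151081203): status = PASS
"""

LINE_RE = re.compile(r"^\S+: AAA/AUTHEN(?:/\w+)? \((?P<sid>\d+)\): (?P<rest>.*)$")

def parse_sessions(log):
    """Group events by AAA session id (dict insertion order == log order)."""
    sessions = {}
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        s = sessions.setdefault(m["sid"], {"port": None, "user": None,
                                           "methods": [], "status": None})
        rest = m["rest"]
        if pm := re.search(r"port='([^']*)'", rest):
            s["port"] = pm.group(1)
        if (um := re.search(r"user='([^']*)'", rest)) and um.group(1) != "(undef)":
            s["user"] = um.group(1)
        if mm := re.match(r"Method=(\w+)", rest):
            method = mm.group(1).lower()
            if not s["methods"] or s["methods"][-1] != method:
                s["methods"].append(method)  # record each distinct method tried
        if sm := re.match(r"status = (\w+)", rest):
            s["status"] = sm.group(1)  # last status wins (GETUSER ... PASS/FAIL/ERROR)
    return sessions

def find_local_fallbacks(sessions):
    """Flag a port where a RADIUS attempt ended in ERROR and the restarted session
    on that port then PASSed using only LOCAL: the server gave no usable answer."""
    findings, radius_error = [], {}  # radius_error: port -> failed RADIUS session id
    for sid, s in sessions.items():
        if "radius" in s["methods"] and s["status"] == "ERROR":
            radius_error[s["port"]] = sid
        elif s["port"] in radius_error and s["methods"] == ["local"] and s["status"] == "PASS":
            findings.append({"port": s["port"], "user": s["user"],
                             "radius_session": radius_error.pop(s["port"]), "local_session": sid})
    return findings
```

A finding means the RADIUS server (here 172.16.85.135) never answered that login, so the router fell through to its local credentials; that is worth alerting on separately from a plain reject.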