07-31-2007 07:06 AM - edited 03-10-2019 03:18 PM
Hi,
Again I'm having some problems with AAA authorization to assign the correct privilege level to the users on my RADIUS server (FreeRadius).
I am currently updating all routers to do this authorization and I'm having problems because one of them has version 12.0(30)S2, which does not use the same commands.
This is the AAA configuration that I have working on the other routers:
aaa new-model
aaa group server radius RADIUSSERVERS
aaa authentication login AAA group RADIUSSERVERS local enable none
aaa authentication login CONSOLE local
aaa authentication ppp default group radius local
aaa authorization exec AAA group RADIUSSERVERS local none
aaa authorization network default group radius local
aaa authorization network AAA group RADIUSSERVERS local none
aaa accounting exec AAA start-stop group RADIUSSERVERS
aaa accounting network default start-stop group radius
aaa accounting network AAA start-stop group RADIUSSERVERS
aaa session-id common
...
line vty 0 4
 session-timeout 5000
 access-class 99 in
 exec-timeout 5000 0
 password 7 x
 authorization exec AAA
 login authentication AAA
 transport input telnet
line vty 5 15
 session-timeout 5000
 access-class 99 in
 exec-timeout 5000 0
 password 7 x
 authorization exec AAA
 login authentication AAA
 transport input telnet
This is the one that does not work (version IOS 12.0(30)S2):
aaa new-model
aaa authentication fail-message ^C
aaa authentication password-prompt Passcode:
aaa authentication username-prompt UserID:
aaa authentication login AAA radius local enable none
aaa authentication login CONSOLE local
aaa authorization exec AAA radius local none
aaa authorization network default radius local
aaa authorization network AAA radius local none
...
radius-server host x.x.x.x auth-port 8812 acct-port 8813
radius-server retransmit 2
radius-server key 7 X
...
line vty 0 4
 session-timeout 5
 access-class 99 in
 exec-timeout 5 0
 password 7 x
 authorization exec AAA
 login authentication AAA
line vty 5 15
 session-timeout 5
 access-class 99 in
 exec-timeout 5 0
 password 7 x
 authorization exec AAA
 login authentication AAA
The radius server is configured to be the same, although I use the group command with the new version and "radius-server" with the older version.
Can anyone tell me what I'm doing wrong?
Thank you,
Paulo
07-31-2007 07:29 AM
Have you thought about setting up and using an ACS server? You can then use the command authorization set and use this either per user or group. It is a much more granular control of commands allowed and much easier to implement...of course then there is the cost of an ACS server.
Just another possibility.
07-31-2007 07:34 AM
I would prefer to work with ACS yes, but unfortunately I don't decide that in my company.
Also, I think the RADIUS server I'm using is not the problem since I have routers with IOS version 12.4(6) which are working fine with the config I showed.
Regards,
Paulo
07-31-2007 07:49 AM
Do you get any hits on radius server?
Try enabling the following debugs:
debug aaa authentication
debug aaa authorization
debug radius
This will give more detail on what's happening.
~Rohit
07-31-2007 08:08 AM
Thanks. Looking at the debugs solved the problem.
I was so convinced that I had set the right privilege level on the server that I didn't even check it. It worked on the other routers because their commands were set to lower privilege levels.
That was the problem.
Thanks for everything and sorry for bugging you with such a simple problem.
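For readers who land on this thread with the same symptom, the attribute the router is acting on is worth seeing written out. The following FreeRADIUS `users` entry is an added illustration, not something posted in the thread: the username, password and privilege level are made-up values, and the entry assumes a FreeRADIUS 2.x or later `users` file (older 1.x releases used `User-Password` in place of `Cleartext-Password`). IOS reads the exec privilege level from the Cisco vendor-specific attribute `shell:priv-lvl=N`; if the server returns a lower level than the commands you need, `aaa authorization exec` succeeds but the session lands at that lower level, which is exactly what the debugs in the previous reply expose.

```text
# FreeRADIUS "users" file entry (constructed example, not from the thread)
# Check operators are on the first line (authentication), reply attributes below it.
netadmin   Cleartext-Password := "changeme-example"
           Service-Type = NAS-Prompt-User,
           Cisco-AVPair = "shell:priv-lvl=15"

# A user who should only get a read-only exec session: the router honours
# whatever level the server sends, so the level is set here, not on the router.
netviewer  Cleartext-Password := "changeme-example"
           Service-Type = NAS-Prompt-User,
           Cisco-AVPair = "shell:priv-lvl=1"
```

With `debug radius` enabled on the router, the Access-Accept should show the `Cisco-AVPair` reply attribute with the level you expect; if it is absent or shows the wrong number, the fix belongs on the server side, as it did here.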