Cisco 3750 & Radius Authorization

Jul 21st, 2008

Hello,

I have some difficulties implementing AAA.

I'm trying to configure our Cisco to authenticate and authorize users using our RADIUS server.

After authentication, this server should send an attribute to define the user privilege.

Here is what I did:

username 1geob301
radius-server host 172.15.2.21 auth-port 1812 acct-port 1813 key Secret
radius-server source-ports 1645-1646
radius-server vsa send authentication
aaa new-model
aaa authentication login test-list group radius
aaa authorization exec test-list group radius

On the RADIUS server, once the user is authenticated, the server sends the attribute cisco-avpair = "shell:priv-lvl=15".

The authentication works, but I'm failing to configure the authorization correctly.

Here is the debug trace:

01:40:38: AAA: parse name=tty1 idb type=-1 tty=-1
01:40:38: AAA: name=tty1 flags=0x11 type=5 shelf=0 slot=0 adapter=0 port=1 channel=0
01:40:38: AAA/MEMORY: create_user (0x3B91F78) user='NULL' ruser='NULL' ds0=0 port='tty1' rem_addr='172.16.30.68' authen_type=ASCII service=LOGIN priv=1 initial_task_id='0', vrf= (id=0)
01:40:38: AAA/AUTHEN/START (3767632247): port='tty1' list='test-list' action=LOGIN service=LOGIN
01:40:38: AAA/AUTHEN/START (3767632247): found list test-list
01:40:38: AAA/AUTHEN/START (3767632247): Method=radius (radius)
01:40:38: AAA/AUTHEN (3767632247): status = GETPASS
01:40:38: AAA/AUTHEN/CONT (3767632247): continue_login (user='1geob301')
01:40:38: AAA/AUTHEN (3767632247): status = GETPASS
01:40:38: AAA/AUTHEN (3767632247): Method=radius (radius)
01:40:39: AAA/AUTHEN (3767632247): status = PASS
01:40:39: tty1 AAA/AUTHOR/EXEC (2157384509): Port='tty1' list='test-list' service=EXEC
01:40:39: AAA/AUTHOR/EXEC: tty1 (2157384509) user='1geob301'
01:40:39: tty1 AAA/AUTHOR/EXEC (2157384509): send AV service=shell
01:40:39: tty1 AAA/AUTHOR/EXEC (2157384509): send AV cmd*
01:40:39: tty1 AAA/AUTHOR/EXEC (2157384509): found list "test-list"
01:40:39: tty1 AAA/AUTHOR/EXEC (2157384509): Method=radius (radius)
01:40:39: AAA/AUTHOR (2157384509): Post authorization status = FAIL
01:40:39: AAA/AUTHOR/EXEC: Authorization FAILED

Could you help me, please?

Thanks

Bruno

michael.leblanc Mon, 07/21/2008 - 16:55

Are you deliberately choosing not to do enable authentication via the RADIUS server?

I think your issue may have to do with the way you have configured the user profile on the RADIUS server.

With our configuration we do not see cisco-avpair = "shell:priv-lvl=15" being passed to the AAA client.

We see the IETF RADIUS Attribute 006 Service-Type being passed to the AAA client, with a value of "Login-User" or "Administrative-User" depending on how we choose to configure the user profile.

If the user profile is set to "Login-User", the user will be prompted for the enable password after successfully providing the user password. An additional user profile will be required for user "$enab15$". The "$enab15$" user profile would not be configured to pass IETF RADIUS Attribute 006 Service-Type to the AAA client.

If the user profile is set to "Administrative-User", the user will proceed to enable mode after having provided the user password, without being prompted for the enable password.

bruno.geoffron Mon, 08/11/2008 - 01:12

Hello,

Thanks for your answer.

I found the solution; it was simply a mistake in my RADIUS configuration.

Here are the attributes I send after authentication:

Service-Type = NAS-Prompt-User
cisco-avpair = "shell:priv-lvl=15"

Here is my Cisco configuration:

radius-server host 172.15.2.21 auth-port 1812 acct-port 1813 key Secret
radius-server source-ports 1645-1646
radius-server vsa send authentication
aaa new-model
aaa authentication login test-list group radius
aaa authorization exec test-list group radius
line vty 0
 authorization exec test-list
 login authentication test-list

And it's working fine.

Regards,
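As an added illustration (not code from this thread or from Cisco), the two attributes Bruno's server returns in its Access-Accept, encoded and decoded on the wire per RFC 2865: Service-Type is attribute 6 (Login-User = 1, Administrative-User = 6, NAS-Prompt-User = 7) and cisco-avpair is Vendor-Specific attribute 26 with Cisco's vendor ID 9 and sub-type 1. The sample accept bytes are constructed here; a defender can use the parser to check what a server is actually handing the switch when EXEC authorization fails.

```python
import struct

SERVICE_TYPE = 6
VENDOR_SPECIFIC = 26
CISCO_VENDOR_ID = 9     # IANA enterprise number for Cisco
CISCO_AVPAIR = 1        # Cisco vendor sub-type for cisco-avpair
SERVICE_TYPE_NAMES = {1: "Login-User", 6: "Administrative-User", 7: "NAS-Prompt-User"}


def encode_attr(attr_type, value):
    """RADIUS TLV: Type (1 byte), Length (1 byte, header included), Value."""
    if len(value) > 253:
        raise ValueError("RADIUS attribute value exceeds 253 bytes")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def encode_cisco_avpair(avpair):
    """Wrap 'key=value' as Vendor-Specific(26): Vendor-Id 9, sub-type 1, sub-length, string."""
    data = avpair.encode("ascii")
    vsa = struct.pack("!I", CISCO_VENDOR_ID) + struct.pack("!BB", CISCO_AVPAIR, len(data) + 2) + data
    return encode_attr(VENDOR_SPECIFIC, vsa)


def parse_attrs(blob):
    """Walk an attribute list; Cisco AV pairs come back as ('cisco-avpair', str), others as (type, bytes)."""
    out, i = [], 0
    while i < len(blob):
        if len(blob) - i < 2:
            raise ValueError("truncated attribute header")
        t, length = blob[i], blob[i + 1]
        if length < 2 or i + length > len(blob):
            raise ValueError("bad attribute length")
        v = blob[i + 2:i + length]
        if t == VENDOR_SPECIFIC and len(v) >= 6 and struct.unpack("!I", v[:4])[0] == CISCO_VENDOR_ID:
            sub_t, sub_len = v[4], v[5]
            if sub_t == CISCO_AVPAIR and sub_len == len(v) - 4:   # sub-length spans sub-header + string
                out.append(("cisco-avpair", v[6:4 + sub_len].decode("ascii")))
                i += length
                continue
        out.append((t, v))
        i += length
    return out


def exec_authorization(blob):
    """Summarise what an Access-Accept grants for an EXEC session: service type and shell privilege."""
    result = {"service_type": None, "priv_lvl": None}
    for t, v in parse_attrs(blob):
        if t == SERVICE_TYPE and len(v) == 4:
            result["service_type"] = SERVICE_TYPE_NAMES.get(struct.unpack("!I", v)[0], "other")
        elif t == "cisco-avpair" and v.startswith("shell:priv-lvl="):
            result["priv_lvl"] = int(v.split("=", 1)[1])
    return result


# Constructed sample: the attribute list from the working configuration above.
ACCEPT_ATTRS = encode_attr(SERVICE_TYPE, struct.pack("!I", 7)) + encode_cisco_avpair("shell:priv-lvl=15")
```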
