Cisco 3750 & Radius Authorization

Jul 21st, 2008
Hello,

I am having some difficulties implementing AAA.

I'm trying to configure our Cisco to authenticate and authorize users using our RADIUS server.

After authentication, this server should send an attribute to define the user's privilege level.

Here is what I did:


<
username 1geob301

radius-server host 172.15.2.21 auth-port 1812 acct-port 1813 key Secret
radius-server source-ports 1645-1646
radius-server vsa send authentication

aaa new-model
aaa authentication login test-list group radius
aaa authorization exec test-list group radius
>


On the RADIUS server, once the user is authenticated, the server sends the attribute cisco-avpair = "shell:priv-lvl=15"

The authentication works, but I'm failing to configure the authorization correctly.

Here is the debug trace:



01:40:38: AAA: parse name=tty1 idb type=-1 tty=-1
01:40:38: AAA: name=tty1 flags=0x11 type=5 shelf=0 slot=0 adapter=0 port=1 channel=0
01:40:38: AAA/MEMORY: create_user (0x3B91F78) user='NULL' ruser='NULL' ds0=0 port='tty1' rem_addr='172.16.30.68' authen_type=ASCII service=LOGIN priv=1 initial_task_id='0', vrf= (id=0)
01:40:38: AAA/AUTHEN/START (3767632247): port='tty1' list='test-list' action=LOGIN service=LOGIN
01:40:38: AAA/AUTHEN/START (3767632247): found list test-list
01:40:38: AAA/AUTHEN/START (3767632247): Method=radius (radius)
01:40:38: AAA/AUTHEN (3767632247): status = GETPASS
01:40:38: AAA/AUTHEN/CONT (3767632247): continue_login (user='1geob301')
01:40:38: AAA/AUTHEN (3767632247): status = GETPASS
01:40:38: AAA/AUTHEN (3767632247): Method=radius (radius)
01:40:39: AAA/AUTHEN (3767632247): status = PASS
01:40:39: tty1 AAA/AUTHOR/EXEC (2157384509): Port='tty1' list='test-list' service=EXEC
01:40:39: AAA/AUTHOR/EXEC: tty1 (2157384509) user='1geob301'
01:40:39: tty1 AAA/AUTHOR/EXEC (2157384509): send AV service=shell
01:40:39: tty1 AAA/AUTHOR/EXEC (2157384509): send AV cmd*
01:40:39: tty1 AAA/AUTHOR/EXEC (2157384509): found list "test-list"
01:40:39: tty1 AAA/AUTHOR/EXEC (2157384509): Method=radius (radius)
01:40:39: AAA/AUTHOR (2157384509): Post authorization status = FAIL
01:40:39: AAA/AUTHOR/EXEC: Authorization FAILED



Could you help me, please?

Thanks,

Bruno

michael.leblanc Mon, 07/21/2008 - 16:55

Are you deliberately choosing not to do enable authentication via the RADIUS server?

I think your issue may have to do with the way you have configured the user profile on the RADIUS server.

With our configuration we do not see cisco-avpair = "shell:priv-lvl=15" being passed to the AAA client.

We see the IETF RADIUS Attribute 006 Service-Type being passed to the AAA client, with a value of "Login-User" or "Administrative-User" depending on how we choose to configure the user profile.

If the user profile is set to "Login-User", the user will be prompted for the enable password after successfully providing the user password. An additional user profile will be required for user "$enab15$". The "$enab15$" user profile would not be configured to pass IETF RADIUS Attribute 006 Service-Type to the AAA client.

If the user profile is set to "Administrative-User", the user will proceed to enable mode after having provided the user password, without being prompted for the enable password.


bruno.geoffron Mon, 08/11/2008 - 01:12

Hello,

Thanks for your answer.

I found the solution; it was simply a mistake in my RADIUS configuration.

Here are the attributes I send after authentication:

Service-Type = NAS-Prompt-User
cisco-avpair = "shell:priv-lvl=15"

Here is my Cisco configuration:



radius-server host 172.15.2.21 auth-port 1812 acct-port 1813 key Secret
radius-server source-ports 1645-1646
radius-server vsa send authentication

aaa new-model
aaa authentication login test-list group radius
aaa authorization exec test-list group radius

line vty 0
 authorization exec test-list
 login authentication test-list



And it's working fine.


Regards,
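To make the working attribute set concrete, here is an added example (not from this thread) that encodes the Access-Accept attributes from the solution above on the wire and decodes them back, reporting the Service-Type and shell privilege level a switch would receive. It assumes the standard encodings: Service-Type is RADIUS attribute 6 (NAS-Prompt-User = 7, Administrative-User = 6, Login-User = 1), and cisco-avpair travels inside Vendor-Specific attribute 26 with Cisco's vendor id 9 and sub-type 1.

```python
import struct

SERVICE_TYPE = 6         # RFC 2865 attribute number
VENDOR_SPECIFIC = 26     # RFC 2865 attribute number
CISCO_VENDOR_ID = 9      # IANA enterprise number used in Cisco VSAs
CISCO_AVPAIR = 1         # Cisco vendor sub-type that carries "cisco-avpair" strings
SERVICE_TYPE_NAMES = {1: "Login-User", 6: "Administrative-User", 7: "NAS-Prompt-User"}

def encode_attrs(service_type=None, avpairs=()):
    """Build the attribute part of an Access-Accept (header and authenticator omitted)."""
    out = bytearray()
    if service_type is not None:
        out += struct.pack("!BBI", SERVICE_TYPE, 6, service_type)
    for text in avpairs:
        payload = text.encode()
        vsa = struct.pack("!BB", CISCO_AVPAIR, 2 + len(payload)) + payload
        out += struct.pack("!BBI", VENDOR_SPECIFIC, 6 + len(vsa), CISCO_VENDOR_ID) + vsa
    return bytes(out)

def decode_attrs(data):
    """Walk the type-length-value attributes; return (service_type, [cisco-avpair strings])."""
    service_type, avpairs, i = None, [], 0
    while i < len(data):
        if i + 1 >= len(data) or data[i + 1] < 2 or i + data[i + 1] > len(data):
            raise ValueError("malformed attribute")       # truncated or bad length field
        atype, alen = data[i], data[i + 1]
        value = data[i + 2:i + alen]
        if atype == SERVICE_TYPE and len(value) == 4:
            service_type = struct.unpack("!I", value)[0]
        elif atype == VENDOR_SPECIFIC and len(value) >= 6:
            vendor, j = struct.unpack("!I", value[:4])[0], 4
            while j + 2 <= len(value):                    # a VSA may hold several sub-attributes
                vtype, vlen = value[j], value[j + 1]
                if vlen < 2 or j + vlen > len(value):
                    raise ValueError("malformed vendor sub-attribute")
                if vendor == CISCO_VENDOR_ID and vtype == CISCO_AVPAIR:
                    avpairs.append(value[j + 2:j + vlen].decode())
                j += vlen
        i += alen
    return service_type, avpairs

def exec_profile(data):
    """Summarise what the switch receives: (Service-Type name or 'absent', shell priv-lvl or None)."""
    service_type, avpairs = decode_attrs(data)
    priv = None
    for pair in avpairs:
        if pair.startswith("shell:priv-lvl="):
            priv = int(pair.split("=", 1)[1])
    return SERVICE_TYPE_NAMES.get(service_type, "absent"), priv
```

Feeding `encode_attrs(service_type=7, avpairs=["shell:priv-lvl=15"])` to `exec_profile` yields `("NAS-Prompt-User", 15)`, while the attribute set from the original question, with no Service-Type, yields `("absent", 15)`.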


