08-30-2010 04:31 AM - edited 03-10-2019 05:22 PM
I'm using RADIUS for the AAA process.
When I was running IOS 12.2 on the routers everything was fine, but after upgrading to IOS Version 12.4(12) users always get priv-lvl 15 regardless of what I set in the RADIUS profile for the user.
I don't understand why the router is processing the CISCO-AV pair priv-lvl=y two times. And why, in the newest version, does the CISCO-AV pair priv-lvl=(value defined in RADIUS) come first?
IOS 12.2
Aug 19 15:09:17.926: AAA/AUTHOR/EXEC(0000059A): processing AV priv-lvl=15
Aug 19 15:09:17.926: AAA/AUTHOR/EXEC(0000059A): processing AV priv-lvl=1
Aug 19 15:09:17.926: AAA/AUTHOR/EXEC(0000059A): Authorization successful
IOS 12.4(12)
Aug 19 15:09:17.926: AAA/AUTHOR/EXEC(0000059A): processing AV priv-lvl=1
Aug 19 15:09:17.926: AAA/AUTHOR/EXEC(0000059A): processing AV priv-lvl=15
Aug 19 15:09:17.926: AAA/AUTHOR/EXEC(0000059A): processing AV service-type=6
Aug 19 15:09:17.926: AAA/AUTHOR/EXEC(0000059A): Authorization successful
Thanks,
VA
08-30-2010 10:16 AM
Looks like the service-type="administrative" is what triggers the privilege level escalation.
08-30-2010 08:47 AM
Can you capture the RADIUS traffic between the switch and the RADIUS server to see what the RADIUS server is sending back?
08-30-2010 10:11 AM
debugging:
- radius
- aaa authentication
- aaa authorization
Aug 30 17:03:54.986: AAA/BIND(000005CE): Bind i/f
Aug 30 17:03:54.986: AAA/AUTHEN/LOGIN (000005CE): Pick method list 'default'
Aug 30 17:03:54.986: RADIUS/ENCODE(000005CE): ask "Username: "
Aug 30 17:03:54.986: RADIUS/ENCODE(000005CE): send packet; GET_USER
Aug 30 17:03:57.838: RADIUS/ENCODE(000005CE): ask "Password: "
Aug 30 17:03:57.842: RADIUS/ENCODE(000005CE): send packet; GET_PASSWORD
Aug 30 17:04:01.635: RADIUS/ENCODE(000005CE):Orig. component type = EXEC
Aug 30 17:04:01.635: RADIUS: AAA Unsupported Attr: interface [157] 6
Aug 30 17:04:01.635: RADIUS: 74 74 79 34 [tty4]
Aug 30 17:04:01.635: RADIUS/ENCODE(000005CE): dropping service type, "radius-server attribute 6 on-for-login-auth" is off
Aug 30 17:04:01.635: RADIUS(000005CE): Config NAS IP: xxx.xxx.xxx.xxx
Aug 30 17:04:01.635: RADIUS/ENCODE(000005CE): acct_session_id: 1486
Aug 30 17:04:01.635: RADIUS(000005CE): sending
Aug 30 17:04:01.635: RADIUS(000005CE): Send Access-Request to xxx.xxx.xxx.xxx:1812 id 1645/241, len 87
Aug 30 17:04:01.635: RADIUS: authenticator E7 CE FD C8 3D 37 01 CC - 2E A4 D5 BD 8E 27 F4 43
Aug 30 17:04:01.635: RADIUS: User-Name [1] 8 "test"
Aug 30 17:04:01.635: RADIUS: User-Password [2] 18 *
Aug 30 17:04:01.635: RADIUS: NAS-Port [5] 6 451
Aug 30 17:04:01.635: RADIUS: NAS-Port-Id [87] 8 "tty451"
Aug 30 17:04:01.635: RADIUS: NAS-Port-Type [61] 6 Virtual [5]
Aug 30 17:04:01.635: RADIUS: Calling-Station-Id [31] 15 "xxx.xxx.xxx.xxx"
Aug 30 17:04:01.635: RADIUS: NAS-IP-Address [4] 6 xxx.xxx.xxx.xxx
Aug 30 17:04:01.647: RADIUS: Received from id 1645/241 xxx.xxx.xxx.xxx:1812, Access-Accept, len 50
Aug 30 17:04:01.647: RADIUS: authenticator B1 55 52 0D EB 66 01 C2 - 98 E0 7E 17 93 36 0D D2
Aug 30 17:04:01.647: RADIUS: Service-Type [6] 6 Administrative [6]
Aug 30 17:04:01.647: RADIUS: Vendor, Cisco [26] 24
Aug 30 17:04:01.647: RADIUS: Cisco AVpair [1] 18 "shell:priv-lvl=1"
Aug 30 17:04:01.647: RADIUS(000005CE): Received from id 1645/241
Aug 30 17:04:01.647: AAA/AUTHOR/EXEC(000005CE): processing AV priv-lvl=1
Aug 30 17:04:01.647: AAA/AUTHOR/EXEC(000005CE): processing AV priv-lvl=15
Aug 30 17:04:01.647: AAA/AUTHOR/EXEC(000005CE): processing AV service-type=6
Aug 30 17:04:01.647: AAA/AUTHOR/EXEC(000005CE): Authorization successful
Aug 30 17:04:01.647: RADIUS/ENCODE(000005CE):Orig. component type = EXEC
Aug 30 17:04:01.647: RADIUS(000005CE): Config NAS IP: xxx.xxx.xxx.xxx
Aug 30 17:04:01.647: RADIUS(000005CE): sending
Aug 30 17:04:01.647: RADIUS(000005CE): Send Accounting-Request to xxx.xxx.xxx.xxx:1813 id 1646/180, len 103
Aug 30 17:04:01.647: RADIUS: authenticator 68 53 1A 44 F0 5E 12 A5 - 99 6F 21 64 F3 F5 50 31
Aug 30 17:04:01.647: RADIUS: Acct-Session-Id [44] 10 "000005CE"
Aug 30 17:04:01.647: RADIUS: User-Name [1] 8 "test"
Aug 30 17:04:01.647: RADIUS: Acct-Authentic [45] 6 RADIUS [1]
Aug 30 17:04:01.647: RADIUS: Acct-Status-Type [40] 6 Start [1]
Aug 30 17:04:01.647: RADIUS: NAS-Port [5] 6 451
Aug 30 17:04:01.647: RADIUS: NAS-Port-Id [87] 8 "tty451"
Aug 30 17:04:01.647: RADIUS: NAS-Port-Type [61] 6 Virtual [5]
Aug 30 17:04:01.647: RADIUS: Calling-Station-Id [31] 15 "xxx.xxx.xxx.xxx"
Aug 30 17:04:01.647: RADIUS: Service-Type [6] 6 NAS Prompt [7]
Aug 30 17:04:01.647: RADIUS: NAS-IP-Address [4] 6 xxx.xxx.xxx.xxx
Aug 30 17:04:01.647: RADIUS: Acct-Delay-Time [41] 6 0
Aug 30 17:04:01.655: RADIUS: Received from id 1646/180 xxx.xxx.xxx.xxx:1813, Accounting-response, len 20
Aug 30 17:04:01.655: RADIUS: authenticator FE E4 75 AD 9E 1E 35 A9 - 1F 1D 5F B7 AD 4D AC EA
08-31-2010 07:36 AM
In the RADIUS server I replaced "Service-Type = Shell-User" with "Service-Type = Login" and the problem was fixed.
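The behaviour the thread settles on is that IOS treats Service-Type=Administrative (value 6 in RFC 2865) as an implicit priv-lvl=15 and processes it alongside the explicit shell:priv-lvl AV pair, with the last value applied winning. The following script is an added example, not code from the thread or from Cisco: it parses the Access-Accept attributes out of "debug radius" output, models the processing order inferred from the two debug captures above (explicit AV pair first on 12.4(12), so 15 wins; the reverse order on 12.2, so 1 wins), and flags a server profile whose Service-Type silently overrides a lower shell:priv-lvl. The sample debug lines are reconstructed from the thread; the "after fix" sample, the default EXEC level of 1, and the Service-Type-first flag used to model the older order are assumptions.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Service-Type values defined in RFC 2865.
SERVICE_TYPE_LOGIN = 1
SERVICE_TYPE_ADMINISTRATIVE = 6
SERVICE_TYPE_NAS_PROMPT = 7

# Constructed sample input: the Access-Accept attributes as "debug radius"
# printed them in the thread (addresses were masked there as well).
SAMPLE_ACCESS_ACCEPT = """\
Aug 30 17:04:01.647: RADIUS: Received from id 1645/241 xxx.xxx.xxx.xxx:1812, Access-Accept, len 50
Aug 30 17:04:01.647: RADIUS: Service-Type [6] 6 Administrative [6]
Aug 30 17:04:01.647: RADIUS: Vendor, Cisco [26] 24
Aug 30 17:04:01.647: RADIUS: Cisco AVpair [1] 18 "shell:priv-lvl=1"
"""

# Constructed (assumed): the same reply after the profile was changed to Service-Type = Login.
SAMPLE_AFTER_FIX = SAMPLE_ACCESS_ACCEPT.replace("Administrative [6]", "Login [1]")

_SERVICE_TYPE_RE = re.compile(r"RADIUS: Service-Type \[6\] \d+ .*\[(\d+)\]\s*$")
_AVPAIR_RE = re.compile(r'RADIUS: Cisco AVpair \[1\] \d+ "([^"]*)"')
_PRIV_LVL_RE = re.compile(r"shell:priv-lvl=(\d+)$")


@dataclass
class AccessAccept:
    service_type: Optional[int] = None
    avpairs: List[str] = field(default_factory=list)


def parse_access_accept(debug_text: str) -> AccessAccept:
    """Pull Service-Type and the Cisco AV pairs out of 'debug radius' output."""
    attrs = AccessAccept()
    for line in debug_text.splitlines():
        m = _SERVICE_TYPE_RE.search(line)
        if m:
            attrs.service_type = int(m.group(1))
            continue
        m = _AVPAIR_RE.search(line)
        if m:
            attrs.avpairs.append(m.group(1))
    return attrs


def explicit_priv_lvls(attrs: AccessAccept) -> List[int]:
    """Privilege levels the server set explicitly via shell:priv-lvl, in order."""
    levels = []
    for av in attrs.avpairs:
        m = _PRIV_LVL_RE.match(av)
        if m:
            levels.append(int(m.group(1)))
    return levels


def effective_priv_lvl(attrs: AccessAccept, service_type_first: bool = False) -> int:
    """Model of the EXEC authorization order seen in the thread's debug output.

    Service-Type=Administrative becomes an implicit priv-lvl=15; the values are
    applied in sequence and the last one wins.  In the 12.4(12) capture the
    explicit shell:priv-lvl=1 came first and the 15 second (user got 15); the
    12.2 capture shows the reverse order (user got 1).  A default EXEC level
    of 1 when nothing is sent is an assumption.
    """
    implicit = 15 if attrs.service_type == SERVICE_TYPE_ADMINISTRATIVE else None
    sequence = explicit_priv_lvls(attrs)
    if implicit is not None:
        sequence = [implicit] + sequence if service_type_first else sequence + [implicit]
    return sequence[-1] if sequence else 1


def audit_profile(attrs: AccessAccept) -> List[str]:
    """Flag a reply whose Service-Type raises the level above what shell:priv-lvl
    asked for; this is the misconfiguration the thread ran into."""
    findings = []
    explicit = explicit_priv_lvls(attrs)
    if attrs.service_type == SERVICE_TYPE_ADMINISTRATIVE and explicit and min(explicit) < 15:
        findings.append(
            f"Service-Type=Administrative (6) overrides shell:priv-lvl={min(explicit)}; "
            "the user lands at privilege 15. Send Service-Type=Login (1) or "
            "NAS-Prompt (7) and let shell:priv-lvl set the level."
        )
    return findings


if __name__ == "__main__":
    for label, text in (("12.4(12) reply", SAMPLE_ACCESS_ACCEPT), ("after fix", SAMPLE_AFTER_FIX)):
        a = parse_access_accept(text)
        print(label, "-> effective priv-lvl", effective_priv_lvl(a), audit_profile(a))
```

Run against a saved "debug radius" capture, `audit_profile` points at the conflicting attribute pair rather than just reporting the final level, which is the check to run on every RADIUS user or group profile after an IOS upgrade changes the processing order.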