08-30-2010 04:31 AM - edited 03-10-2019 05:22 PM
I'm using RADIUS for the AAA process.
When I was running IOS 12.2 on the routers everything was fine, but after upgrading to IOS Version 12.4(12) users always get priv-lvl 15 regardless
of what I set in the RADIUS profile for the user.
I don't understand why the router is processing the Cisco AV pair priv-lvl=y two times. And why, in the newest version, does the Cisco AV pair priv-lvl=(value defined in RADIUS) come first?
IOS 12.2
Aug 19 15:09:17.926: AAA/AUTHOR/EXEC(0000059A): processing AV priv-lvl=15
Aug 19 15:09:17.926: AAA/AUTHOR/EXEC(0000059A): processing AV priv-lvl=1
Aug 19 15:09:17.926: AAA/AUTHOR/EXEC(0000059A): Authorization successful
IOS 12.4(12)
Aug 19 15:09:17.926: AAA/AUTHOR/EXEC(0000059A): processing AV priv-lvl=1
Aug 19 15:09:17.926: AAA/AUTHOR/EXEC(0000059A): processing AV priv-lvl=15
Aug 19 15:09:17.926: AAA/AUTHOR/EXEC(0000059A): processing AV service-type=6
Aug 19 15:09:17.926: AAA/AUTHOR/EXEC(0000059A): Authorization successful
Thanks,
VA
08-30-2010 08:47 AM
Can you capture the RADIUS traffic between the switch and the RADIUS server to see what the RADIUS server is sending back?
08-30-2010 10:11 AM
debugging:
- radius
- aaa authentication
- aaa authorization
Aug 30 17:03:54.986: AAA/BIND(000005CE): Bind i/f
Aug 30 17:03:54.986: AAA/AUTHEN/LOGIN (000005CE): Pick method list 'default'
Aug 30 17:03:54.986: RADIUS/ENCODE(000005CE): ask "Username: "
Aug 30 17:03:54.986: RADIUS/ENCODE(000005CE): send packet; GET_USER
Aug 30 17:03:57.838: RADIUS/ENCODE(000005CE): ask "Password: "
Aug 30 17:03:57.842: RADIUS/ENCODE(000005CE): send packet; GET_PASSWORD
Aug 30 17:04:01.635: RADIUS/ENCODE(000005CE):Orig. component type = EXEC
Aug 30 17:04:01.635: RADIUS: AAA Unsupported Attr: interface [157] 6
Aug 30 17:04:01.635: RADIUS: 74 74 79 34 [tty4]
Aug 30 17:04:01.635: RADIUS/ENCODE(000005CE): dropping service type, "radius-server attribute 6 on-for-login-auth" is off
Aug 30 17:04:01.635: RADIUS(000005CE): Config NAS IP: xxx.xxx.xxx.xxx
Aug 30 17:04:01.635: RADIUS/ENCODE(000005CE): acct_session_id: 1486
Aug 30 17:04:01.635: RADIUS(000005CE): sending
Aug 30 17:04:01.635: RADIUS(000005CE): Send Access-Request to xxx.xxx.xxx.xxx:1812 id 1645/241, len 87
Aug 30 17:04:01.635: RADIUS: authenticator E7 CE FD C8 3D 37 01 CC - 2E A4 D5 BD 8E 27 F4 43
Aug 30 17:04:01.635: RADIUS: User-Name [1] 8 "test"
Aug 30 17:04:01.635: RADIUS: User-Password [2] 18 *
Aug 30 17:04:01.635: RADIUS: NAS-Port [5] 6 451
Aug 30 17:04:01.635: RADIUS: NAS-Port-Id [87] 8 "tty451"
Aug 30 17:04:01.635: RADIUS: NAS-Port-Type [61] 6 Virtual [5]
Aug 30 17:04:01.635: RADIUS: Calling-Station-Id [31] 15 "xxx.xxx.xxx.xxx"
Aug 30 17:04:01.635: RADIUS: NAS-IP-Address [4] 6 xxx.xxx.xxx.xxx
Aug 30 17:04:01.647: RADIUS: Received from id 1645/241 xxx.xxx.xxx.xxx:1812, Access-Accept, len 50
Aug 30 17:04:01.647: RADIUS: authenticator B1 55 52 0D EB 66 01 C2 - 98 E0 7E 17 93 36 0D D2
Aug 30 17:04:01.647: RADIUS: Service-Type [6] 6 Administrative [6]
Aug 30 17:04:01.647: RADIUS: Vendor, Cisco [26] 24
Aug 30 17:04:01.647: RADIUS: Cisco AVpair [1] 18 "shell:priv-lvl=1"
Aug 30 17:04:01.647: RADIUS(000005CE): Received from id 1645/241
Aug 30 17:04:01.647: AAA/AUTHOR/EXEC(000005CE): processing AV priv-lvl=1
Aug 30 17:04:01.647: AAA/AUTHOR/EXEC(000005CE): processing AV priv-lvl=15
Aug 30 17:04:01.647: AAA/AUTHOR/EXEC(000005CE): processing AV service-type=6
Aug 30 17:04:01.647: AAA/AUTHOR/EXEC(000005CE): Authorization successful
Aug 30 17:04:01.647: RADIUS/ENCODE(000005CE):Orig. component type = EXEC
Aug 30 17:04:01.647: RADIUS(000005CE): Config NAS IP: xxx.xxx.xxx.xxx
Aug 30 17:04:01.647: RADIUS(000005CE): sending
Aug 30 17:04:01.647: RADIUS(000005CE): Send Accounting-Request to xxx.xxx.xxx.xxx:1813 id 1646/180, len 103
Aug 30 17:04:01.647: RADIUS: authenticator 68 53 1A 44 F0 5E 12 A5 - 99 6F 21 64 F3 F5 50 31
Aug 30 17:04:01.647: RADIUS: Acct-Session-Id [44] 10 "000005CE"
Aug 30 17:04:01.647: RADIUS: User-Name [1] 8 "test"
Aug 30 17:04:01.647: RADIUS: Acct-Authentic [45] 6 RADIUS [1]
Aug 30 17:04:01.647: RADIUS: Acct-Status-Type [40] 6 Start [1]
Aug 30 17:04:01.647: RADIUS: NAS-Port [5] 6 451
Aug 30 17:04:01.647: RADIUS: NAS-Port-Id [87] 8 "tty451"
Aug 30 17:04:01.647: RADIUS: NAS-Port-Type [61] 6 Virtual [5]
Aug 30 17:04:01.647: RADIUS: Calling-Station-Id [31] 15 "xxx.xxx.xxx.xxx"
Aug 30 17:04:01.647: RADIUS: Service-Type [6] 6 NAS Prompt [7]
Aug 30 17:04:01.647: RADIUS: NAS-IP-Address [4] 6 xxx.xxx.xxx.xxx
Aug 30 17:04:01.647: RADIUS: Acct-Delay-Time [41] 6 0
Aug 30 17:04:01.655: RADIUS: Received from id 1646/180 xxx.xxx.xxx.xxx:1813, Accounting-response, len 20
Aug 30 17:04:01.655: RADIUS: authenticator FE E4 75 AD 9E 1E 35 A9 - 1F 1D 5F B7 AD 4D AC EA
08-30-2010 10:16 AM
Looks like the service-type="administrative" is what triggers the privilege level escalation.
08-31-2010 07:36 AM
In the RADIUS server I replaced "Service-Type = Shell-User" with "Service-Type = Login" and the problem was fixed.
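The thread's debug shows the Access-Accept carrying both Service-Type [6] Administrative [6] and a Cisco AVpair "shell:priv-lvl=1" (len 50), and the 12.4(12) box landing the user at priv 15. The following is an added example, not code from the thread or from Cisco: a small RADIUS attribute decoder in Python that rebuilds that reply from constructed bytes (placeholder authenticator), decodes the Service-Type and the Cisco VSA, and audits the reply for the contradiction the thread hit. The "Administrative wins over shell:priv-lvl" rule is inferred from the observed debug output, not taken from Cisco documentation; the Service-Type numbers (Login=1, Administrative=6, NAS Prompt=7) are from RFC 2865, and mapping the server's "Shell-User" name to value 6 is an assumption.

```python
import struct

# RFC 2865 attribute type codes and the Cisco VSA layout used by cisco-avpair.
ATTR_SERVICE_TYPE = 6
ATTR_VENDOR_SPECIFIC = 26
CISCO_VENDOR_ID = 9
CISCO_AVPAIR = 1            # vendor sub-type carrying "shell:priv-lvl=N" etc.
CODE_ACCESS_ACCEPT = 2

# RFC 2865 Service-Type values seen in this thread.
SERVICE_TYPE_NAMES = {1: "Login", 6: "Administrative", 7: "NAS Prompt"}
SERVICE_TYPE_ADMINISTRATIVE = 6


def attr(atype: int, value: bytes) -> bytes:
    """Encode one RFC 2865 TLV: type, total length, value."""
    return bytes([atype, 2 + len(value)]) + value


def cisco_avpair(text: str) -> bytes:
    """Encode a Cisco VSA (attribute 26, vendor 9, sub-type 1) holding one AV pair."""
    sub = bytes([CISCO_AVPAIR, 2 + len(text)]) + text.encode("ascii")
    return attr(ATTR_VENDOR_SPECIFIC, struct.pack("!I", CISCO_VENDOR_ID) + sub)


def access_accept(ident: int, attrs: bytes) -> bytes:
    """Build a constructed Access-Accept; the 16-byte authenticator is a zero
    placeholder (a real one is MD5 over the request) since decoding ignores it."""
    return struct.pack("!BBH", CODE_ACCESS_ACCEPT, ident, 20 + len(attrs)) + b"\x00" * 16 + attrs


def decode_attributes(payload: bytes) -> list:
    """Walk the TLVs; expand Cisco VSAs into ('cisco-avpair', str) and
    Service-Type into ('service-type', int). Rejects malformed lengths."""
    attrs, i = [], 0
    while i < len(payload):
        if i + 2 > len(payload):
            raise ValueError("truncated attribute header")
        atype, alen = payload[i], payload[i + 1]
        if alen < 2 or i + alen > len(payload):
            raise ValueError(f"bad attribute length {alen} at offset {i}")
        value = payload[i + 2:i + alen]
        if atype == ATTR_VENDOR_SPECIFIC:
            vendor_id = struct.unpack("!I", value[:4])[0]
            vtype, vlen = value[4], value[5]          # one sub-attribute per VSA, as IOS sends
            vvalue = value[6:4 + vlen]
            if vendor_id == CISCO_VENDOR_ID and vtype == CISCO_AVPAIR:
                attrs.append(("cisco-avpair", vvalue.decode("ascii")))
            else:
                attrs.append((f"vsa-{vendor_id}-{vtype}", vvalue))
        elif atype == ATTR_SERVICE_TYPE:
            attrs.append(("service-type", struct.unpack("!I", value)[0]))
        else:
            attrs.append((atype, value))
        i += alen
    return attrs


def decode_packet(pkt: bytes):
    """Return (code, identifier, attributes) for a RADIUS packet."""
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if length != len(pkt):
        raise ValueError(f"length field {length} != packet size {len(pkt)}")
    return code, ident, decode_attributes(pkt[20:length])


def shell_priv_lvl(attrs) -> int:
    """priv-lvl requested via cisco-avpair; IOS default is 1 when absent."""
    level = 1
    for name, value in attrs:
        if name == "cisco-avpair" and value.startswith("shell:priv-lvl="):
            level = int(value.split("=", 1)[1])
    return level


def effective_priv_lvl(attrs) -> int:
    """Inferred from the 12.4(12) debug in the thread: Service-Type Administrative
    puts the EXEC session at level 15 regardless of the shell:priv-lvl AV pair."""
    service_type = next((v for n, v in attrs if n == "service-type"), None)
    if service_type == SERVICE_TYPE_ADMINISTRATIVE:
        return 15
    return shell_priv_lvl(attrs)


def audit(attrs) -> list:
    """Flag replies whose Service-Type silently outranks the configured priv-lvl."""
    findings = []
    service_type = next((v for n, v in attrs if n == "service-type"), None)
    requested = shell_priv_lvl(attrs)
    if service_type == SERVICE_TYPE_ADMINISTRATIVE and requested < 15:
        findings.append(f"Service-Type=Administrative overrides shell:priv-lvl={requested}; "
                        f"session lands at 15. Send Service-Type=Login (1) or NAS Prompt (7) instead.")
    return findings


# Constructed replies mirroring the thread: the broken one (Administrative + priv-lvl 1,
# 50 bytes like the captured Access-Accept) and the fix (Login + priv-lvl 1).
ACCEPT_BEFORE = access_accept(241, attr(ATTR_SERVICE_TYPE, struct.pack("!I", 6)) + cisco_avpair("shell:priv-lvl=1"))
ACCEPT_AFTER = access_accept(241, attr(ATTR_SERVICE_TYPE, struct.pack("!I", 1)) + cisco_avpair("shell:priv-lvl=1"))

if __name__ == "__main__":
    for label, pkt in (("before", ACCEPT_BEFORE), ("after", ACCEPT_AFTER)):
        code, ident, attrs = decode_packet(pkt)
        st = next(v for n, v in attrs if n == "service-type")
        print(f"{label}: len={len(pkt)} Service-Type={SERVICE_TYPE_NAMES.get(st, st)} "
              f"effective priv-lvl={effective_priv_lvl(attrs)} findings={audit(attrs)}")
```

Running it decodes the "before" reply to Service-Type Administrative with an effective level of 15 and one audit finding, and the "after" reply (Service-Type Login, the change the thread made) to level 1 with no findings. The same decoder can be pointed at a pcap extract of the server's Access-Accepts to find other profiles where the Service-Type dictionary name quietly maps to value 6.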