08-28-2003 07:48 AM - edited 03-10-2019 07:27 AM
Hello...
I'm trying to configure an IAS Radius server to log users in to a CISCO 3640 router. The idea is that different users log in with different privileges... Some users with privilege 15. I've been checking the logs of the IAS server and it's working and authenticating users fine...
The aaa-related commands from the running-config of the router are shown below:
!
aaa new-model
aaa authentication login default group radius local
aaa authentication login if_needed local
aaa authorization exec default group radius if-authenticated
!
username admin privilege 15 password 0 xxxxxxxxx
!
(commands not shown)
!
radius-server host 10.1.2.47 auth-port 1645 acct-port 1646
radius-server retransmit 3
radius-server key 7 xxxxxxx
radius-server vsa send accounting
!
(commands not shown)
!
line con 0
privilege level 15
password 0 xxxxxxxxx
logging synchronous
login authentication if_needed
(I have a 15-level backdoor via console just in case)
!
!
!
When I remove the "aaa authorization exec" command, users are authenticated and logged in to the router with level-1 privileges. When I leave this command in, with the "shell:priv-lvl=15" attribute in the IAS server, the authorization fails. The debug info is shown below:
*Mar 1 02:36:18: tty130 AAA/AUTHOR/EXEC (3895993257): Port='tty130' list='' service=EXEC
*Mar 1 02:36:18: AAA/AUTHOR/EXEC: tty130 (3895993257) user='albertoff'
*Mar 1 02:36:18: tty130 AAA/AUTHOR/EXEC (3895993257): send AV service=shell
*Mar 1 02:36:18: tty130 AAA/AUTHOR/EXEC (3895993257): send AV cmd*
*Mar 1 02:36:18: tty130 AAA/AUTHOR/EXEC (3895993257): found list "default"
*Mar 1 02:36:18: tty130 AAA/AUTHOR/EXEC (3895993257): Method=radius (radius)
*Mar 1 02:36:18: RADIUS: cisco AVPair "shell:priv-lvl=15"
*Mar 1 02:36:18: RADIUS: Unknown service-type in shell-author: type=4
*Mar 1 02:36:18: RADIUS: no appropriate authorization type for user.
*Mar 1 02:36:18: AAA/AUTHOR (3895993257): Post authorization status = FAIL
*Mar 1 02:36:18: AAA/AUTHOR/EXEC: Authorization FAILED
What do the "Unknown service-type in shell-author: type=4" and "no appropriate authorization type for user" stand for anyway?...
I don't know what's going on and my little experience with radius isn't helping either...
Any help would be more than welcome, thanks, af.
08-28-2003 07:37 PM
Service-Type (Radius attribute number 6) should be set to Login (value 1) for exec sessions, so set this in the user profile also and you should be right.
09-01-2003 03:54 AM
Thanks gfullage for your answer...
I've already tried the Service-Type=Login attribute but it doesn't work either. Here's the debug for the authorization part:
*Mar 5 18:20:22: tty130 AAA/AUTHOR/EXEC (3542376879): Port='tty130' list='' seC
*Mar 5 18:20:22: AAA/AUTHOR/EXEC: tty130 (3542376879) user='albertoff'
*Mar 5 18:20:22: tty130 AAA/AUTHOR/EXEC (3542376879): send AV service=shell
*Mar 5 18:20:22: tty130 AAA/AUTHOR/EXEC (3542376879): send AV cmd*
*Mar 5 18:20:22: tty130 AAA/AUTHOR/EXEC (3542376879): found list "default"
*Mar 5 18:20:22: tty130 AAA/AUTHOR/EXEC (3542376879): Method=radius (radius)
*Mar 5 18:20:22: RADIUS: Unknown service-type in shell-author: type=4
*Mar 5 18:20:22: RADIUS: cisco AVPair "shell:priv-lvl=15"
*Mar 5 18:20:22: RADIUS: no appropriate authorization type for user.
*Mar 5 18:20:22: AAA/AUTHOR (3542376879): Post authorization status = FAIL
*Mar 5 18:20:22: AAA/AUTHOR/EXEC: Authorization FAILED
The only difference I see between this and what I posted in the first message is that the "Unknown service-type in shell-author" message appears before the "cisco AVPair "shell:priv-lvl=15"" message.
Now, when I try to log in to the router it gives me an "Authorization Failed" message at the login prompt. I can only log on to it via console.
Thanks again for any suggestions, regards, af.
09-01-2003 03:13 PM
This debug output:
*Mar 5 18:20:22: RADIUS: Unknown service-type in shell-author: type=4
seems to indicate that Service-Type is set to 4, not 1 (Login). Can you cut/paste the user attributes you have in the IAS server so I can have a look at them?
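To make the point of the last two replies concrete, here is an added example (not from this thread, and not Cisco or IAS code) that encodes and decodes the attribute section of an Access-Accept per RFC 2865, then reports in the router's own terms whether exec authorization could succeed: Service-Type (attribute 6) must be Login (1) for the shell-author check, and the Cisco VSA (attribute 26, vendor 9, cisco-avpair sub-type 1) carries "shell:priv-lvl=15". The service-type names are the RFC 2865 values; the sample packets are constructed.

```python
import struct

SERVICE_TYPE, VENDOR_SPECIFIC = 6, 26          # RFC 2865 attribute types
CISCO_VENDOR_ID, CISCO_AVPAIR = 9, 1           # Vendor-Specific: Cisco, cisco-avpair sub-type
SERVICE_TYPE_NAMES = {1: "Login", 2: "Framed", 3: "Callback-Login", 4: "Callback-Framed",
                      5: "Outbound", 6: "Administrative", 7: "NAS-Prompt"}

def encode_attrs(service_type, avpairs):
    """Build the attribute bytes of an Access-Accept: Service-Type + one Cisco VSA per avpair."""
    out = struct.pack("!BBI", SERVICE_TYPE, 6, service_type)        # type, length, 4-byte integer
    for pair in avpairs:
        v = pair.encode()
        sub = struct.pack("!BB", CISCO_AVPAIR, 2 + len(v)) + v      # vendor-type, vendor-length, string
        out += struct.pack("!BBI", VENDOR_SPECIFIC, 6 + len(sub), CISCO_VENDOR_ID) + sub
    return out

def decode_attrs(data):
    """Walk the TLVs; return (service_type or None, list of cisco-avpair strings)."""
    service_type, avpairs, i = None, [], 0
    while i < len(data):
        t, l = data[i], data[i + 1]
        if l < 2 or i + l > len(data):
            raise ValueError("malformed attribute at offset %d" % i)
        val = data[i + 2:i + l]
        if t == SERVICE_TYPE and len(val) == 4:
            service_type = struct.unpack("!I", val)[0]
        elif t == VENDOR_SPECIFIC and len(val) >= 6 and struct.unpack("!I", val[:4])[0] == CISCO_VENDOR_ID:
            j = 4                                                    # skip the vendor id
            while j + 2 <= len(val):
                vt, vl = val[j], val[j + 1]
                if vl < 2 or j + vl > len(val):
                    raise ValueError("malformed VSA sub-attribute at offset %d" % (i + 2 + j))
                if vt == CISCO_AVPAIR:
                    avpairs.append(val[j + 2:j + vl].decode())
                j += vl
        i += l
    return service_type, avpairs

def check_exec_authorization(data):
    """Mirror the router's exec (shell) authorization decision on a decoded Access-Accept."""
    st, pairs = decode_attrs(data)
    priv = [p for p in pairs if p.startswith("shell:priv-lvl=")]
    if st != 1:   # this is the "Unknown service-type in shell-author: type=N" case from the thread
        return "FAIL: Service-Type is %s (%s); exec authorization needs Login (1)" % (
            st, SERVICE_TYPE_NAMES.get(st, "unknown"))
    if not priv:
        return "OK: exec granted at default privilege level 1 (no shell:priv-lvl sent)"
    return "OK: exec granted at privilege level %s" % priv[-1].split("=", 1)[1]

if __name__ == "__main__":
    print(check_exec_authorization(encode_attrs(4, ["shell:priv-lvl=15"])))  # constructed: what the debug shows
    print(check_exec_authorization(encode_attrs(1, ["shell:priv-lvl=15"])))  # constructed: the intended profile
```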