Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
New Member

AAA with different level of privileges into a router (using Microsoft IAS)

Hello...

I'm trying to configure IAS Radius server to login users into a CISCO 3640 router. The idea is that different users login with different privileges... Some users with privilege 15. I've been checking the logs of the IAS server and it's working and authenticating users fine...

The aaa-related commands from the running-config of the router are shown below:

!

aaa new-model

aaa authentication login default group radius local

aaa authentication login if_needed local

aaa authorization exec default group radius if-authenticated

!

username admin privilege 15 password 0 xxxxxxxxx

!

(commands not shown)

!

radius-server host 10.1.2.47 auth-port 1645 acct-port 1646 radius-server retransmit 3 radius-server key 7 xxxxxxx

radius-server vsa send accounting

!

(commands not shown)

!

line con 0

privilege level 15

password 0 xxxxxxxxx

logging synchronous

login authentication if_needed

(I have a 15-level backdoor via console just in case)

!

!

!

When I remove the "aaa authorization exec" command users are authenticated and logged in the router with level-1 privileges. When I leave this command with the "shell:priv-lvl=15" attribute in the IAS server the authorization fails. The debug info is shown below:

*Mar 1 02:36:18: tty130 AAA/AUTHOR/EXEC (3895993257): Port='tty130' list='' service=EXEC

*Mar 1 02:36:18: AAA/AUTHOR/EXEC: tty130 (3895993257) user='albertoff'

*Mar 1 02:36:18: tty130 AAA/AUTHOR/EXEC (3895993257): send AV service=shell

*Mar 1 02:36:18: tty130 AAA/AUTHOR/EXEC (3895993257): send AV cmd*

*Mar 1 02:36:18: tty130 AAA/AUTHOR/EXEC (3895993257): found list "default"

*Mar 1 02:36:18: tty130 AAA/AUTHOR/EXEC (3895993257): Method=radius (radius)

*Mar 1 02:36:18: RADIUS: cisco AVPair "shell:priv-lvl=15"

*Mar 1 02:36:18: RADIUS: Unknown service-type in shell-author: type=4

*Mar 1 02:36:18: RADIUS: no appropriate authorization type for user.

*Mar 1 02:36:18: AAA/AUTHOR (3895993257): Post authorization status = FAIL

*Mar 1 02:36:18: AAA/AUTHOR/EXEC: Authorization FAILED

What do the "Unknown service-type in shell-author: type=4" and "no appropriate authorization type for user" stand for anyway?...

I don't know what's going on and my little experience with radius isn't helping either...

Any help would be more than welcome, thanks, af.

3 REPLIES
Cisco Employee

Re: AAA with different level of privileges into a router (using

Service-Type (Radius attribute number 6) should be set to Login (value 1) for exec sessions, so set this in the user profile also and you should be right.

New Member

Re: AAA with different level of privileges into a router (using

Thanks gfullage for your answer...

I've already tried the Service-Type=Login attribute but it doesn't work either. Here's the debug for the authorization part:

*Mar 5 18:20:22: tty130 AAA/AUTHOR/EXEC (3542376879): Port='tty130' list='' seC

*Mar 5 18:20:22: AAA/AUTHOR/EXEC: tty130 (3542376879) user='albertoff'

*Mar 5 18:20:22: tty130 AAA/AUTHOR/EXEC (3542376879): send AV service=shell

*Mar 5 18:20:22: tty130 AAA/AUTHOR/EXEC (3542376879): send AV cmd*

*Mar 5 18:20:22: tty130 AAA/AUTHOR/EXEC (3542376879): found list "default"

*Mar 5 18:20:22: tty130 AAA/AUTHOR/EXEC (3542376879): Method=radius (radius)

*Mar 5 18:20:22: RADIUS: Unknown service-type in shell-author: type=4

*Mar 5 18:20:22: RADIUS: cisco AVPair "shell:priv-lvl=15"

*Mar 5 18:20:22: RADIUS: no appropriate authorization type for user.

*Mar 5 18:20:22: AAA/AUTHOR (3542376879): Post authorization status = FAIL

*Mar 5 18:20:22: AAA/AUTHOR/EXEC: Authorization FAILED

The only difference I see from this to what I post on the first message is that the "Unknown service-type in shell-author" message appears before the "cisco AVPair "shell:priv-lvl=15"" message.

Now, when I try to login to the router it gives me an "Authorization Failed" message at the login prompt. I can only logon to it via console.

Thanks again for any suggestions, regards, af.

Cisco Employee

Re: AAA with different level of privileges into a router (using

This debug output:

*Mar 5 18:20:22: RADIUS: Unknown service-type in shell-author: type=4

seems to indicate that Service-Type is set to 4, not 1 (Login). Can you cut/paste the user attributes you have in the IAS server so I can have a look at them.

511
Views
0
Helpful
3
Replies
CreatePlease to create content