AAA with different level of privileges into a router (using Microsoft IAS)

albertoff
Level 1

Hello...

I'm trying to configure IAS Radius server to login users into a CISCO 3640 router. The idea is that different users login with different privileges... Some users with privilege 15. I've been checking the logs of the IAS server and it's working and authenticating users fine...

The aaa-related commands from the running-config of the router are shown below:

!
aaa new-model
aaa authentication login default group radius local
aaa authentication login if_needed local
aaa authorization exec default group radius if-authenticated
!
username admin privilege 15 password 0 xxxxxxxxx
!
(commands not shown)
!
radius-server host 10.1.2.47 auth-port 1645 acct-port 1646
radius-server retransmit 3
radius-server key 7 xxxxxxx
radius-server vsa send accounting
!
(commands not shown)
!
line con 0
 privilege level 15
 password 0 xxxxxxxxx
 logging synchronous
 login authentication if_needed
!

(I have a 15-level backdoor via console just in case)

When I remove the "aaa authorization exec" command, users are authenticated and logged into the router with level-1 privileges. When I leave this command in place, with the "shell:priv-lvl=15" attribute set in the IAS server, the authorization fails. The debug info is shown below:

*Mar 1 02:36:18: tty130 AAA/AUTHOR/EXEC (3895993257): Port='tty130' list='' service=EXEC
*Mar 1 02:36:18: AAA/AUTHOR/EXEC: tty130 (3895993257) user='albertoff'
*Mar 1 02:36:18: tty130 AAA/AUTHOR/EXEC (3895993257): send AV service=shell
*Mar 1 02:36:18: tty130 AAA/AUTHOR/EXEC (3895993257): send AV cmd*
*Mar 1 02:36:18: tty130 AAA/AUTHOR/EXEC (3895993257): found list "default"
*Mar 1 02:36:18: tty130 AAA/AUTHOR/EXEC (3895993257): Method=radius (radius)
*Mar 1 02:36:18: RADIUS: cisco AVPair "shell:priv-lvl=15"
*Mar 1 02:36:18: RADIUS: Unknown service-type in shell-author: type=4
*Mar 1 02:36:18: RADIUS: no appropriate authorization type for user.
*Mar 1 02:36:18: AAA/AUTHOR (3895993257): Post authorization status = FAIL
*Mar 1 02:36:18: AAA/AUTHOR/EXEC: Authorization FAILED

What do the "Unknown service-type in shell-author: type=4" and "no appropriate authorization type for user" stand for anyway?...

I don't know what's going on and my little experience with radius isn't helping either...

Any help would be more than welcome, thanks, af.

3 Replies

gfullage
Cisco Employee

Service-Type (Radius attribute number 6) should be set to Login (value 1) for exec sessions, so set this in the user profile also and you should be right.

Thanks gfullage for your answer...

I've already tried the Service-Type=Login attribute but it doesn't work either. Here's the debug for the authorization part:

*Mar 5 18:20:22: tty130 AAA/AUTHOR/EXEC (3542376879): Port='tty130' list='' seC
*Mar 5 18:20:22: AAA/AUTHOR/EXEC: tty130 (3542376879) user='albertoff'
*Mar 5 18:20:22: tty130 AAA/AUTHOR/EXEC (3542376879): send AV service=shell
*Mar 5 18:20:22: tty130 AAA/AUTHOR/EXEC (3542376879): send AV cmd*
*Mar 5 18:20:22: tty130 AAA/AUTHOR/EXEC (3542376879): found list "default"
*Mar 5 18:20:22: tty130 AAA/AUTHOR/EXEC (3542376879): Method=radius (radius)
*Mar 5 18:20:22: RADIUS: Unknown service-type in shell-author: type=4
*Mar 5 18:20:22: RADIUS: cisco AVPair "shell:priv-lvl=15"
*Mar 5 18:20:22: RADIUS: no appropriate authorization type for user.
*Mar 5 18:20:22: AAA/AUTHOR (3542376879): Post authorization status = FAIL
*Mar 5 18:20:22: AAA/AUTHOR/EXEC: Authorization FAILED

The only difference I see between this and what I posted in the first message is that the "Unknown service-type in shell-author" message now appears before the "cisco AVPair "shell:priv-lvl=15"" message.

Now, when I try to log in to the router it gives me an "Authorization Failed" message at the login prompt. I can only log on to it via the console.

Thanks again for any suggestions, regards, af.

This debug output:

*Mar 5 18:20:22: RADIUS: Unknown service-type in shell-author: type=4

seems to indicate that Service-Type is set to 4, not 1 (Login). Can you cut/paste the user attributes you have in the IAS server so I can have a look at them?
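To make the diagnosis above concrete, here is an added example (not code from the thread, IAS or IOS) that encodes the Access-Accept attributes a RADIUS server returns for an exec user and then applies the check the router's "Unknown service-type in shell-author" message implies: exec authorization is only honoured when Service-Type (attribute 6) is Login (1), and only then is the cisco-avpair "shell:priv-lvl=15" (Vendor-Specific 26, vendor 9, vendor-type 1) used. The accepted-value rule is taken from the thread; the encode/decode helpers and the default level of 1 are assumptions.

```python
import struct

SERVICE_TYPE = 6        # RADIUS Service-Type attribute (RFC 2865)
VENDOR_SPECIFIC = 26    # RADIUS Vendor-Specific attribute
CISCO_VENDOR_ID = 9
CISCO_AVPAIR = 1        # vendor-type 1 carries strings such as "shell:priv-lvl=15"
SERVICE_TYPE_LOGIN = 1  # value the router expects for an exec session (per the thread)

def encode_attrs(service_type, avpairs):
    """Build the attribute TLVs of an Access-Accept for an exec user (constructed sample)."""
    out = struct.pack("!BBI", SERVICE_TYPE, 6, service_type)
    for av in avpairs:
        data = av.encode()
        inner = struct.pack("!BB", CISCO_AVPAIR, 2 + len(data)) + data
        out += struct.pack("!BBI", VENDOR_SPECIFIC, 6 + len(inner), CISCO_VENDOR_ID) + inner
    return out

def decode_attrs(buf):
    """Walk the TLVs; return (service_type, [cisco-avpair strings]). Rejects bad lengths."""
    service_type, avpairs, i = None, [], 0
    while i < len(buf):
        t, l = buf[i], buf[i + 1]
        if l < 2 or i + l > len(buf):
            raise ValueError("malformed attribute at offset %d" % i)
        val = buf[i + 2:i + l]
        if t == SERVICE_TYPE and len(val) == 4:
            service_type = struct.unpack("!I", val)[0]
        elif t == VENDOR_SPECIFIC and len(val) >= 6:
            if struct.unpack("!I", val[:4])[0] == CISCO_VENDOR_ID:
                vt, vl = val[4], val[5]
                if vt == CISCO_AVPAIR and vl == len(val) - 4:
                    avpairs.append(val[6:6 + vl - 2].decode())
        i += l
    return service_type, avpairs

def exec_authorization(buf):
    """Model the router's exec (shell) authorization decision on the returned attributes.
    A Service-Type other than Login(1) is reported the way the debug output shows it,
    and the priv-lvl is never consulted, which is why the user is denied rather than
    dropped to level 1."""
    service_type, avpairs = decode_attrs(buf)
    if service_type != SERVICE_TYPE_LOGIN:
        return ("FAIL", "Unknown service-type in shell-author: type=%s" % service_type)
    for av in avpairs:
        if av.startswith("shell:priv-lvl="):
            return ("PASS", "priv-lvl=%d" % int(av.split("=", 1)[1]))
    return ("PASS", "priv-lvl=1")  # assumption: no priv-lvl avpair means the default exec level
```

Feeding `encode_attrs(4, ["shell:priv-lvl=15"])` through `exec_authorization` reproduces the thread's failure line, while `encode_attrs(SERVICE_TYPE_LOGIN, ["shell:priv-lvl=15"])` passes with level 15.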
