Authorization problem - Privilege level

pjhenriqs
Level 1

Hi,

Again I'm having some problems with AAA authorization to assign the correct privilege level to the users on my RADIUS server (FreeRadius).

I am currently updating all routers to do this authorization and I'm having problems because one of them has version 12.0(30)S2, which does not use the same commands.

This is the AAA configuration that I have working on the other routers:

aaa new-model
aaa group server radius RADIUSSERVERS
aaa authentication login AAA group RADIUSSERVERS local enable none
aaa authentication login CONSOLE local
aaa authentication ppp default group radius local
aaa authorization exec AAA group RADIUSSERVERS local none
aaa authorization network default group radius local
aaa authorization network AAA group RADIUSSERVERS local none
aaa accounting exec AAA start-stop group RADIUSSERVERS
aaa accounting network default start-stop group radius
aaa accounting network AAA start-stop group RADIUSSERVERS
aaa session-id common
...
line vty 0 4
 session-timeout 5000
 access-class 99 in
 exec-timeout 5000 0
 password 7 x
 authorization exec AAA
 login authentication AAA
 transport input telnet
line vty 5 15
 session-timeout 5000
 access-class 99 in
 exec-timeout 5000 0
 password 7 x
 authorization exec AAA
 login authentication AAA
 transport input telnet

This is the one that does not work (version IOS 12.0(30)S2):

aaa new-model
aaa authentication fail-message ^C
aaa authentication password-prompt Passcode:
aaa authentication username-prompt UserID:
aaa authentication login AAA radius local enable none
aaa authentication login CONSOLE local
aaa authorization exec AAA radius local none
aaa authorization network default radius local
aaa authorization network AAA radius local none
...
radius-server host x.x.x.x auth-port 8812 acct-port 8813
radius-server retransmit 2
radius-server key 7 X
...
line vty 0 4
 session-timeout 5
 access-class 99 in
 exec-timeout 5 0
 password 7 x
 authorization exec AAA
 login authentication AAA
line vty 5 15
 session-timeout 5
 access-class 99 in
 exec-timeout 5 0
 password 7 x
 authorization exec AAA
 login authentication AAA

The radius server is configured to be the same, although I use the group command with the new version and "radius-server" with the older version.

Can anyone tell me what I'm doing wrong?

Thank you,

Paulo

4 Replies

mbroberson1
Level 3

Have you thought about setting up and using an ACS server? You can then use the command authorization set and use this either per user or group. It is a much more granular control of commands allowed and much easier to implement...of course then there is the cost of an ACS server.

Just another possibility.

I would prefer to work with ACS yes, but unfortunately I don't decide that in my company.

Also, I think the RADIUS server I'm using is not the problem since I have routers with IOS version 12.4(6) which are working fine with the config I showed.

Regards,

Paulo

rochopra
Cisco Employee

Do you get any hits on radius server?

try enabling following debugs :

debug aaa authentication

debug aaa authorization

debug radius

This will give more detail on what's happening.

~Rohit

Thanks. Looking at the debugs solved the problem.

I was so convinced that I had set the right privilege level on the server that I didn't even check it. It worked on the other routers because their commands were set to lower privilege levels.

That was the problem.

Thanks for everything and sorry for bugging you with such a simple problem.
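The thread resolves on the server side: the router assigns the exec privilege level from the Cisco-AVPair attribute `shell:priv-lvl=N` that the RADIUS server returns in its Access-Accept, and the value configured on FreeRADIUS was simply lower than expected. The following added example (not code from the thread, FreeRADIUS or Cisco) encodes and decodes that attribute exactly as it travels on the wire (RFC 2865 Vendor-Specific layout, Cisco vendor id 9, vendor type 1) so that what `debug radius` shows the router receiving can be read back as a privilege level. The FreeRADIUS `users` entry in the comments and the three Access-Accept attribute lists are constructed for illustration.

```python
"""Decode the Cisco-AVPair that carries shell:priv-lvl in a RADIUS Access-Accept.

Added example, not code from the thread. Layout per RFC 2865 section 5.26:
  Type=26 | Length | Vendor-Id (4 bytes) | Vendor-Type | Vendor-Length | String
Cisco's vendor id is 9 and Cisco-AVPair is vendor type 1. On exec
authorization the router reads the privilege level from "shell:priv-lvl=N".
"""
import re
import struct

VENDOR_SPECIFIC = 26
SERVICE_TYPE = 6
NAS_PROMPT_USER = 7
CISCO_VENDOR_ID = 9
CISCO_AVPAIR = 1


def encode_vsa(vendor_id, vendor_type, value):
    """Build one Vendor-Specific (type 26) attribute."""
    vendor_len = 2 + len(value)   # vendor-type + vendor-length + string
    total = 2 + 4 + vendor_len    # type + length + vendor-id + vendor data
    if total > 255:
        raise ValueError("value too long for a single RADIUS attribute")
    return struct.pack("!BBIBB", VENDOR_SPECIFIC, total, vendor_id,
                       vendor_type, vendor_len) + value


def encode_cisco_avpair(avpair):
    return encode_vsa(CISCO_VENDOR_ID, CISCO_AVPAIR, avpair.encode())


def encode_service_type(value):
    """Service-Type is a 4-byte integer attribute: type 6, length 6."""
    return struct.pack("!BBI", SERVICE_TYPE, 6, value)


def decode_attributes(blob):
    """Walk a RADIUS attribute list into (type, payload) tuples.
    Bad lengths raise instead of reading past the buffer."""
    attrs = []
    i = 0
    while i < len(blob):
        if i + 2 > len(blob):
            raise ValueError(f"truncated attribute header at offset {i}")
        atype, alen = blob[i], blob[i + 1]
        if alen < 2 or i + alen > len(blob):
            raise ValueError(f"bad attribute length {alen} at offset {i}")
        attrs.append((atype, blob[i + 2:i + alen]))
        i += alen
    return attrs


def decode_vsa(payload):
    """Split a type-26 payload into (vendor_id, vendor_type, value) tuples."""
    if len(payload) < 6:
        raise ValueError("VSA payload too short")
    vendor_id = struct.unpack("!I", payload[:4])[0]
    out = []
    i = 4
    while i < len(payload):
        if i + 2 > len(payload):
            raise ValueError("truncated vendor attribute")
        vtype, vlen = payload[i], payload[i + 1]
        if vlen < 2 or i + vlen > len(payload):
            raise ValueError(f"bad vendor-length {vlen}")
        out.append((vendor_id, vtype, payload[i + 2:i + vlen]))
        i += vlen
    return out


def priv_lvl_from_accept(blob):
    """Privilege level a Cisco router takes from this attribute list, or None
    when no shell:priv-lvl pair is present (the line's default, normally 1,
    then applies)."""
    for atype, payload in decode_attributes(blob):
        if atype != VENDOR_SPECIFIC:
            continue
        for vendor_id, vtype, value in decode_vsa(payload):
            if vendor_id == CISCO_VENDOR_ID and vtype == CISCO_AVPAIR:
                m = re.fullmatch(rb"shell:priv-lvl=(\d+)", value)
                if m:
                    return int(m.group(1))
    return None


# Constructed Access-Accept attribute lists (not captured from a real server).
# The first is what an illustrative FreeRADIUS `users` entry such as
#   paulo  Cleartext-Password := "secret"
#          Service-Type = NAS-Prompt-User,
#          Cisco-AVPair = "shell:priv-lvl=15"
# would produce; the second is the same user left at privilege 1; the third
# sends no AV pair at all.
ACCEPT_PRIV15 = encode_service_type(NAS_PROMPT_USER) + encode_cisco_avpair("shell:priv-lvl=15")
ACCEPT_PRIV1 = encode_service_type(NAS_PROMPT_USER) + encode_cisco_avpair("shell:priv-lvl=1")
ACCEPT_NO_AVPAIR = encode_service_type(NAS_PROMPT_USER)

if __name__ == "__main__":
    for name, blob in (("priv15", ACCEPT_PRIV15), ("priv1", ACCEPT_PRIV1),
                       ("none", ACCEPT_NO_AVPAIR)):
        print(name, blob.hex(), "->", priv_lvl_from_accept(blob))
```

Two practical notes. First, the attribute is identical whichever IOS syntax the router uses (`radius-server host` on 12.0, `aaa group server radius` on 12.4), so a router that lands at the wrong level with the same server is almost always receiving the value the server actually sends; decoding it removes the guesswork. Second, the method lists in both configs end in `none` (`... radius local none`), which means that if every RADIUS server is unreachable and no local user matches, login and exec authorization succeed with no check at all; that is a deliberate availability trade-off and worth revisiting once the RADIUS path is known to work.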
