Cisco 3750 & Radius Authorization

Hello,

I have some difficulties implementing AAA.

I'm trying to configure our Cisco to authenticate and authorize users using our RADIUS server.

After authentication, this server should send an attribute to define the user's privilege level.

Here is what I did:

username 1geob301
radius-server host 172.15.2.21 auth-port 1812 acct-port 1813 key Secret
radius-server source-ports 1645-1646
radius-server vsa send authentication
aaa new-model
aaa authentication login test-list group radius
aaa authorization exec test-list group radius

On the RADIUS server, once the user is authenticated, the server sends the attribute cisco-avpair = "shell:priv-lvl=15".

The authentication works, but I'm failing to configure the authorization correctly.

Here is the debug trace:

01:40:38: AAA: parse name=tty1 idb type=-1 tty=-1
01:40:38: AAA: name=tty1 flags=0x11 type=5 shelf=0 slot=0 adapter=0 port=1 channel=0
01:40:38: AAA/MEMORY: create_user (0x3B91F78) user='NULL' ruser='NULL' ds0=0 port='tty1' rem_addr='172.16.30.68' authen_type=ASCII service=LOGIN priv=1 initial_task_id='0', vrf= (id=0)
01:40:38: AAA/AUTHEN/START (3767632247): port='tty1' list='test-list' action=LOGIN service=LOGIN
01:40:38: AAA/AUTHEN/START (3767632247): found list test-list
01:40:38: AAA/AUTHEN/START (3767632247): Method=radius (radius)
01:40:38: AAA/AUTHEN (3767632247): status = GETPASS
01:40:38: AAA/AUTHEN/CONT (3767632247): continue_login (user='1geob301')
01:40:38: AAA/AUTHEN (3767632247): status = GETPASS
01:40:38: AAA/AUTHEN (3767632247): Method=radius (radius)
01:40:39: AAA/AUTHEN (3767632247): status = PASS
01:40:39: tty1 AAA/AUTHOR/EXEC (2157384509): Port='tty1' list='test-list' service=EXEC
01:40:39: AAA/AUTHOR/EXEC: tty1 (2157384509) user='1geob301'
01:40:39: tty1 AAA/AUTHOR/EXEC (2157384509): send AV service=shell
01:40:39: tty1 AAA/AUTHOR/EXEC (2157384509): send AV cmd*
01:40:39: tty1 AAA/AUTHOR/EXEC (2157384509): found list "test-list"
01:40:39: tty1 AAA/AUTHOR/EXEC (2157384509): Method=radius (radius)
01:40:39: AAA/AUTHOR (2157384509): Post authorization status = FAIL
01:40:39: AAA/AUTHOR/EXEC: Authorization FAILED

Could you help me, please?

Thanks

Bruno

2 REPLIES

Re: Cisco 3750 & Radius Authorization

Are you deliberately choosing not to do enable authentication via the RADIUS server?

I think your issue may have to do with the way you have configured the user profile on the RADIUS server.

With our configuration we do not see cisco-avpair = "shell:priv-lvl=15" being passed to the AAA client.

We see the IETF RADIUS Attribute 006 Service-Type being passed to the AAA client, with a value of "Login-User" or "Administrative-User" depending on how we choose to configure the user profile.

If the user profile is set to "Login-User", the user will be prompted for the enable password after successfully providing the user password. An additional user profile will be required for user "$enab15$". The "$enab15$" user profile would not be configured to pass IETF RADIUS Attribute 006 Service-Type to the AAA client.

If the user profile is set to "Administrative-User", the user will proceed to enable mode after having provided the user password, without being prompted for the enable password.


Re: Cisco 3750 & Radius Authorization

Hello,

Thanks for your answer.

I found the solution; it was simply a mistake in my RADIUS configuration.

Here is the attribute I send after authentication:

Service-Type = NAS-Prompt-User
cisco-avpair = "shell:priv-lvl=15"

Here is my Cisco configuration:

radius-server host 172.15.2.21 auth-port 1812 acct-port 1813 key Secret
radius-server source-ports 1645-1646
radius-server vsa send authentication
aaa new-model
aaa authentication login test-list group radius
aaa authorization exec test-list group radius
line vty 0
 authorization exec test-list
 login authentication test-list

And it's working fine.

Regards,
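Both replies turn on which attributes the RADIUS server puts in the Access-Accept: the IETF Service-Type (attribute 6) and the Cisco VSA cisco-avpair (attribute 26, vendor ID 9, vendor-type 1). The following is an added Python example, not code from this thread or from Cisco, that encodes and decodes exactly those attributes so a server's reply can be checked byte for byte; the attribute and Service-Type numbers are the RFC 2865 values, and the privilege mapping in exec_priv_level follows what the two replies describe.

```python
import struct
from typing import Optional

# RFC 2865 attribute types and the Service-Type values named in the thread
ATTR_SERVICE_TYPE = 6
ATTR_VENDOR_SPECIFIC = 26
CISCO_VENDOR_ID = 9          # IANA enterprise number for Cisco
CISCO_AVPAIR = 1             # vendor-type of cisco-avpair inside the Cisco VSA
SERVICE_TYPE = {"Login-User": 1, "Administrative-User": 6, "NAS-Prompt-User": 7}
SERVICE_TYPE_NAMES = {v: k for k, v in SERVICE_TYPE.items()}


def encode_attrs(service_type: str, avpairs: list) -> bytes:
    """Build the Access-Accept attribute bytes the switch expects for exec authorization."""
    out = struct.pack("!BBI", ATTR_SERVICE_TYPE, 6, SERVICE_TYPE[service_type])
    for av in avpairs:
        data = av.encode()
        if len(data) > 247:                       # 255 max attr length minus 8 bytes of framing
            raise ValueError("cisco-avpair too long for one VSA")
        # VSA layout: type 26, length, vendor-id (4 bytes), vendor-type, vendor-length, string
        vsa = struct.pack("!IBB", CISCO_VENDOR_ID, CISCO_AVPAIR, 2 + len(data)) + data
        out += struct.pack("!BB", ATTR_VENDOR_SPECIFIC, 2 + len(vsa)) + vsa
    return out


def decode_attrs(buf: bytes) -> dict:
    """Walk the attribute TLVs and pull out Service-Type and any cisco-avpair strings."""
    result = {"service_type": None, "avpairs": []}
    i = 0
    while i < len(buf):
        t, length = buf[i], buf[i + 1]
        if length < 2 or i + length > len(buf):
            raise ValueError("malformed attribute length")
        val = buf[i + 2:i + length]
        if t == ATTR_SERVICE_TYPE:
            result["service_type"] = SERVICE_TYPE_NAMES.get(struct.unpack("!I", val)[0])
        elif t == ATTR_VENDOR_SPECIFIC and struct.unpack("!I", val[:4])[0] == CISCO_VENDOR_ID:
            vtype, vlen = val[4], val[5]
            if vtype == CISCO_AVPAIR:
                result["avpairs"].append(val[6:4 + vlen].decode())
        i += length
    return result


def exec_priv_level(attrs: dict) -> Optional[int]:
    """Exec privilege the switch will grant: shell:priv-lvl if present, else
    level 15 for Administrative-User (the behaviour the first reply describes)."""
    for av in attrs["avpairs"]:
        if av.startswith("shell:priv-lvl="):
            return int(av.split("=", 1)[1])
    return 15 if attrs["service_type"] == "Administrative-User" else None
```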
