New Member

Steel Belted Radius and Catalyst Switches

I have an older SBR appliance w/ version 5.43 and some Cisco Catalyst switches w/ 12.2.25 to 53. Trying to get authorization to work via RADIUS. Basic config is:

aaa new-model
aaa group server radius RADIUS
 server <ip> auth-port 1645 acct-port 1646
 server <ip> auth-port 1645 acct-port 1646
!
aaa authentication login default group RADIUS local
aaa authentication login loginauth local
aaa authorization exec default group RADIUS if-authenticated
!
radius-server host <ip> auth-port 1645 acct-port 1646
radius-server host <ip> auth-port 1645 acct-port 1646
radius-server source-ports 1645-1646
radius-server timeout 2
radius-server key <snip>

Steel Belted is set up with a group that has:

cisco-AVPAIR shell:priv-lvl=15
cisco-AVPAIR Service-Type=login

When I try to log in I get:

Username: kenny.sallee
Password:
% Authorization failed.

debug:

000860: 49w2d: tty2 AAA/AUTHOR/EXEC (3084441039): Port='tty2' list='' service=EXEC
000861: 49w2d: AAA/AUTHOR/EXEC: tty2 (3084441039) user='kenny.sallee'
000862: 49w2d: tty2 AAA/AUTHOR/EXEC (3084441039): send AV service=shell
000863: 49w2d: tty2 AAA/AUTHOR/EXEC (3084441039): send AV cmd*
000864: 49w2d: tty2 AAA/AUTHOR/EXEC (3084441039): found list "default"
000865: 49w2d: tty2 AAA/AUTHOR/EXEC (3084441039): Method=RADIUS (radius)
000866: 49w2d: AAA/AUTHOR (3084441039): Post authorization status = FAIL
000867: 49w2d: AAA/AUTHOR/EXEC: Authorization FAILED
LmUt-c3560-Tower-RM(config)#
000868: 49w2d: AAA/MEMORY: free_user (0x27000E8) user='kenny.sallee' ruser='NULL' port='tty2' rem_addr='1.2.250.219' authen_type=ASCII service=LOGIN priv=1

What I expect to happen is that the user gets authenticated at privilege level 15 (and when I get this working, I'm going to define privilege level 1 users). This works for some devices but not others (it seems to be older versions of code where it does not work).

If I change this

aaa authorization exec default group RADIUS if-authenticated

to

aaa authorization exec default if-authenticated

I can at least get authorized via SSH/Telnet; however, all logins are w/ privilege level 1 (vs 15 coming from the RADIUS server).

Any pointers?

1 REPLY
Cisco Employee

On the Steel Belted RADIUS server, what have you selected under model/make?

Also, please replace the Service-Type=login with Service-Type=Administrative on the RADIUS server.

Run the following debugs and test the authentication again:

debug radius
debug aaa authen
debug aaa authorization

Let me know how it goes.

~BR
Jatin Katyal

**Do rate helpful posts**
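As an added illustration that is not part of this thread and not SBR or Cisco code, the Python below decodes the attribute section of a RADIUS Access-Accept and reports what the switch's exec authorization would see for the two attributes discussed above: the Cisco-AVPair shell:priv-lvl=15 and Service-Type as Login versus Administrative. Attribute numbers are from RFC 2865; the Cisco vendor id (9) and Cisco-AVPair vendor type (1) are the standard VSA encoding, and the sample bytes are constructed.

```python
import re
import struct

# RFC 2865 attribute numbers, Cisco vendor id 9 and Cisco-AVPair vendor type 1.
SERVICE_TYPE, VENDOR_SPECIFIC = 6, 26
CISCO_VENDOR_ID, CISCO_AVPAIR = 9, 1
SERVICE_TYPE_NAMES = {1: "Login", 2: "Framed", 6: "Administrative", 7: "NAS-Prompt"}

def attr(atype: int, value: bytes) -> bytes:
    """Encode one attribute as Type, Length (header included), Value."""
    return struct.pack("!BB", atype, len(value) + 2) + value

def cisco_avpair(text: str) -> bytes:
    """Wrap text as a Cisco-AVPair: Type 26, Vendor-Id 9, Vendor-Type 1."""
    payload = text.encode()
    inner = struct.pack("!BB", CISCO_AVPAIR, len(payload) + 2) + payload
    return attr(VENDOR_SPECIFIC, struct.pack("!I", CISCO_VENDOR_ID) + inner)

def parse_attributes(data: bytes) -> list:
    """Walk the attribute section of an Access-Accept; unwrap Cisco AVPairs."""
    out, i = [], 0
    while i < len(data):
        if i + 2 > len(data) or data[i + 1] < 2 or i + data[i + 1] > len(data):
            raise ValueError("malformed attribute at offset %d" % i)
        atype, value = data[i], data[i + 2:i + data[i + 1]]
        if atype == SERVICE_TYPE and len(value) == 4:
            code = struct.unpack("!I", value)[0]
            out.append(("Service-Type", SERVICE_TYPE_NAMES.get(code, str(code))))
        elif (atype == VENDOR_SPECIFIC and len(value) >= 6
              and struct.unpack("!I", value[:4])[0] == CISCO_VENDOR_ID
              and value[4] == CISCO_AVPAIR and value[5] == len(value) - 4):
            out.append(("Cisco-AVPair", value[6:].decode(errors="replace")))
        else:
            out.append((atype, value))  # anything else is left raw
        i += data[i + 1]
    return out

def exec_authorization(data: bytes) -> dict:
    """Summarise what exec authorization on the switch sees in this reply."""
    result = {"service_type": None, "priv_lvl": None}
    for name, value in parse_attributes(data):
        if name == "Service-Type":
            result["service_type"] = value
        elif name == "Cisco-AVPair":
            m = re.fullmatch(r"shell:priv-lvl=(\d{1,2})", value)
            if m:
                result["priv_lvl"] = int(m.group(1))
    return result
```

Feeding it the attribute bytes of a captured Access-Accept (e.g. from debug radius output) shows whether the server actually returned priv-lvl 15 and which Service-Type the switch received.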
