You seem to be confusing authorization with authentication.  What you're trying
to do is control when people can telnet to your NAS; that's authentication.

You want something that looks (something) like this...  (written on IOS 12,
YMMV....)

aaa new-model

aaa authentication login default line    <-- that way, any authentication method
that you don't specify radius for uses its line password.  You might want to
make the default local since you've defined a local account on the NAS.  As
written, it uses the line password.

aaa authentication login radius-logins group radius line  <-- this way, if the
radius server FAILS, then it falls back to the line password.  Again, you'll
probably want to replace line with local for your config.

Then, go into config mode and get into the vty line.  Add the line

login authentication radius-logins

and then write config.  DON'T add the line to con; that way if/when you blow the
config, you can still console into the router and get in.  Or alternatively, you
can down the radius server and wait for the NAS to fall back to the line/local
password.  :)

Vincent Giovannone
Network Infrastructure Group
Information Services Division
Rush - Presbyterian St. Luke's Medical Center

"Monday" is the term used to signify the eighth day of my work week.
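A complete version of the configuration sketched above, as an added example that is not from either post in this thread. The server address, shared secret, local username and password are placeholders; exact command syntax varies between IOS releases (e.g. `secret` vs `password`, `start-stop` vs the older `wait-start`), so check against your own version.

```cisco
! Added example, not from the thread.  Placeholders: 10.0.0.5, the shared
! secret, the local username/password.
!
aaa new-model
!
! RADIUS server the NAS queries (placeholder address and key)
radius-server host 10.0.0.5 auth-port 1812 acct-port 1813 key EXAMPLE-SHARED-SECRET
!
! Local fallback account, only consulted when no RADIUS server answers
username admin privilege 15 secret EXAMPLE-LOCAL-PASSWORD
!
! Default login method list: local database.  Any line without a named
! list (the console included) uses this one.
aaa authentication login default local
!
! Named list for the vty lines: try RADIUS first; if the server is
! unreachable, fall back to the local database.  A RADIUS *reject* does
! not fall through to local; only a server that fails to respond does.
aaa authentication login radius-logins group radius local
!
! Authorization is a separate step from authentication.  Asking RADIUS
! for exec authorization with no fallback is what produces
! "Authorization Failed" for a locally defined user when RADIUS has no
! entry for it, so give this list a local fallback as well.
aaa authorization exec default group radius local
!
! Accounting, as in the original question
aaa accounting exec default start-stop group radius
!
! Apply the RADIUS-first list to the vty lines only
line vty 0 4
 login authentication radius-logins
 transport input telnet
!
! Console deliberately stays on the default (local) list, so a broken
! RADIUS setup cannot lock you out of the router.
line con 0
 login authentication default
```

With this in place, `telnet my-nas` authenticates against RADIUS and falls back to `admin` only when the server does not respond, while the console never depends on RADIUS at all.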

Samuel Maftoul <maftoul@esrf.fr>
08/09/2001 07:59 AM
Please respond to freeradius-users

To:      [EMAIL PROTECTED]
cc:      (bcc: Vincent Giovannone/Rush/RSH)
Subject: reformulating my problem - Re: authorization

In my last mail I must not have explained my problem well, because I misspelled
some things ....

So here goes my problem:
I have created 2 logins for testing purposes:
1 - One on the Radius server is testing/radius
2 - One on the Nas: userrad/passrad, enable pass is passrad2

With :
-----------
aaa new-model
aaa accounting exec wait-start radius
aaa accounting network wait-start radius
-----------
on telnet my-nas the "userrad" login works, but the "testing" one doesn't with
error message: "Access denied"(This is normal).

Then I add my aaa lines:
telnet my-nas , get logged , get ena , conf t :
#aaa authorization exec radius
#aaa authorization network radius
CTRL-Z.

So my aaa is now:
---------------
aaa new-model
aaa accounting exec wait-start radius
aaa accounting network wait-start radius
aaa authorization exec radius
aaa authorization network radius
---------------
Now, on telnet, neither the "testing" login nor the "userrad" one gets logged on
my nas:
"userrad" says : "Authorization Failed"
"testing" says : "Acces denied"

random login says : "Access denied"

Why are my logins coming from the users file ignored (same reply as a random
nonexistent login)?
Why can't my local login get authorized? (I think because I should have said
:aaa authorization exec radius local , right? )
(That is not the problem, I need to make the user database work from the users
file, which seems to be totally ignored)
My users file contains this (just for the tests ):
testing Auth-Type := Local, Password == "radius"
               Login-Service = Telnet,
               Login-TCP-Port = 23

Thanks for help
           Sam


-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html