Looks like you're trying to bring over a users file from a different 
radius server.  Here's what a working entry looks like:

"someuser"     Auth-Type := Local, Password == "userpassword", NAS-IP-Address == 127.0.0.3
               Reply-Message = "[myserver] Howdy!",
               cisco-avpair = "shell:priv-lvl=1"

Obviously, that example is also good for ONLY NAS 127.0.0.3, but it should 
give you a running start.

(You should leave that cisco-avpair in there; if you don't have it, you 
can crash Catalyst 5000 series switches running radius on login.)

Vincent Giovannone
Network Infrastructure Group
Information Services Division
Rush - Presbyterian St. Luke's Medical Center

"So for the IT Manager Role, you want someone who's absolute crap, looks 
reasonable on paper, and won't cause too much trouble. ...  Well I don't 
have any MCSEs on my books at the moment, but I could call around."    -- 
Simon Travaglia

Thomas Linden <[EMAIL PROTECTED]>
Sent by: [EMAIL PROTECTED]
11/15/2002 05:47 AM
Please respond to freeradius-users

        To:     [EMAIL PROTECTED]
        cc: 
        Subject:        Telnet auth against Cisco Router


Hello folks,

I successfully installed the freeradius server (version 0.7.1).

I configured a cisco router for authenticating telnet access against
the radius server. So far, I've got them talking together, but
the radius rejects my auth request.

Here is the entry in my users file:

DEFAULT          Auth-Type := Local
                 Fall-Through = 1

scip
                 Auth-Type = Local,
                 User-Password = "sack",
                 Service-Type = Login-User,
                 Login-Service = Telnet

(That means I don't want to use /etc/passwd or the like;
 the password has to be in the users file.)


Now if I telnet to the cisco, the radius server (started
with -X) states:

rad_recv: Access-Request packet from host 192.168.yyy.yyy:1645, id=39, length=106
        User-Name = "scip"
        User-Password = "\313\336\337\231:\335$2\241_\242\252\326\333W"
        NAS-Port = 3
        Cisco-AVPair = "interface=tty3"
        NAS-Port-Type = Virtual
        Calling-Station-Id = "192.168.***.***"
        Service-Type = Login-User
        NAS-IP-Address = 192.168.yyy.yyy
modcall: entering group authorize
  modcall[authorize]: module "preprocess" returns ok
rlm_chap: Could not find proper Chap-Password attribute in request
  modcall[authorize]: module "chap" returns noop
    rlm_realm: Looking up realm NULL for User-Name = "scip"
    rlm_realm: No such realm NULL
  modcall[authorize]: module "suffix" returns noop
    users: Matched DEFAULT at 215
    users: Matched scip at 218
  modcall[authorize]: module "files" returns ok
modcall: group authorize returns ok
  rad_check_password:  Found Auth-Type Local
auth: type Local
auth: No password configured for the user
Login incorrect (No password configured for the user): [scip/sack] (from client routers port 3 cli 192.168.***.***)
auth: Failed to validate the user.
Login incorrect: [scip/sack] (from client routers port 3 cli 192.168.***.***)


Here is what I see on the Cisco side:

20:54:06: RADIUS/ENCODE(00000024): ask "Username: "
20:54:06: RADIUS/ENCODE(00000024): send packet; GET_USER
bb03#
20:54:08: RADIUS/ENCODE(00000024): ask "Password: "
20:54:08: RADIUS/ENCODE(00000024): send packet; GET_PASSWORD
20:54:09: RADIUS/ENCODE(00000024): acct_session_id: 36
20:54:09: RADIUS(00000024): sending
20:54:09: RADIUS: Send to unknown id 40 192.168.xxx.xxx:1812, Access-Request, len 106
20:54:09: RADIUS:  authenticator 68 7C D8 7B 7C AF 3B 96 - 39 73 88 10 E1 3A 5E 8D
20:54:09: RADIUS:  User-Name           [1]   6   "scip"
20:54:09: RADIUS:  User-Password       [2]   18  *
20:54:09: RADIUS:  NAS-Port            [5]   6   3 
20:54:09: RADIUS:  Vendor, Cisco       [26]  22 
20:54:09: RADIUS:   Cisco AVpair       [1]   16  "interface=tty3"
20:54:09: RADIUS:  NAS-Port-Type       [61]  6   Virtual [5]
bb03#
20:54:09: RADIUS:  Calling-Station-Id  [31]  16  "192.168.***.***"
20:54:09: RADIUS:  Service-Type        [6]   6   Login [1]
20:54:09: RADIUS:  NAS-IP-Address      [4]   6   192.168.yyy.yyy  
bb03#
20:54:11: RADIUS: Received from id 40 192.168.xxx.xxx:1812, Access-Reject, len 20
20:54:11: RADIUS:  authenticator 8B CF FB C9 C3 5D 00 B0 - DF BD 52 66 0A 08 C7 02
20:54:11: RADIUS: Received from id 24
20:54:11: RADIUS/DECODE: parse response short packet; IGNORE

My question: how can I get FreeRADIUS to let me telnet into the
Cisco router? Why does it claim that there is no password set,
although it's defined in the users file?


thanks in advance,

Tom

-- 
Thomas Linden <[EMAIL PROTECTED]>,  I Z B  Informatik-Zentrum
Muenchen-Frankfurt a.M. GmbH & Co.KG, Internet Service Providing
OE532 Tel:089/2171-27998, Fax:089/2171-27995,  http://www.izb.de
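The entry in the question puts User-Password on an indented continuation line, which the users file treats as a reply item (sent back in the Access-Accept), while the working entry in the reply keeps the password on the first line as a check item (compared against the request). The checker below makes that difference mechanical. It is an added example written for this page, not code from either poster or from the FreeRADIUS project; it assumes only the standard users-file layout (column-0 line = user name plus check items, indented lines = reply items), the sample entries are constructed copies of the two on the page, and the Entry class, function names and problem-code strings are the example's own.

```python
import re
from dataclasses import dataclass, field

# Users-file layout: the column-0 line holds the user name plus the *check*
# items (matched against the request); indented continuation lines hold the
# *reply* items (returned in the Access-Accept). A password on a continuation
# line is never compared, which is what "No password configured" reports.
_ITEM_RE = re.compile(r'([\w-]+)\s*(:=|==|\+=|!=|=~|!~|>=|<=|=|>|<)\s*(.*?)\s*$')
# "Password" (the reply's spelling) and "User-Password" (the question's) both accepted
PASSWORD_ATTRS = {"User-Password", "Password", "Crypt-Password"}
# problem codes produced by lint_users() (names are this example's own)
REPLY_ITEM_PASSWORD = "password-on-continuation-line"
REPLY_ITEM_AUTH_TYPE = "auth-type-on-continuation-line"
NO_PASSWORD_CHECK = "auth-type-local-without-password-check"

@dataclass
class Entry:
    name: str
    line: int
    check: list = field(default_factory=list)  # (attr, op, value) from line 1
    reply: list = field(default_factory=list)  # (attr, op, value) from the rest

def _split_items(text):
    """Split on commas outside double quotes; a trailing comma yields nothing."""
    items, cur, quoted = [], [], False
    for ch in text:
        if ch == '"':
            quoted = not quoted
        if ch == ',' and not quoted:
            items.append(''.join(cur))
            cur = []
        else:
            cur.append(ch)
    items.append(''.join(cur))
    return [i.strip() for i in items if i.strip()]

def _parse_item(text, line):
    m = _ITEM_RE.match(text)
    if not m:
        raise ValueError("line %d: cannot parse item %r" % (line, text))
    attr, op, value = m.groups()
    if len(value) >= 2 and value[0] == value[-1] == '"':
        value = value[1:-1]
    return attr, op, value

def parse_users(text):
    """Return the Entry list for a users file (comments and blank lines skipped)."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.rstrip()
        if not line.strip() or line.lstrip().startswith('#'):
            continue
        if line[0] not in ' \t':           # new entry: name, then check items
            parts = line.split(None, 1)
            entry = Entry(parts[0].strip('"'), lineno)
            entry.check = [_parse_item(i, lineno) for i in _split_items(parts[1] if len(parts) > 1 else "")]
            entries.append(entry)
        elif entries:                      # continuation line: reply items
            entries[-1].reply.extend(_parse_item(i, lineno) for i in _split_items(line))
        else:
            raise ValueError("line %d: continuation line before any entry" % lineno)
    return entries

def lint_users(text):
    """Map entry name -> [(attr, problem code)] for entries that have a problem."""
    findings, default_local = {}, False
    for e in parse_users(text):
        probs = []
        local = any(a == "Auth-Type" and v == "Local" for a, _, v in e.check)
        for attr, _, _ in e.reply:
            if attr in PASSWORD_ATTRS:
                probs.append((attr, REPLY_ITEM_PASSWORD))
            elif attr == "Auth-Type":
                probs.append((attr, REPLY_ITEM_AUTH_TYPE))
        if e.name == "DEFAULT":
            # DEFAULT with Fall-Through hands Auth-Type Local on to later entries (simplified: all of them)
            default_local |= local and any(a == "Fall-Through" for a, _, _ in e.reply)
        elif (local or default_local) and not {a for a, _, _ in e.check} & PASSWORD_ATTRS:
            probs.append(("Auth-Type", NO_PASSWORD_CHECK))
        if probs:
            findings[e.name] = probs
    return findings

# Constructed samples modelled on the two entries in the thread.
BROKEN = """\
DEFAULT          Auth-Type := Local
                 Fall-Through = 1
scip
                 Auth-Type = Local,
                 User-Password = "sack",
                 Login-Service = Telnet
"""
WORKING = """\
"someuser"     Auth-Type := Local, Password == "userpassword", NAS-IP-Address == 127.0.0.3
               Reply-Message = "[myserver] Howdy!",
               cisco-avpair = "shell:priv-lvl=1"
"""

if __name__ == "__main__":
    for label, text in (("broken", BROKEN), ("working", WORKING)):
        print(label, lint_users(text) or "no problems found")
```

Running it reports the scip entry three times over: Auth-Type on a continuation line (a reply item, so it selects nothing), User-Password on a continuation line (a reply item, so it is never compared), and Auth-Type Local inherited from the DEFAULT entry's Fall-Through with no password check item to match, which is the condition behind "auth: No password configured for the user". The working entry from the reply produces no findings. The fix the checker points at is the one the reply shows: put the password on the first line, after the user name, with the == comparison operator.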

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html