We have installed radius 0.9 on a Linux box and it works fine with
Cisco AS5200 and AS5300.
We tried to install a new AS5400 to work with radius, but we have a
problem with the authorize section.
The configuration in AS5400 is the following:
aaa authentication login default local group tacacs+ group radius
aaa authentication ppp default group radius
aaa authorization exec default local group tacacs+ group radius
aaa authorization network default group radius
aaa accounting exec default start-stop group radius
aaa accounting network default start-stop group radius
With this config, async users can log in with no problem, but ISDN users
pass the authentication section and have no authorization.
When we change the authorization line for network to this:
aaa authorization network default if-authenticated group radius
both async and ISDN users can log in, but some attributes are not passed
(like radiusFramedIPAddress, radiusPortLimit).
From the debugging we actually see that radius works fine and sends an
Auth Ack and after that sends the attributes for the user, but for some
reason the AS5400 cannot accept those attributes and the PPP protocol
terminates.
Here is the debug from radius:
rad_recv: Access-Request packet from host 147.52.3.14:1645, id=140, length=106
Framed-Protocol = PPP
User-Name = "xxxxxxx"
User-Password = "xxxxxx"
NAS-Port = 20000
NAS-Port-Type = ISDN
Called-Station-Id = "5603327"
Calling-Station-Id = "123456"
Service-Type = Framed-User
NAS-IP-Address = xxxx.xxxx.xxxx.xxxx
rad_lowerpair: User-Name now '[EMAIL PROTECTED]'
modcall: entering group authorize
modcall[authorize]: module "preprocess" returns ok
users: Matched DEFAULT at 19
users: Matched DEFAULT at 26
modcall[authorize]: module "files" returns ok
modcall[authorize]: module "mschap" returns noop
modcall[authorize]: module "chap" returns noop
rlm_realm: Looking up realm "uoc.gr" for User-Name = "[EMAIL PROTECTED]"
rlm_realm: Found realm "uoc.gr"
rlm_realm: Adding Stripped-User-Name = "kchristo"
rlm_realm: Proxying request from user kchristo to realm uoc.gr
rlm_realm: Adding Realm = "uoc.gr"
rlm_realm: Authentication realm is LOCAL.
modcall[authorize]: module "uoc" returns noop
rlm_realm: Request already proxied. Ignoring.
modcall[authorize]: module "old" returns noop
radius_xlat: 'xxxxxxxx'
rlm_sql (sql): sql_set_user escaped user --> 'xxxxxxxxxx'
radius_xlat: 'SELECT id,UserName,Attribute,Value,op FROM radcheck
WHERE Username = 'xxxxxxxxx' ORDER BY id'
rlm_sql (sql): Reserving sql socket id: 4
rlm_sql (sql): User xxxxxxxxx not found in radcheck
radius_xlat: 'SELECT
radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupcheck.Value,radgroupcheck.op
FROM radgroupcheck,usergroup WHERE usergroup.Username = '[EMAIL PROTECTED]' AND
usergroup.GroupName = radgroupcheck.GroupName ORDER BY radgroupcheck.id'
radius_xlat: 'SELECT
radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgroupreply.Value,radgroupreply.op
FROM radgroupreply,usergroup WHERE usergroup.Username = '[EMAIL PROTECTED]' AND
usergroup.GroupName = radgroupreply.GroupName ORDER BY radgroupreply.id'
rlm_sql (sql): User xxxxxxxxx not found in radgroupcheck
rlm_sql (sql): User not found
rlm_sql (sql): Released sql socket id: 4
modcall[authorize]: module "sql" returns notfound
rlm_ldap: - authorize
rlm_ldap: performing user authorization for kchristo
radius_xlat: '(uid=kchristo)'
radius_xlat: 'ou=people,dc=uoc,dc=gr'
ldap_get_conn: Got Id: 0
rlm_ldap: attempting LDAP reconnection
rlm_ldap: (re)connect to 147.52.80.1:389, authentication 0
rlm_ldap: bind as cn=Directory Manager/xxxxxxxxx to 147.52.80.1:389
rlm_ldap: waiting for bind result ...
rlm_ldap: performing search in ou=people,dc=uoc,dc=gr, with filter (uid=kchristo)
rlm_ldap: performing search in uid=default-dialup,ou=people,dc=uoc,dc=gr, with filter
(objectclass=radiusprofile)
rlm_ldap: object not found or got ambiguous search result
rlm_ldap: default_profile/user-profile search failed
rlm_ldap: looking for check items in directory...
rlm_ldap: Adding radiusCalledStationId as Called-Station-Id, value 12 & op=21
rlm_ldap: Adding radiusCalledStationId as Called-Station-Id, value 44 & op=21
rlm_ldap: Adding radiusCalledStationId as Called-Station-Id, value 39 & op=21
rlm_ldap: Adding radiusCalledStationId as Called-Station-Id, value 77 & op=21
rlm_ldap: Adding radiusCalledStationId as Called-Station-Id, value 5603327 & op=21
rlm_ldap: Adding npSessionsAllowed as Simultaneous-Use, value 3 & op=21
rlm_ldap: looking for reply items in directory...
rlm_ldap: Adding radiusPortLimit as Port-Limit, value 1 & op=11
rlm_ldap: Adding radiusFramedIPAddress as Framed-IP-Address, value 147.52.3.83 & op=11
rlm_ldap: user kchristo authorized to use remote access
ldap_release_conn: Release Id: 0
modcall[authorize]: module "ldap" returns ok
rlm_checkval: Item Name: Called-Station-Id, Value: 5603327
rlm_checkval: Value Name: Called-Station-Id, Value: 12
rlm_checkval: Value Name: Called-Station-Id, Value: 44
rlm_checkval: Value Name: Called-Station-Id, Value: 39
rlm_checkval: Value Name: Called-Station-Id, Value: 77
rlm_checkval: Value Name: Called-Station-Id, Value: 5603327
modcall[authorize]: module "calledid-check" returns ok
rlm_checkval: Item Name: Calling-Station-Id, Value: 2831020899
rlm_checkval: Could not find attribute named Calling-Station-Id in check pairs
modcall[authorize]: module "callerid-check" returns notfound
modcall: group authorize returns ok
rad_check_password: Found Auth-Type LDAP
auth: type "Ldap"
modcall: entering group authtype
rlm_ldap: - authenticate
rlm_ldap: login attempt by "xxxxxxx" with password "xxxxx"
rlm_ldap: user DN: uid=kchristo,ou=people, dc=uoc,dc=gr
rlm_ldap: (re)connect to 147.52.80.1:389, authentication 1
rlm_ldap: bind as uid=kchristo,ou=people, dc=uoc,dc=gr/7979 to 147.52.80.1:389
rlm_ldap: waiting for bind result ...
rlm_ldap: user kchristo authenticated succesfully
modcall[authenticate]: module "ldap" returns ok
modcall: group authtype returns ok
modcall: entering group session
radius_xlat: '/opt/radius/var/log/radius/radutmp'
radius_xlat: 'xxxxxxxxxxxxx'
modcall[session]: module "radutmp" returns ok
modcall: group session returns ok
Login OK: [xxxxxxxxxxx] (from client python2 port 20000 cli 123456)
Sending Access-Accept of id 140 to xxxx.xxxx.xxxx.xxxx:1645
Service-Type = Framed-User
Framed-Protocol = PPP
Framed-Compression = Van-Jacobson-TCP-IP
Framed-MTU = 1500
Login-IP-Host = 0.0.0.0
Port-Limit = 1
Framed-IP-Address = xxxxx.xxxxxx.xxxxx.xxxxx
Finished request 0
Any ideas???
Costas A. Christonis
Networking & Communications Centre
Gallos Campus - University of Crete
email: [EMAIL PROTECTED]
http://www.ucnet.uoc.gr/
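An added example, not part of the original post and not FreeRADIUS's own code: a small Python parser for a radiusd debug transcript like the one above. It pulls the attributes of the Access-Request, the return code of every module called in the authorize group, and the attributes the server put in the Access-Accept, so one can confirm from the server side that Port-Limit and Framed-IP-Address really were sent before turning to the NAS debugging. The sample transcript embedded in the block is constructed from the post's output with the same masked values; the function names and the list of "expected" reply attributes are my own choices.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed sample, modelled on the radiusd -X output in the post
# (masked values kept as in the post; this is not a live capture).
SAMPLE_DEBUG = """\
rad_recv: Access-Request packet from host 147.52.3.14:1645, id=140, length=106
        Framed-Protocol = PPP
        User-Name = "xxxxxxx"
        NAS-Port = 20000
        NAS-Port-Type = ISDN
        Service-Type = Framed-User
modcall: entering group authorize
modcall[authorize]: module "preprocess" returns ok
modcall[authorize]: module "files" returns ok
modcall[authorize]: module "sql" returns notfound
modcall[authorize]: module "ldap" returns ok
modcall: group authorize returns ok
Sending Access-Accept of id 140 to 147.52.3.14:1645
        Service-Type = Framed-User
        Framed-Protocol = PPP
        Framed-MTU = 1500
        Port-Limit = 1
        Framed-IP-Address = 147.52.3.83
Finished request 0
"""

# Line shapes taken from the transcript: packet received, packet sent,
# "attribute = value" lines, and per-module return codes.
RECV_RE = re.compile(r'^rad_recv: (\S+) packet from host (\S+), id=(\d+), length=(\d+)')
SEND_RE = re.compile(r'^Sending (\S+) of id (\d+) to (\S+)')
MODCALL_RE = re.compile(r'^modcall\[(\w+)\]: module "([^"]+)" returns (\w+)')
ATTR_RE = re.compile(r'^\s*([\w-]+)\s*=\s*(.*)$')


@dataclass
class RadiusExchange:
    request_code: Optional[str] = None
    request_id: Optional[int] = None
    request: Dict[str, str] = field(default_factory=dict)
    reply_code: Optional[str] = None
    reply_id: Optional[int] = None
    reply: Dict[str, str] = field(default_factory=dict)
    # (section, module) -> return code, e.g. ("authorize", "sql") -> "notfound"
    module_results: Dict[Tuple[str, str], str] = field(default_factory=dict)


def parse_debug(text: str) -> RadiusExchange:
    """Parse one request/reply exchange out of a radiusd debug transcript."""
    ex = RadiusExchange()
    section = None  # "request" or "reply" while attribute lines follow a packet line
    for line in text.splitlines():
        m = RECV_RE.match(line)
        if m:
            ex.request_code, ex.request_id = m.group(1), int(m.group(3))
            section = "request"
            continue
        m = SEND_RE.match(line)
        if m:
            ex.reply_code, ex.reply_id = m.group(1), int(m.group(2))
            section = "reply"
            continue
        m = MODCALL_RE.match(line)
        if m:
            ex.module_results[(m.group(1), m.group(2))] = m.group(3)
            section = None
            continue
        m = ATTR_RE.match(line)
        if m and section is not None:
            target = ex.request if section == "request" else ex.reply
            # String values are printed quoted; numbers and enums are not.
            target[m.group(1)] = m.group(2).strip().strip('"')
            continue
        section = None  # any other line ends the attribute list
    return ex


def missing_reply_attrs(ex: RadiusExchange, expected: List[str]) -> List[str]:
    """Attributes the reply was expected to carry but does not."""
    return [a for a in expected if a not in ex.reply]


def authorize_failures(ex: RadiusExchange) -> Dict[str, str]:
    """Authorize-group modules whose return code is neither ok, noop nor notfound."""
    return {mod: rc for (sec, mod), rc in ex.module_results.items()
            if sec == "authorize" and rc not in ("ok", "noop", "notfound")}


if __name__ == "__main__":
    ex = parse_debug(SAMPLE_DEBUG)
    print(ex.request_code, ex.request_id, ex.request.get("NAS-Port-Type"))
    print(ex.reply_code, ex.reply_id, ex.reply)
    print("missing:", missing_reply_attrs(ex, ["Port-Limit", "Framed-IP-Address"]))
    print("authorize failures:", authorize_failures(ex))
```

Run against the transcript in the post, the parser shows an Access-Accept for id 140 that does contain Port-Limit and Framed-IP-Address, and no authorize module returning reject or fail; that narrows the problem to how the NAS treats the accept, which is the point the post makes from reading the log by hand.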