I am having trouble with exec authorization when I telnet to a Cisco 2500 router which is configured for AAA against my FreeRADIUS box (version 1.0.0-pre0).
With the following configuration on my router:
aaa new-model
aaa authentication login vty-in group radius local
aaa authentication login console-in group radius local
aaa authentication enable default group radius enable
aaa authentication ppp default group radius local
aaa accounting exec default start-stop group radius
aaa accounting commands 15 default start-stop group radius
aaa accounting network default start-stop group radius
aaa accounting connection default start-stop group radius
aaa authorization exec default group radius local
I have the following problem:
$ telnet toprouter
Trying 172.20.1.10...
Connected to toprouter.localdomain (172.20.1.10).
Escape character is '^]'.
Username: topruser
Password:
% Authorization failed.
Connection closed by foreign host.
`debug aaa authorization` shows:
TopRouter#
01:10:33: AAA: parse name=tty19 idb type=-1 tty=-1
01:10:33: AAA: name=tty19 flags=0x11 type=5 shelf=0 slot=0 adapter=0 port=19 channel=0
01:10:33: AAA/MEMORY: create_user (0x652E90) user='' ruser='' port='tty19' rem_addr='172.20.1.200' authen_type=ASCII service=LOGIN priv=1 initial_task_id='0'
01:10:41: tty19 AAA/AUTHOR/EXEC (1475418648): Port='tty19' list='' service=EXEC
01:10:41: AAA/AUTHOR/EXEC: tty19 (1475418648) user='topruser'
01:10:41: tty19 AAA/AUTHOR/EXEC (1475418648): send AV service=shell
01:10:41: tty19 AAA/AUTHOR/EXEC (1475418648): send AV cmd*
01:10:41: tty19 AAA/AUTHOR/EXEC (1475418648): found list "default"
01:10:41: tty19 AAA/AUTHOR/EXEC (1475418648): Method=radius (radius)
01:10:41: AAA/AUTHOR (1475418648): Post authorization status = FAIL
01:10:41: AAA/AUTHOR/EXEC: Authorization FAILED
01:10:43: AAA/MEMORY: free_user (0x652E90) user='topruser' ruser='' port='tty19' rem_addr='172.20.1.200' authen_type=ASCII service=LOGIN priv=1
And the debug output from freeradius daemon shows:
rad_recv: Access-Request packet from host 172.20.1.10:1645, id=49, length=80
NAS-IP-Address = 172.20.1.10
NAS-Port = 19
NAS-Port-Type = Virtual
User-Name = "topruser"
Calling-Station-Id = "172.20.1.200"
User-Password = "t1e2s3t4"
modcall: entering group authorize for request 49
modcall[authorize]: module "preprocess" returns ok for request 49
modcall[authorize]: module "chap" returns noop for request 49
modcall[authorize]: module "mschap" returns noop for request 49
rlm_realm: No '@' in User-Name = "topruser", looking up realm NULL
rlm_realm: No such realm "NULL"
modcall[authorize]: module "suffix" returns noop for request 49
rlm_eap: No EAP-Message, not doing EAP
modcall[authorize]: module "eap" returns noop for request 49
users: Matched DEFAULT at 164
modcall[authorize]: module "files" returns ok for request 49
modcall: group authorize returns ok for request 49
rad_check_password: Found Auth-Type System
auth: type "System"
modcall: entering group authenticate for request 49
modcall[authenticate]: module "unix" returns ok for request 49
modcall: group authenticate returns ok for request 49
Sending Access-Accept of id 49 to 172.20.1.10:1645
Finished request 49
Going to the next request
--- Walking the entire request list ---
Waking up in 6 seconds...
If I remove the "aaa authorization exec default group radius local"
entry on the router, I can get in fine. I should note that
authentication works A-OK with my freeradius box. It's the authorization
that is giving me issues.
I looked on the net and newsgroups for this issue; a few people have had
the same problem with other versions of FreeRADIUS and Cisco IOS, but no
clear resolution was given.
Thanks!
--john
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
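An added example, not part of the original post or the poster's configuration. The FreeRADIUS debug above shows the Access-Accept for request 49 going out with no reply attributes (the matched DEFAULT entry only supplies Auth-Type := System), and the IOS debug shows the router then evaluating exec authorization (send AV service=shell) against that reply and failing. IOS grants exec authorization from RADIUS only when the Access-Accept carries a Service-Type of NAS-Prompt-User or Administrative-User (or a Cisco-AVPair of the form shell:priv-lvl=N); the "local" method in the router's list is only consulted when the RADIUS server does not answer, not when it answers without those attributes. Assuming the account is defined in the FreeRADIUS raddb/users file, a per-user entry placed ahead of the DEFAULT entry that returns the attribute would look like this (the username is taken from the post; the entry itself is hypothetical):

```text
# raddb/users -- added example entry, not the poster's file.
# Place it BEFORE the DEFAULT entry: the first matching entry wins and,
# without Fall-Through = Yes, later entries are not consulted, so the
# DEFAULT entry keeps granting plain authentication only.
#
# First line: check items.  Indented lines: reply items sent in the Access-Accept.
# Service-Type is the attribute IOS inspects for
# "aaa authorization exec default group radius local":
#   NAS-Prompt-User     -> exec shell at privilege 1; "enable" still goes
#                          through "aaa authentication enable default group radius enable"
#   Administrative-User -> exec shell directly at privilege 15
# A Cisco-AVPair reply item such as "shell:priv-lvl=15" (requires
# dictionary.cisco, shipped with FreeRADIUS) sets the level explicitly instead.
topruser	Auth-Type := System
	Service-Type = NAS-Prompt-User
```

After adding the entry and restarting radiusd -X, the "Sending Access-Accept of id ..." line for the request should be followed by the Service-Type reply item, and the IOS "Post authorization status" line should read PASS. Returning the attribute per user (or per group via a Group check item) rather than on the DEFAULT entry keeps exec access from being granted to every account the unix module can verify.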