I have already provided such output in my original posting. Please read my
posting again - thoroughly.
Here is another instance of radiusd debug output (again, similar to my orig.
posting):
rad_recv: Access-Request packet from host 172.20.1.10:1645, id=61, length=80
        NAS-IP-Address = 172.20.1.10
        NAS-Port = 19
        NAS-Port-Type = Virtual
        User-Name = "topruser"
        Calling-Station-Id = "172.20.1.200"
        User-Password = "t1e2s3t4"
modcall: entering group authorize for request 0
modcall[authorize]: module "preprocess" returns ok for request 0
modcall[authorize]: module "chap" returns noop for request 0
modcall[authorize]: module "mschap" returns noop for request 0
rlm_realm: No '@' in User-Name = "topruser", looking up realm NULL
rlm_realm: No such realm "NULL"
modcall[authorize]: module "suffix" returns noop for request 0
rlm_eap: No EAP-Message, not doing EAP
modcall[authorize]: module "eap" returns noop for request 0
users: Matched DEFAULT at 164
modcall[authorize]: module "files" returns ok for request 0
modcall: group authorize returns ok for request 0
rad_check_password: Found Auth-Type System
auth: type "System"
modcall: entering group authenticate for request 0
modcall[authenticate]: module "unix" returns ok for request 0
modcall: group authenticate returns ok for request 0
Sending Access-Accept of id 61 to 172.20.1.10:1645
Finished request 0
Going to the next request
If I use either one of the following aaa authorization entries on the router,
authorization works fine:
aaa authorization exec default local
(or)
aaa authorization exec default if-authenticated local
In my users file, I have simply:
DEFAULT Auth-Type = System
        Fall-Through = 1
as the user "topruser" is in the freeradius server's /etc/passwd file.
Again, authentication for this user via freeradius works.
But "aaa authorization exec default group radius local" fails. I have also
looked at tcpdump network traces of the failures, and they reveal nothing.
The issue is with freeradius, perhaps a configuration I am missing. I have
read about profiles that need to be added to a RADIUS server for
authorization, but I have failed to find any freeradius-related
documentation relating to such (not even in the O'Reilly book).
--john
> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] Behalf Of Milver S. Nisay
> Sent: Saturday, June 05, 2004 6:29 AM
> To: [EMAIL PROTECTED]
> Subject: Re: Authorization not working w/ Cisco
>
>
> better to show radiusd -X with the case WHEN you cannot get it, that will
> help isolating the problem.
> //milver
> ----- Original Message -----
> From: "John Sasso Jr" <[EMAIL PROTECTED]>
> To: <[EMAIL PROTECTED]>
> Sent: Saturday, June 05, 2004 2:56 PM
> Subject: RE: Authorization not working w/ Cisco
>
>
> > This does not answer my question, which IS related to freeradius. I have
> > gone through the O'Reilly "RADIUS" book, which does a good job at explaining
> > implementing Authentication and Accounting with freeradius, but neglects
> > Authorization (which is what I am trying to do). Again, I am trying to
> > implement authorization through RADIUS, not local to the Cisco router
> > itself. I gave the exec issue as one example; I had a similar issue with
> > network as well (authorization only, NOT accounting and authentication).
> >
> > Thanks --john
> >
> > > -----Original Message-----
> > > From: [EMAIL PROTECTED]
> > > [mailto:[EMAIL PROTECTED] Behalf Of Milver S. Nisay
> > > Sent: Friday, June 04, 2004 9:44 PM
> > > To: [EMAIL PROTECTED]
> > > Subject: Re: Authorization not working w/ Cisco
> > >
> > >
> > > >
> > > > If I remove the "aaa authorization exec default group radius local"
> > > > entry on the router, I can get in fine. I should note that
> > > > authentication works A-OK with my freeradius box. It's the authorization
> > > > that is giving me issues.
> > >
> > > this happens to be cisco related question and be directed to cisco search
> > > link
> > > anyway, this works for me, have you tried this before since it's
> > > authorization issue according to you.
> > >
> > > aaa authorization exec default local
> > > aaa authorization network default local group radius
> > >
> > > here is the link to look for it if it didn't work for you
> > > http://www.cisco.com/pcgi-bin/search/search.pl?searchPhrase=route-cache&nv=Search+All+cisco.com%23%23cisco.com&nv=Technical+Support+%26+documentation%23%23cisco.com%23TSD&language=en&country=US&accessLevel=Guest&siteToSearch=cisco.com
> >
> > u can
> >
> >
> >
> >
> > -
> > List info/subscribe/unsubscribe? See
> > http://www.freeradius.org/list/users.html
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
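
RADIUS carries authorization data as reply attributes inside the Access-Accept, so the lines following "Sending Access-Accept" in radiusd debug output are the place to check what the NAS was actually given. The parser below is an added example, not code from this thread or from the FreeRADIUS project: it reads debug output in the format posted above, lists module results and reply attributes per request, and masks User-Password. The sample log is constructed from the post with a placeholder password, and the function names are hypothetical.

```python
import re

# Constructed sample: trimmed from the debug output in the post, placeholder password.
SAMPLE = """\
rad_recv: Access-Request packet from host 172.20.1.10:1645, id=61, length=80
NAS-IP-Address = 172.20.1.10
User-Name = "topruser"
User-Password = "example-password"
modcall[authorize]: module "preprocess" returns ok for request 0
modcall[authorize]: module "files" returns ok for request 0
rad_check_password: Found Auth-Type System
modcall[authenticate]: module "unix" returns ok for request 0
Sending Access-Accept of id 61 to 172.20.1.10:1645
Finished request 0
"""

ATTR = re.compile(r'^\s*([A-Za-z][\w-]*) = (.*)$')
RECV = re.compile(r'^rad_recv: (\S+) packet from host \S+, id=(\d+)')
SEND = re.compile(r'^Sending (\S+) of id (\d+) to ')
MODULE = re.compile(r'^\s*modcall\[(\w+)\]: module "([^"]+)" returns (\w+)')

def summarize(log):
    """Return one dict per request: attributes received, module results, reply."""
    requests, current, section = [], None, None
    for line in log.splitlines():
        if m := RECV.match(line):
            current = {"id": int(m[2]), "request": {}, "modules": [],
                       "reply_code": None, "reply": {}}
            requests.append(current)
            section = "request"          # attribute lines now belong to the request
        elif current is None:
            continue                     # ignore anything before the first packet
        elif m := SEND.match(line):
            current["reply_code"], section = m[1], "reply"
        elif m := MODULE.match(line):
            current["modules"].append((m[1], m[2], m[3]))
            section = None
        elif (m := ATTR.match(line)) and section:
            # Debug mode prints PAP passwords in clear text; never keep them.
            value = "<redacted>" if m[1] == "User-Password" else m[2].strip('"')
            current[section][m[1]] = value
        else:
            section = None               # any other line ends an attribute list
    return requests

def accepts_without_reply_attributes(requests):
    """IDs of Access-Accepts that carried no reply attributes at all."""
    return [r["id"] for r in requests
            if r["reply_code"] == "Access-Accept" and not r["reply"]]
```

Run over the sample, `accepts_without_reply_attributes(summarize(SAMPLE))` returns `[61]`: the accept in the posted output was sent with an empty reply list.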