What about radiusd -x? Run FreeRADIUS in debug mode.

On Sun, 11 Jul 2004, Robert Banniza wrote:

> Here is the debug output:
>
> 2d04h: AAA/MEMORY: create_user (0x20F7E20) user='' ruser='' port='tty1'
> +rem_addr='10.1.1.162' authen_type=ASCII service=LOGIN priv=1
> 2d04h: AAA/AUTHEN/START (1821432037): port='tty1' list='' action=LOGIN
> +service=LOGIN
> 2d04h: AAA/AUTHEN/START (1821432037): using "default" list
> 2d04h: AAA/AUTHEN/START (1821432037): Method=radius (radius)
> 2d04h: AAA/AUTHEN (1821432037): status = GETUSER
> 2d04h: AAA/AUTHEN/CONT (1821432037): continue_login (user='(undef)')
> 2d04h: AAA/AUTHEN (1821432037): status = GETUSER
> 2d04h: AAA/AUTHEN (1821432037): Method=radius (radius)
> 2d04h: AAA/AUTHEN (1821432037): status = GETPASS
> 2d04h: AAA/AUTHEN/CONT (1821432037): continue_login (user='homer')
> 2d04h: AAA/AUTHEN (1821432037): status = GETPASS
> 2d04h: AAA/AUTHEN (1821432037): Method=radius (radius)
> 2d04h: AAA/AUTHEN (1821432037): status = PASS
> 2d04h: tty1 AAA/AUTHOR/EXEC (3720401710): Port='tty1' list=''
> service=EXEC
> 2d04h: AAA/AUTHOR/EXEC: tty1 (3720401710) user='homer'
> 2d04h: tty1 AAA/AUTHOR/EXEC (3720401710): send AV service=shell
> 2d04h: tty1 AAA/AUTHOR/EXEC (3720401710): send AV cmd*
> 2d04h: tty1 AAA/AUTHOR/EXEC (3720401710): found list "default"
> 2d04h: tty1 AAA/AUTHOR/EXEC (3720401710): Method=radius (radius)
> 2d04h: AAA/AUTHOR (3720401710): Post authorization status = FAIL
> 2d04h: AAA/AUTHOR/EXEC: Authorization FAILED
> 2d04h: AAA/MEMORY: free_user (0x20F7E20) user='homer' ruser=''
> port='tty1'
> +rem_addr='10.1.1.162' authen_type=ASCII service=LOGIN priv=1
> Soutlake#2#
> 2d04h: AAA: parse name=tty1 idb type=-1 tty=-1
> 2d04h: AAA: name=tty1 flags=0x11 type=5 shelf=0 slot=0 adapter=0 port=1
> +channel=0
> 2d04h: AAA/MEMORY: create_user (0x20F7C0C) user='' ruser='' port='tty1'
> +rem_addr='10.1.1.162' authen_type=ASCII service=LOGIN priv=1
> 2d04h: AAA/AUTHEN/START (2535633014): port='tty1' list='' action=LOGIN
> +service=LOGIN
> 2d04h: AAA/AUTHEN/START (2535633014): using "default" list
> 2d04h: AAA/AUTHEN/START (2535633014): Method=radius (radius)
> 2d04h: AAA/AUTHEN (2535633014): status = GETUSER
> 2d04h: AAA/AUTHEN/CONT (2535633014): continue_login (user='(undef)')
> 2d04h: AAA/AUTHEN (2535633014): status = GETUSER
> 2d04h: AAA/AUTHEN (2535633014): Method=radius (radius)
> 2d04h: AAA/AUTHEN (2535633014): status = GETPASS
> 2d04h: AAA/AUTHEN/CONT (2535633014): continue_login (user='jessica')
> 2d04h: AAA/AUTHEN (2535633014): status = GETPASS
> 2d04h: AAA/AUTHEN (2535633014): Method=radius (radius)
> 2d04h: AAA/AUTHEN (2535633014): status = PASS
> 2d04h: tty1 AAA/AUTHOR/EXEC (1601631891): Port='tty1' list=''
> service=EXEC
> 2d04h: AAA/AUTHOR/EXEC: tty1 (1601631891) user='jessica'
> 2d04h: tty1 AAA/AUTHOR/EXEC (1601631891): send AV service=shell
> 2d04h: tty1 AAA/AUTHOR/EXEC (1601631891): send AV cmd*
> 2d04h: tty1 AAA/AUTHOR/EXEC (1601631891): found list "default"
> 2d04h: tty1 AAA/AUTHOR/EXEC (1601631891): Method=radius (radius)
> 2d04h: AAA/AUTHOR (1601631891): Post authorization status = FAIL
> 2d04h: AAA/AUTHOR/EXEC: Authorization FAILED
> 2d04h: AAA/MEMORY: free_user (0x20F7C0C) user='jessica' ruser=''
> port='tty1'
> +rem_addr='10.1.1.162' authen_type=ASCII service=LOGIN priv=1
>
> On Fri, Jul 09, 2004 at 12:42:05PM -0400, Dustin Doris wrote:
> > What is the debug output?  What happens when you try to login to the
> > router?  User denied?
> >
> > On Fri, 9 Jul 2004, Robert Banniza wrote:
> >
> > > Guys,
> > > We are trying to allow users to authenticate to Cisco 26xx routers using
> > > Freeradius with the rlm_ldap module (OpenLDAP). We would like some of
> > > these users to be able to log in with enable privileges. The following
> > > is what we have done to try this to no avail. The following is a
> > > sample ldif entry:
> > >
> > > #################################################################
> > > dn: uid=homer, ou=people, dc=test, dc=net
> > > objectclass: person
> > > objectclass: radiusprofile
> > > objectclass: uidObject
> > > objectClass: inetOrgPerson
> > > objectClass: posixAccount
> > > objectClass: extensibleObject
> > > cn: Homer Simpson
> > > sn: Simpson
> > > loginShell: /bin/bash
> > > userpassword: {SSHA}fghkjfghkhgkfhgrofZyn2u9yiAAxbMP
> > > uidnumber: 2001
> > > gidnumber: 20
> > > homeDirectory: /home/homer
> > > uid: homer
> > > shadowLastChange: 10877
> > > shadowMin: 0
> > > shadowMax: 999999
> > > shadowWarning: 7
> > > shadowInactive: -1
> > > shadowExpire: -1
> > > shadowFlag: 0
> > > radiusAuthType: LDAP
> > > radiusReplyItem: Juniper-Local-User-Name := tier1
> > > radiusReplyItem: Cisco-AVPair := "shell:priv-lvl=15"
> > > radiusprofileDN: uid=homer, ou=people, dc=test, dc=net
> > > #################################################################
> > >
> > > The following is what we have on the router:
> > >
> > > #################################################################
> > > aaa new-model
> > > aaa authentication login default group radius enable
> > > aaa authorization exec default group radius
> > >
> > > enable secret password
> > >
> > > radius-server host 67.106.198.70 auth-port 1812 acct-port 1813
> > > radius-server retransmit 3
> > > radius-server key testing123
> > > #################################################################
> > >
> > > What else are we missing? Any help would be appreciated.
> > >
> > > Robert
> > >
> > > -
> > > List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
> > >
>
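
One way to summarise the router debug quoted above, as an added example that is not part of the original thread: it pairs each login's authentication result with its exec authorization result, so accounts that authenticate but then fail authorization (as homer and jessica do) stand out. The log lines are a constructed sample in the thread's format, and the function names are hypothetical.

```python
import re

# Constructed sample in the "debug aaa" format quoted in this thread (not real output).
SAMPLE = """\
2d04h: AAA/AUTHEN/START (1821432037): Method=radius (radius)
2d04h: AAA/AUTHEN/CONT (1821432037): continue_login (user='(undef)')
2d04h: AAA/AUTHEN/CONT (1821432037): continue_login (user='homer')
2d04h: AAA/AUTHEN (1821432037): status = PASS
2d04h: AAA/AUTHOR/EXEC: tty1 (3720401710) user='homer'
2d04h: AAA/AUTHOR (3720401710): Post authorization status = FAIL
2d04h: AAA/AUTHEN/CONT (42): continue_login (user='marge')
2d04h: AAA/AUTHEN (42): status = FAIL
"""

LOGIN_USER = re.compile(r"AAA/AUTHEN/CONT \((\d+)\): continue_login \(user='([^']*)'\)")
AUTHEN_STATUS = re.compile(r"AAA/AUTHEN \((\d+)\): status = (\w+)")
AUTHOR_USER = re.compile(r"AAA/AUTHOR/EXEC: \S+ \((\d+)\) user='([^']*)'")
AUTHOR_STATUS = re.compile(r"AAA/AUTHOR \((\d+)\): Post authorization status = (\w+)")

def correlate(log_text):
    """Return one record per login attempt: user, authen result, author result."""
    authen_user = {}   # authentication session id -> username
    author_user = {}   # authorization session id -> username
    attempts = []      # records in log order
    open_attempt = {}  # username -> latest attempt still awaiting authorization
    for line in log_text.splitlines():
        # search() rather than match(), so "> "-quoted mail lines parse too
        if m := LOGIN_USER.search(line):
            if m.group(2) != "(undef)":
                authen_user[m.group(1)] = m.group(2)
        elif m := AUTHEN_STATUS.search(line):
            sid, status = m.groups()
            # GETUSER/GETPASS are intermediate prompts; only PASS/FAIL end a login
            if status in ("PASS", "FAIL") and sid in authen_user:
                rec = {"user": authen_user[sid], "authen": status, "author": None}
                attempts.append(rec)
                open_attempt[rec["user"]] = rec
        elif m := AUTHOR_USER.search(line):
            author_user[m.group(1)] = m.group(2)
        elif m := AUTHOR_STATUS.search(line):
            rec = open_attempt.get(author_user.get(m.group(1)))
            if rec is not None:
                rec["author"] = m.group(2)
    return attempts

def authz_only_failures(attempts):
    """Users whose login was accepted but whose exec authorization failed."""
    return [a["user"] for a in attempts
            if a["authen"] == "PASS" and a["author"] == "FAIL"]

if __name__ == "__main__":
    print(authz_only_failures(correlate(SAMPLE)))
```
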
