Unfortunately, I can't help with that one. It looks like you are using
the reply attribute of Cisco-AVPair := "shell:priv-lvl=15". That reply
attribute is being sent back, so you'll have to check the Cisco docs to
see if it's all set up correctly on the 29xx.

Found this on Google; it may help you with configuring the router.

http://www.mail-archive.com/[EMAIL PROTECTED]/msg18034.html

Regards

On Mon, 12 Jul 2004, Robert Banniza wrote:

> Here is what we are seeing now....The secret has been set and will allow
> us to login but we are not getting any privileged level:
>
>
> rad_recv: Access-Request packet from host 67.106.198.67:1645, id=15,
> length=75
>         NAS-IP-Address = 10.1.1.31
>         NAS-Port = 1
>         NAS-Port-Type = Virtual
>         User-Name = "homer"
>         Calling-Station-Id = "10.1.1.162"
>         User-Password = "t3stm3"
> modcall: entering group authorize for request 0
>   modcall[authorize]: module "preprocess" returns ok for request 0
>   modcall[authorize]: module "chap" returns noop for request 0
>   modcall[authorize]: module "eap" returns noop for request 0
>     rlm_realm: No '@' in User-Name = "homer", looking up realm NULL
>     rlm_realm: No such realm "NULL"
>   modcall[authorize]: module "suffix" returns noop for request 0
>     users: Matched DEFAULT at 152
>     users: Matched DEFAULT at 216
>   modcall[authorize]: module "files" returns ok for request 0
>   modcall[authorize]: module "mschap" returns noop for request 0
> rlm_ldap: - authorize
> rlm_ldap: performing user authorization for homer
> radius_xlat:  '(&(ObjectClass=posixAccount)(uid=homer))'
> radius_xlat:  'ou=people,dc=test,dc=net'
> ldap_get_conn: Got Id: 0
> rlm_ldap: attempting LDAP reconnection
> rlm_ldap: (re)connect to jag.test.net:389, authentication 0
> rlm_ldap: bind as / to jag.test.net:389
> rlm_ldap: waiting for bind result ...
> rlm_ldap: performing search in ou=people,dc=test,dc=net, with filter
> (&(ObjectClass=posixAccount)(uid=homer))
> rlm_ldap: looking for check items in directory...
> rlm_ldap: Adding radiusAuthType as Auth-Type, value LDAP & op=21
> rlm_ldap: looking for reply items in directory...
> rlm_ldap: extracted attribute Juniper-Local-User-Name from generic item
> Juniper-Local-User-Name := tier1
> rlm_ldap: extracted attribute Cisco-AVPair from generic item
> Cisco-AVPair := "shell:priv-lvl=15"
> rlm_ldap: user homer authorized to use remote access
> ldap_release_conn: Release Id: 0
>   modcall[authorize]: module "ldap" returns ok for request 0
> modcall: group authorize returns ok for request 0
>   rad_check_password:  Found Auth-Type LDAP
> auth: type "LDAP"
> modcall: entering group Auth-Type for request 0
> rlm_ldap: - authenticate
> rlm_ldap: login attempt by "homer" with password "t3stm3"
> rlm_ldap: user DN: uid=homer,ou=people,dc=test,dc=net
> rlm_ldap: (re)connect to jag.test.net:389, authentication 1
> rlm_ldap: bind as uid=homer,ou=people,dc=test,dc=net/t3stm3 to
> jag.test.net:389
> rlm_ldap: waiting for bind result ...
> rlm_ldap: user homer authenticated succesfully
>   modcall[authenticate]: module "ldap" returns ok for request 0
> modcall: group Auth-Type returns ok for request 0
> Sending Access-Accept of id 15 to 67.106.198.67:1645
>         Juniper-Local-User-Name := "tier1"
>         Cisco-AVPair := "shell:priv-lvl=15"
> Finished request 0
> Going to the next request
> --- Walking the entire request list ---
> Waking up in 6 seconds...
> --- Walking the entire request list ---
> Cleaning up request 0 ID 15 with timestamp 40f2e98a
> Nothing to do.  Sleeping until we see a request.
>
>
>
>
>
> On Mon, Jul 12, 2004 at 02:29:28PM -0400, Dustin Doris wrote:
> > You need to do what the debug message said and make sure your shared
> > secret is correct.  Check clients.conf in your raddb directory.
> >
> > WARNING: Unprintable characters in the password. ?  Double-check the
> > shared secret on the server and the NAS!
> >
> >
> > On Mon, 12 Jul 2004, Robert Banniza wrote:
> >
> > > Here is what radiusd -X -A provides:
> > >
> > > rad_recv: Access-Request packet from host 67.106.198.67:1645, id=10,
> > > length=75
> > >         NAS-IP-Address = 11.9.67.177
> > >         NAS-Port = 1
> > >         NAS-Port-Type = Virtual
> > >         User-Name = "homer"
> > >         Calling-Station-Id = "10.1.1.162"
> > >         User-Password = "\334\303A_-VB/VJ N\017\230\217\317"
> > > modcall: entering group authorize for request 0
> > >   modcall[authorize]: module "preprocess" returns ok for request 0
> > >   modcall[authorize]: module "chap" returns noop for request 0
> > >   modcall[authorize]: module "eap" returns noop for request 0
> > >     rlm_realm: No '@' in User-Name = "homer", looking up realm NULL
> > >     rlm_realm: No such realm "NULL"
> > >   modcall[authorize]: module "suffix" returns noop for request 0
> > >     users: Matched DEFAULT at 152
> > >     users: Matched DEFAULT at 216
> > >   modcall[authorize]: module "files" returns ok for request 0
> > >   modcall[authorize]: module "mschap" returns noop for request 0
> > > rlm_ldap: - authorize
> > > rlm_ldap: performing user authorization for homer
> > > radius_xlat:  '(&(ObjectClass=posixAccount)(uid=homer))'
> > > radius_xlat:  'ou=people,dc=test,dc=net'
> > > ldap_get_conn: Got Id: 0
> > > rlm_ldap: attempting LDAP reconnection
> > > rlm_ldap: (re)connect to jag.test.net:389, authentication 0
> > > rlm_ldap: bind as / to jag.test.net:389
> > > rlm_ldap: waiting for bind result ...
> > > rlm_ldap: performing search in ou=people,dc=test,dc=net, with filter
> > > (&(ObjectClass=posixAccount)(uid=homer))
> > > rlm_ldap: looking for check items in directory...
> > > rlm_ldap: Adding radiusAuthType as Auth-Type, value LDAP & op=21
> > > rlm_ldap: looking for reply items in directory...
> > > rlm_ldap: extracted attribute Juniper-Local-User-Name from generic item
> > > Juniper-Local-User-Name := tier1
> > > rlm_ldap: extracted attribute Cisco-AVPair from generic item
> > > Cisco-AVPair := "shell:priv-lvl=15"
> > > rlm_ldap: user homer authorized to use remote access
> > > ldap_release_conn: Release Id: 0
> > >   modcall[authorize]: module "ldap" returns ok for request 0
> > > modcall: group authorize returns ok for request 0
> > >   rad_check_password:  Found Auth-Type LDAP
> > > auth: type "LDAP"
> > > modcall: entering group Auth-Type for request 0
> > > rlm_ldap: - authenticate
> > > rlm_ldap: login attempt by "homer" with password "��A_-VB/VJ N???�"
> > > rlm_ldap: user DN: uid=homer,ou=people,dc=test,dc=net
> > > rlm_ldap: (re)connect to jag.test.net:389, authentication 1
> > > rlm_ldap: bind as uid=homer,ou=people,dc=test,dc=net/��A_-VB/VJ N???�
> > > to jag.test.net:389
> > > rlm_ldap: waiting for bind result ...
> > >   modcall[authenticate]: module "ldap" returns reject for request 0
> > > modcall: group Auth-Type returns reject for request 0
> > > auth: Failed to validate the user.
> > >   WARNING: Unprintable characters in the password. ?  Double-check the
> > > shared secret on the server and the NAS!
> > > Delaying request 0 for 1 seconds
> > > Finished request 0
> > > Going to the next request
> > > --- Walking the entire request list ---
> > > Waking up in 1 seconds...
> > > --- Walking the entire request list ---
> > > Waking up in 1 seconds...
> > > --- Walking the entire request list ---
> > > Sending Access-Reject of id 10 to 67.106.198.67:1645
> > >         Juniper-Local-User-Name := "tier1"
> > >         Cisco-AVPair := "shell:priv-lvl=15"
> > > Waking up in 4 seconds...
> > > --- Walking the entire request list ---
> > > Cleaning up request 0 ID 10 with timestamp 40f2cbda
> > > Nothing to do.  Sleeping until we see a request.
> > >
> > >
> > > On Mon, Jul 12, 2004 at 12:46:46PM -0400, Dustin Doris wrote:
> > > > What about radiusd -x.  Run Freeradius in debug mode.
> > > >
> > > > On Sun, 11 Jul 2004, Robert Banniza wrote:
> > > >
> > > > > Here is the debug output:
> > > > >
> > > > > 2d04h: AAA/MEMORY: create_user (0x20F7E20) user='' ruser='' port='tty1'
> > > > > +rem_addr='10.1.1.162' authen_type=ASCII service=
> > > > > LOGIN priv=1
> > > > > 2d04h: AAA/AUTHEN/START (1821432037): port='tty1' list='' action=LOGIN
> > > > > +service=LOGIN
> > > > > 2d04h: AAA/AUTHEN/START (1821432037): using "default" list
> > > > > 2d04h: AAA/AUTHEN/START (1821432037): Method=radius (radius)
> > > > > 2d04h: AAA/AUTHEN (1821432037): status = GETUSER
> > > > > 2d04h: AAA/AUTHEN/CONT (1821432037): continue_login (user='(undef)')
> > > > > 2d04h: AAA/AUTHEN (1821432037): status = GETUSER
> > > > > 2d04h: AAA/AUTHEN (1821432037): Method=radius (radius)
> > > > > 2d04h: AAA/AUTHEN (1821432037): status = GETPASS
> > > > > 2d04h: AAA/AUTHEN/CONT (1821432037): continue_login (user='homer')
> > > > > 2d04h: AAA/AUTHEN (1821432037): status = GETPASS
> > > > > 2d04h: AAA/AUTHEN (1821432037): Method=radius (radius)
> > > > > 2d04h: AAA/AUTHEN (1821432037): status = PASS
> > > > > 2d04h: tty1 AAA/AUTHOR/EXEC (3720401710): Port='tty1' list=''
> > > > > service=EXEC
> > > > > 2d04h: AAA/AUTHOR/EXEC: tty1 (3720401710) user='homer'
> > > > > 2d04h: tty1 AAA/AUTHOR/EXEC (3720401710): send AV service=shell
> > > > > 2d04h: tty1 AAA/AUTHOR/EXEC (3720401710): send AV cmd*
> > > > > 2d04h: tty1 AAA/AUTHOR/EXEC (3720401710): found list "default"
> > > > > 2d04h: tty1 AAA/AUTHOR/EXEC (3720401710): Method=radius (radius)
> > > > > 2d04h: AAA/AUTHOR (3720401710): Post authorization status = FAIL
> > > > > 2d04h: AAA/AUTHOR/EXEC: Authorization FAILED
> > > > > 2d04h: AAA/MEMORY: free_user (0x20F7E20) user='homer' ruser=''
> > > > > port='tty1'
> > > > > +rem_addr='10.1.1.162' authen_type=ASCII servi
> > > > > ce=LOGIN priv=1
> > > > > Soutlake#2#
> > > > > Soutlake#2#
> > > > > Soutlake#2#
> > > > > Soutlake#2#
> > > > > Soutlake#2#
> > > > > Soutlake#2#
> > > > > Soutlake#2#
> > > > > Soutlake#2#
> > > > > Soutlake#2#
> > > > > Soutlake#2#
> > > > > Soutlake#2#
> > > > > 2d04h: AAA: parse name=tty1 idb type=-1 tty=-1
> > > > > 2d04h: AAA: name=tty1 flags=0x11 type=5 shelf=0 slot=0 adapter=0 port=1
> > > > > +channel=0
> > > > > 2d04h: AAA/MEMORY: create_user (0x20F7C0C) user='' ruser='' port='tty1'
> > > > > +rem_addr='10.1.1.162' authen_type=ASCII service=
> > > > > LOGIN priv=1
> > > > > 2d04h: AAA/AUTHEN/START (2535633014): port='tty1' list='' action=LOGIN
> > > > > +service=LOGIN
> > > > > 2d04h: AAA/AUTHEN/START (2535633014): using "default" list
> > > > > 2d04h: AAA/AUTHEN/START (2535633014): Method=radius (radius)
> > > > > 2d04h: AAA/AUTHEN (2535633014): status = GETUSER
> > > > > 2d04h: AAA/AUTHEN/CONT (2535633014): continue_login (user='(undef)')
> > > > > 2d04h: AAA/AUTHEN (2535633014): status = GETUSER
> > > > > 2d04h: AAA/AUTHEN (2535633014): Method=radius (radius)
> > > > > 2d04h: AAA/AUTHEN (2535633014): status = GETPASS
> > > > > 2d04h: AAA/AUTHEN/CONT (2535633014): continue_login (user='jessica')
> > > > > 2d04h: AAA/AUTHEN (2535633014): status = GETPASS
> > > > > 2d04h: AAA/AUTHEN (2535633014): Method=radius (radius)
> > > > > 2d04h: AAA/AUTHEN (2535633014): status = PASS
> > > > > 2d04h: tty1 AAA/AUTHOR/EXEC (1601631891): Port='tty1' list=''
> > > > > service=EXEC
> > > > > 2d04h: AAA/AUTHOR/EXEC: tty1 (1601631891) user='jessica'
> > > > > 2d04h: tty1 AAA/AUTHOR/EXEC (1601631891): send AV service=shell
> > > > > 2d04h: tty1 AAA/AUTHOR/EXEC (1601631891): send AV cmd*
> > > > > 2d04h: tty1 AAA/AUTHOR/EXEC (1601631891): found list "default"
> > > > > 2d04h: tty1 AAA/AUTHOR/EXEC (1601631891): Method=radius (radius)
> > > > > 2d04h: AAA/AUTHOR (1601631891): Post authorization status = FAIL
> > > > > 2d04h: AAA/AUTHOR/EXEC: Authorization FAILED
> > > > > 2d04h: AAA/MEMORY: free_user (0x20F7C0C) user='jessica' ruser=''
> > > > > port='tty1'
> > > > > +rem_addr='10.1.1.162' authen_type=ASCII ser
> > > > > vice=LOGIN priv=1
> > > > >
> > > > > On Fri, Jul 09, 2004 at 12:42:05PM -0400, Dustin Doris wrote:
> > > > > > What is the debug output?  What happens when you try to login to the
> > > > > > router?  User denied?
> > > > > >
> > > > > > On Fri, 9 Jul 2004, Robert Banniza wrote:
> > > > > >
> > > > > > > Guys,
> > > > > > > We are trying to allow users to authenticate to Cisco 26xx routers using
> > > > > > > Freeradius with the rlm_ldap module (OpenLDAP). We would like some of
> > > > > > > these users to be able to log in with enable privileges. The following
> > > > > > > is what we have done to try this with no avail. The following is a
> > > > > > > sample ldif entry:
> > > > > > >
> > > > > > > #################################################################
> > > > > > > dn: uid=homer, ou=people, dc=test, dc=net
> > > > > > > objectclass: person
> > > > > > > objectclass: radiusprofile
> > > > > > > objectclass: uidObject
> > > > > > > objectClass: inetOrgPerson
> > > > > > > objectClass: posixAccount
> > > > > > > objectClass: extensibleObject
> > > > > > > cn: Homer Simpson
> > > > > > > sn: Simpson
> > > > > > > loginShell: /bin/bash
> > > > > > > userpassword: {SSHA}fghkjfghkhgkfhgrofZyn2u9yiAAxbMP
> > > > > > > uidnumber: 2001
> > > > > > > gidnumber: 20
> > > > > > > homeDirectory: /home/homer
> > > > > > > uid: homer
> > > > > > > shadowLastChange: 10877
> > > > > > > shadowMin: 0
> > > > > > > shadowMax: 999999
> > > > > > > shadowWarning: 7
> > > > > > > shadowInactive: -1
> > > > > > > shadowExpire: -1
> > > > > > > shadowFlag: 0
> > > > > > > radiusAuthType: LDAP
> > > > > > > radiusReplyItem: Juniper-Local-User-Name := tier1
> > > > > > > radiusReplyItem: Cisco-AVPair := "shell:priv-lvl=15"
> > > > > > > radiusprofileDN: uid=homer, ou=people, dc=test, dc=net
> > > > > > > #################################################################
> > > > > > >
> > > > > > > The following is what we have on the router:
> > > > > > >
> > > > > > > #################################################################
> > > > > > > aaa new-model
> > > > > > > aaa authentication login default group radius enable
> > > > > > > aaa authorization exec default group radius
> > > > > > >
> > > > > > > enable secret password
> > > > > > >
> > > > > > > radius-server host 67.106.198.70 auth-port 1812 acct-port 1813
> > > > > > > radius-server retransmit 3
> > > > > > > radius-server key testing123
> > > > > > > #################################################################
> > > > > > >
> > > > > > > What else are we missing? Any help would be appreciated.
> > > > > > >
> > > > > > > Robert
> > > > > > >
> > > > > > > -
> > > > > > > List info/subscribe/unsubscribe? See 
> > > > > > > http://www.freeradius.org/list/users.html
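Added worked example (not part of the thread above, and not FreeRADIUS or Cisco code): the middle of the thread turns on the "Unprintable characters in the password" warning, which is what a shared-secret mismatch between the router's `radius-server key` and the server's clients.conf looks like on the wire. The script below implements the RFC 2865 section 5.2 User-Password hiding scheme (MD5 of secret plus authenticator, XORed block by block), decrypts one packet with a matching and with a deliberately mismatched secret, and applies the same printable-ASCII check the warning is based on. It also decodes the octal escapes that `radiusd -X` prints for non-printable bytes, using the garbled password line from the thread as input. The shared secret "testing123" comes from the router config in the thread; the mismatched secret, the password and the fixed Request Authenticator are constructed values for the demonstration.

```python
import hashlib
import re

# Constructed sample values (not from the thread, except SECRET_NAS which is
# the router's "radius-server key" from the original post).
SECRET_NAS = b"testing123"           # what the router encrypts with
SECRET_SERVER_WRONG = b"testing124"  # a mistyped clients.conf entry (constructed)
PASSWORD = b"t3stm3"
# Fixed 16-byte Request Authenticator (constructed; a real NAS picks it randomly)
AUTHENTICATOR = bytes(range(0x10, 0x20))


def pap_encrypt(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 section 5.2: pad to 16-byte blocks and XOR each block with
    MD5(secret + previous ciphertext block), seeded with the authenticator."""
    padded = password + b"\x00" * (-len(password) % 16)
    out = bytearray()
    prev = authenticator
    for off in range(0, len(padded), 16):
        keystream = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[off:off + 16], keystream))
        out += block
        prev = block
    return bytes(out)


def pap_decrypt(ciphertext: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of pap_encrypt; trailing NUL padding is stripped."""
    out = bytearray()
    prev = authenticator
    for off in range(0, len(ciphertext), 16):
        block = ciphertext[off:off + 16]
        keystream = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ k for c, k in zip(block, keystream))
        prev = block
    return bytes(out).rstrip(b"\x00")


def has_unprintable(password: bytes) -> bool:
    """True if any byte falls outside printable ASCII: the condition behind
    the 'Unprintable characters in the password' warning seen in the thread."""
    return any(b < 0x20 or b > 0x7E for b in password)


def decode_debug_escapes(text: str) -> bytes:
    """Turn the \\NNN octal escapes that radiusd -X prints for non-printable
    bytes back into raw bytes so a logged User-Password can be inspected."""
    return re.sub(r"\\([0-3][0-7]{2})",
                  lambda m: chr(int(m.group(1), 8)), text).encode("latin-1")


def check_secret(ciphertext: bytes, secret: bytes, authenticator: bytes):
    """Decrypt with a candidate server secret; returns (plaintext, suspicious)
    where suspicious means the result does not look like a typed password."""
    pw = pap_decrypt(ciphertext, secret, authenticator)
    return pw, has_unprintable(pw)


if __name__ == "__main__":
    wire = pap_encrypt(PASSWORD, SECRET_NAS, AUTHENTICATOR)
    for label, secret in (("matching", SECRET_NAS),
                          ("mismatched", SECRET_SERVER_WRONG)):
        pw, suspicious = check_secret(wire, secret, AUTHENTICATOR)
        print(f"{label:10s} secret -> {pw!r}  unprintable={suspicious}")
    # The garbled password exactly as radiusd -X printed it in the failing run
    logged = r"\334\303A_-VB/VJ N\017\230\217\317"
    raw = decode_debug_escapes(logged)
    print(f"logged password decodes to {len(raw)} bytes, "
          f"unprintable={has_unprintable(raw)}")
```

Note that the logged value decodes to exactly 16 bytes, one full hiding block: the server XORed the block with a keystream derived from the wrong secret, so the result is noise rather than the 6-character password plus NUL padding. A mismatch never produces an authentication error by itself; it just makes the decrypted password garbage, which is why the LDAP bind in the thread failed until the secrets agreed.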
