On Tue, Jul 20, 2004 at 08:35:59AM -0500, Robert Banniza wrote:
> On Tue, Jul 20, 2004 at 11:00:18PM +1000, Paul Hampson wrote:
> > On Tue, Jul 20, 2004 at 06:35:32AM -0500, Robert Banniza wrote:
> > > This we have done. They mentioned that Unisphere-Init-CLI-Access-Level
> > > should work as well as ERX-Cli-Initial-Access-Level or
> > > Juniper-Initial-CLI-Access-Level. What I don't understand is how the
> > > Juniper is able to parse the three (as they are different names) and
> > > understand them. I do not have anything in ldap.attrmap that maps one to
> > > the other.
> >
> > It doesn't. The RADIUS server (FreeRADIUS, here) turns the names into
> > numbers using the dictionary files, and sends the numbered attributes
> > to the NAS.
>
> OK, that makes more sense. Here is what we are seeing in the logs when
> trying to use ERX-Cli-Initial-Access-Level:
>
> DEBUG 07/19/2004 20:52:54 EDT radiusAttributes (): USER ATTRIBUTES:
> (homer)
> DEBUG 07/19/2004 20:52:54 EDT radiusAttributes (): service type
> attr: 6
> DEBUG 07/19/2004 20:52:54 EDT radiusAttributes (): admin all VR
> access (vsa) attr: 1
> DEBUG 07/19/2004 20:52:54 EDT radiusAttributes (): alternate admin
> auth level (vsa) attr: 15
> DEBUG 07/19/2004 20:52:54 EDT radiusClient (): dropping [0009]
> attribute, un-supported data <shell:priv-lvl=15>

OK, it seems the initial admin level attribute's not getting through...

I'd suggest packet-sniffing the RADIUS packets, and (assuming your sniffer
can disassemble RADIUS packets) confirm that the packet on the wire includes
the VSA attribute Vendor 4874 (0x130a) Attribute 18 (0x12). We can see that
Vendor 4874 Attribute 20 (ERX-Alternate-Cli-Access-Level) is getting through
fine.

> INFO 07/19/2004 20:52:54 EDT aaaUserAccess (): User: homer, access
> granted
[trim]
> Here is the ldap schema:
[trim]
> radiusReplyItem: Juniper-Local-User-Name := tier3
> radiusReplyItem: Cisco-AVPair := "shell:priv-lvl=15"
> radiusReplyItem: ERX-Cli-Initial-Access-Level := "5"
> radiusReplyItem: ERX-Alternate-Cli-Access-Level := "15"
> radiusReplyItem: ERX-CLI-Allow-All-VR-Access := 1
> radiusprofileDN: uid=homer, ou=people, dc=test, dc=net

-- 
Paul "TBBle" Hampson, on an alternate email client.

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
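The on-the-wire check Paul suggests above, as an added example that is not part of the thread: a small Python decoder that walks the attribute list of a RADIUS Access-Accept and reports which Juniper ERX (Vendor 4874) VSAs are missing, so a captured packet can be checked for Attribute 18 without a RADIUS-aware sniffer. The vendor and attribute numbers come from the thread; the sample packet, the string encoding of the ERX values and the helper names are constructed assumptions for this example.

```python
import struct

# Numbers quoted in the thread. Whether each ERX value is sent as a string or
# an integer is an assumption here; check the FreeRADIUS dictionary for the real type.
JUNIPER_ERX_VENDOR = 4874
ERX_VSAS = {18: "ERX-Cli-Initial-Access-Level",
            20: "ERX-Alternate-Cli-Access-Level",
            1: "ERX-CLI-Allow-All-VR-Access"}
VENDOR_SPECIFIC = 26  # RFC 2865 Vendor-Specific attribute type

def build_attr(attr_type, value):
    """Encode one RADIUS attribute as Type(1) Length(1) Value."""
    return struct.pack("!BB", attr_type, 2 + len(value)) + value

def build_vsa(vendor_id, vendor_type, value):
    """Wrap a vendor attribute in a Vendor-Specific (26) attribute."""
    inner = struct.pack("!BB", vendor_type, 2 + len(value)) + value
    return build_attr(VENDOR_SPECIFIC, struct.pack("!I", vendor_id) + inner)

def parse_vsas(packet):
    """Walk the attribute list after the 20-byte header; return (vendor, type, data) per VSA."""
    found = []
    pos = 20  # code(1) + id(1) + length(2) + authenticator(16)
    while pos + 2 <= len(packet):
        attr_type, attr_len = packet[pos], packet[pos + 1]
        if attr_len < 2 or pos + attr_len > len(packet):
            raise ValueError("malformed attribute at offset %d" % pos)
        value = packet[pos + 2:pos + attr_len]
        if attr_type == VENDOR_SPECIFIC and len(value) >= 6:
            vendor = struct.unpack("!I", value[:4])[0]
            vtype, vlen = value[4], value[5]
            found.append((vendor, vtype, value[6:4 + vlen]))
        pos += attr_len
    return found

def missing_erx_attrs(packet, wanted):
    """Names of the wanted ERX VSAs that the packet does not carry."""
    present = {vt for vendor, vt, _ in parse_vsas(packet) if vendor == JUNIPER_ERX_VENDOR}
    return [ERX_VSAS[a] for a in wanted if a not in present]

# Constructed Access-Accept mirroring the NAS log above: Service-Type=6, a Cisco-AVPair
# (vendor 9), ERX attributes 20 and 1, but no ERX attribute 18. Authenticator left zeroed.
SAMPLE_ACCEPT = (struct.pack("!BBH", 2, 1, 0) + b"\x00" * 16
                 + build_attr(6, struct.pack("!I", 6))
                 + build_vsa(9, 1, b"shell:priv-lvl=15")
                 + build_vsa(JUNIPER_ERX_VENDOR, 20, b"15")
                 + build_vsa(JUNIPER_ERX_VENDOR, 1, struct.pack("!I", 1)))
SAMPLE_ACCEPT = SAMPLE_ACCEPT[:2] + struct.pack("!H", len(SAMPLE_ACCEPT)) + SAMPLE_ACCEPT[4:]

if __name__ == "__main__":
    print("missing:", missing_erx_attrs(SAMPLE_ACCEPT, [18, 20]))
```

To check a real capture, hand `parse_vsas` the UDP payload of the Access-Accept instead of `SAMPLE_ACCEPT`; an empty result from `missing_erx_attrs` means the server did put Attribute 18 on the wire and the problem lies on the NAS side.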

