Hi there,
I am running FreeRADIUS Version 1.0.4 on Solaris 8 for RADIUS services.

Then I have a Cisco 3660 configured for inbound https auth-proxy. IOS on router -> c3660-ik9o3s-mz.123-14.T.bin


% users
<snip>
#
test  Auth-Type := Local, User-Password == "test1234"
     Service-Type = Outbound,
     cisco-avpair = "auth-proxy:priv-lvl=15",
     cisco-avpair += "auth-proxy:proxyacl#1=permit tcp host 12.13.14.15 host 21.31.41.51 eq 22"
#



Problem: user test gets successful auth-proxy authorization, but the dynamic ACL is not used by the router.

FYI - The RADIUS server passes the ACL and the router receives the ACL (debug not reported in this email).


Can you help me? Thanks a lot.


Full debug on the server:


# radiusd -X
<snip>
rad_recv: Access-Request packet from host 131.176.131.40:1645, id=23, length=102
       User-Name = "test"
       Reply-Message = "Password: "
       User-Password = "test1234"
       NAS-Port = 226
       NAS-Port-Id = "tty226"
       NAS-Port-Type = Virtual
       Calling-Station-Id = "xx.xx.xx.xx"
       NAS-IP-Address = xx.xx.xx.xx
 Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
 modcall[authorize]: module "preprocess" returns ok for request 0
 modcall[authorize]: module "chap" returns noop for request 0
 modcall[authorize]: module "mschap" returns noop for request 0
   rlm_realm: No '@' in User-Name = "adalessa", looking up realm NULL
   rlm_realm: No such realm "NULL"
 modcall[authorize]: module "suffix" returns noop for request 0
 rlm_eap: No EAP-Message, not doing EAP
 modcall[authorize]: module "eap" returns noop for request 0
   users: Matched entry adalessa at line 98
 modcall[authorize]: module "files" returns ok for request 0
modcall: group authorize returns ok for request 0
 rad_check_password:  Found Auth-Type Local
auth: type Local
auth: user supplied User-Password matches local User-Password
Sending Access-Accept of id 23 to xx.xx.xx.xx:1645
       Cisco-AVPair = "auth-proxy:priv-lvl=15"
       Cisco-AVPair += "auth-proxy:proxyacl#1=permit tcp host 12.13.14.15 host 21.31.41.51 eq 22"
Finished request 0
Going to the next request
--- Walking the entire request list ---
Waking up in 6 seconds...
--- Walking the entire request list ---
Cleaning up request 0 ID 23 with timestamp 42dea17c
Nothing to do.  Sleeping until we see a request.