Hello Telmo -


Thanks for your mail.

I think this is a Cisco issue, as the debug appears to show that radius is doing the same thing in both cases.

Perhaps it is not possible to control the console port in this way?

Check with your Cisco support person or the Cisco web site.

regards

Hugh


On Tuesday, Jul 15, 2003, at 00:40 Australia/Melbourne, OLIVEIRA Telmo Jose wrote:


Hi.

I want to set up an exec authentication and authorization system in my Cisco
routers network using Radiator. When a user logs in, he/she gets privilege
level 15. As a last resort, a locally stored username/password is used.


All works OK when I connect via telnet, but when I try to access through the
console, I can't get privilege level 15, only privilege level 1... The only
way to get privileged access is to do a telnet to an IP on the same router.


Here's the info:

1. Router:
--------------------------------------------------------------------------------
aaa new-model
!
aaa authentication login default group radius
aaa authorization exec default group radius if-authenticated
aaa accounting exec default start-stop group radius
aaa accounting commands 1 default start-stop group radius
aaa accounting commands 2 default start-stop group radius
aaa accounting commands 3 default start-stop group radius
aaa accounting commands 4 default start-stop group radius
aaa accounting commands 5 default start-stop group radius
aaa accounting commands 6 default start-stop group radius
aaa accounting commands 7 default start-stop group radius
aaa accounting commands 8 default start-stop group radius
aaa accounting commands 9 default start-stop group radius
aaa accounting commands 10 default start-stop group radius
aaa accounting commands 11 default start-stop group radius
aaa accounting commands 12 default start-stop group radius
aaa accounting commands 13 default start-stop group radius
aaa accounting commands 14 default start-stop group radius
aaa accounting commands 15 default start-stop group radius
aaa session-id common
enable secret *** SECRET PASSWORD ***
!
username *** LOCAL USERNAME*** password *** LOCAL PASSWORD ***
!
radius-server host *** RADIUS SERVER IP ADDRESS *** auth-port 1645 acct-port 1646
radius-server retransmit 3
radius-server key *** RADIUS KEY ***
!
line con 0
line aux 0
line vty 0 4
!
end



2. Radius usersdb
--------------------------------------------------------------------------------
*** MY USERNAME *** Encrypted-Password = "*** MY ENCRYPTED PASSWORD ***"
            Service-Type = NAS-Prompt-User,
            cisco-avpair = shell:priv-lvl=15


3. Debug radius - Telnet access (got privilege level 15):
--------------------------------------------------------------------------------
RADIUS/ENCODE(00000016): ask "Username: "
RADIUS/ENCODE(00000016): send packet; GET_USER
RADIUS/ENCODE(00000016): ask "Password: "
RADIUS/ENCODE(00000016): send packet; GET_PASSWORD
RADIUS: AAA Unsupported [142] 4
RADIUS: 74 74 [tt]
RADIUS: Pick NAS IP for uid=22 tableid=0 cfg_addr=0.0.0.0 best_addr=*** ROUTER IP ADDRESS ***
RADIUS/ENCODE(00000016): acct_session_id: 41
RADIUS(00000016): sending
RADIUS(00000016): Send to unknown id 21645/77 *** RADIUS SERVER IP ADDRESS ***:1645, Access-Request, len 78
RADIUS: authenticator 2B 89 1B D4 73 16 55 71 - 9B DB 35 6E 55 0B 78 A5
RADIUS: User-Name [1] 7 "*** MY USERNAME ***"
RADIUS: User-Password [2] 18 *
RADIUS: NAS-Port [5] 6 6
RADIUS: NAS-Port-Type [61] 6 Virtual [5]
RADIUS: Calling-Station-Id [31] 15 "*** MY PC's IP ADDRESS ***"
RADIUS: NAS-IP-Address [4] 6 *** ROUTER IP ADDRESS ***
RADIUS: Received from id 21645/77 *** RADIUS SERVER IP ADDRESS ***:1645, Access-Accept, len 51
RADIUS: authenticator 89 A8 F3 73 2A 89 6E B4 - 7F 7C 30 89 02 20 12 4D
RADIUS: Service-Type [6] 6 NAS Prompt [7]
RADIUS: Vendor, Cisco [26] 25
RADIUS: Cisco AVpair [1] 19 "shell:priv-lvl=15"
RADIUS(00000016): Received from id 21645/77
RADIUS: Pick NAS IP for uid=22 tableid=0 cfg_addr=0.0.0.0 best_addr=*** ROUTER IP ADDRESS ***


4. Debug radius - Console access (got privilege level 1):
--------------------------------------------------------------------------------
RADIUS/ENCODE(00000015): ask "Username: "
RADIUS/ENCODE(00000015): send packet; GET_USER
RADIUS/ENCODE(00000015): ask "Password: "
RADIUS/ENCODE(00000015): send packet; GET_PASSWORD
RADIUS: AAA Unsupported [142] 4
RADIUS: 74 74 [tt]
RADIUS: Pick NAS IP for uid=21 tableid=0 cfg_addr=0.0.0.0 best_addr=*** ROUTER IP ADDRESS ***
RADIUS/ENCODE(00000015): acct_session_id: 40
RADIUS(00000015): sending
RADIUS(00000015): Send to unknown id 21645/74 *** RADIUS SERVER IP ADDRESS ***:1645, Access-Request, len 70
RADIUS: authenticator E8 E1 D9 04 B1 C1 C4 39 - 0D C3 55 D5 77 8B 6A 6F
RADIUS: User-Name [1] 7 "*** MY USERNAME ***"
RADIUS: User-Password [2] 18 *
RADIUS: NAS-Port [5] 6 0
RADIUS: NAS-Port-Type [61] 6 Async [0]
RADIUS: Calling-Station-Id [31] 7 "async"
RADIUS: NAS-IP-Address [4] 6 *** ROUTER IP ADDRESS ***
RADIUS: Received from id 21645/74 *** RADIUS SERVER IP ADDRESS ***:1645, Access-Accept, len 51
RADIUS: authenticator B7 C9 7B 36 4D BC 0A 74 - 38 AE 18 71 0C E9 5B C5
RADIUS: Service-Type [6] 6 NAS Prompt [7]
RADIUS: Vendor, Cisco [26] 25
RADIUS: Cisco AVpair [1] 19 "shell:priv-lvl=15"
RADIUS(00000015): Received from id 21645/74
RADIUS: Pick NAS IP for uid=21 tableid=0 cfg_addr=0.0.0.0 best_addr=*** ROUTER IP ADDRESS ***


Any ideas?

Thanks in Advance

Telmo Oliveira
CCNP - CCDP
Portugal
===
Archive at http://www.open.com.au/archives/radiator/
Announcements on [EMAIL PROTECTED]
To unsubscribe, email '[EMAIL PROTECTED]' with
'unsubscribe radiator' in the body of the message.



NB: have you included a copy of your configuration file (no secrets), together with a trace 4 debug showing what is happening?

--
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. Available on *NIX, *BSD, Windows 95/98/2000, NT, MacOS X.
-
Nets: internetwork inventory and management - graphical, extensible,
flexible with hardware, software, platform and database independence.
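Hugh's reading of the two traces (that RADIUS is doing the same thing in both cases) can be checked mechanically rather than by eye. The script below is an added example for this thread, not code from Radiator, Cisco or either poster: it parses the attribute lines of a Cisco IOS "debug radius" capture, pairs up the Access-Request and Access-Accept of two sessions, and lists every attribute whose value differs. The two sample captures are constructed inline from the debug output quoted above, with the wrapped lines rejoined and the placeholders kept as they are. Run against those samples it reports that only the router's request differs (NAS-Port, NAS-Port-Type, Calling-Station-Id) while the server's Access-Accept, including shell:priv-lvl=15, is identical.

```python
"""Diff two Cisco IOS 'debug radius' captures attribute by attribute.

Added example for this thread, not code from Radiator, Cisco or either
poster. The captures below are constructed from the two debug outputs
quoted in the thread (wrapped lines rejoined, placeholders kept).
"""
import re

# Constructed sample: telnet login that received privilege level 15.
TELNET_DEBUG = """\
RADIUS(00000016): Send to unknown id 21645/77 *** RADIUS SERVER IP ADDRESS ***:1645, Access-Request, len 78
RADIUS: authenticator 2B 89 1B D4 73 16 55 71 - 9B DB 35 6E 55 0B 78 A5
RADIUS: User-Name [1] 7 "*** MY USERNAME ***"
RADIUS: User-Password [2] 18 *
RADIUS: NAS-Port [5] 6 6
RADIUS: NAS-Port-Type [61] 6 Virtual [5]
RADIUS: Calling-Station-Id [31] 15 "*** MY PC's IP ADDRESS ***"
RADIUS: NAS-IP-Address [4] 6 *** ROUTER IP ADDRESS ***
RADIUS: Received from id 21645/77 *** RADIUS SERVER IP ADDRESS ***:1645, Access-Accept, len 51
RADIUS: authenticator 89 A8 F3 73 2A 89 6E B4 - 7F 7C 30 89 02 20 12 4D
RADIUS: Service-Type [6] 6 NAS Prompt [7]
RADIUS: Vendor, Cisco [26] 25
RADIUS: Cisco AVpair [1] 19 "shell:priv-lvl=15"
RADIUS(00000016): Received from id 21645/77
"""

# Constructed sample: console login that only received privilege level 1.
CONSOLE_DEBUG = """\
RADIUS(00000015): Send to unknown id 21645/74 *** RADIUS SERVER IP ADDRESS ***:1645, Access-Request, len 70
RADIUS: authenticator E8 E1 D9 04 B1 C1 C4 39 - 0D C3 55 D5 77 8B 6A 6F
RADIUS: User-Name [1] 7 "*** MY USERNAME ***"
RADIUS: User-Password [2] 18 *
RADIUS: NAS-Port [5] 6 0
RADIUS: NAS-Port-Type [61] 6 Async [0]
RADIUS: Calling-Station-Id [31] 7 "async"
RADIUS: NAS-IP-Address [4] 6 *** ROUTER IP ADDRESS ***
RADIUS: Received from id 21645/74 *** RADIUS SERVER IP ADDRESS ***:1645, Access-Accept, len 51
RADIUS: authenticator B7 C9 7B 36 4D BC 0A 74 - 38 AE 18 71 0C E9 5B C5
RADIUS: Service-Type [6] 6 NAS Prompt [7]
RADIUS: Vendor, Cisco [26] 25
RADIUS: Cisco AVpair [1] 19 "shell:priv-lvl=15"
RADIUS(00000015): Received from id 21645/74
"""

# A packet starts at the line naming its type; "RADIUS(id): Received from" closes the exchange.
PACKET_RE = re.compile(r"(Access-Request|Access-Accept|Access-Reject|Accounting-Request|Accounting-Response), len \d+")
END_RE = re.compile(r"^RADIUS\(\w+\): Received from id")
# Attribute lines look like:  RADIUS: NAS-Port-Type [61] 6 Virtual [5]
ATTR_RE = re.compile(r"^RADIUS:\s+(?P<name>[^\[\]]+?)\s+\[(?P<type>\d+)\]\s+(?P<len>\d+)(?:\s+(?P<value>.*))?$")
PRIV_RE = re.compile(r"shell:priv-lvl=(\d+)")

def parse_debug(text):
    """Return the packets of a capture in order as {'kind': ..., 'attrs': {name: [values]}}.
    Attribute-looking lines outside a packet (prompting phase) are ignored; the Cisco
    vendor container and its AVpair sub-attribute are kept as two flat entries."""
    packets, current = [], None
    for line in text.splitlines():
        m = PACKET_RE.search(line)
        if m:
            current = {"kind": m.group(1), "attrs": {}}
            packets.append(current)
            continue
        if END_RE.match(line):
            current = None
            continue
        m = ATTR_RE.match(line)
        if m and current is not None:
            current["attrs"].setdefault(m.group("name"), []).append((m.group("value") or "").strip())
    return packets

def compare_packets(a, b):
    """List (attribute, values in a, values in b) for every attribute that differs."""
    names = sorted(set(a["attrs"]) | set(b["attrs"]))
    return [(n, a["attrs"].get(n, []), b["attrs"].get(n, []))
            for n in names if a["attrs"].get(n, []) != b["attrs"].get(n, [])]

def compare_sessions(text_a, text_b):
    """Pair the packets of two captures by position and diff each pair, keyed by packet type."""
    result = {}
    for pa, pb in zip(parse_debug(text_a), parse_debug(text_b)):
        if pa["kind"] != pb["kind"]:
            raise ValueError(f"packet order differs: {pa['kind']} vs {pb['kind']}")
        result[pa["kind"]] = compare_packets(pa, pb)
    return result

def granted_priv_level(packet):
    """Privilege level carried in a packet's Cisco AVpair (shell:priv-lvl=N), or None."""
    for value in packet["attrs"].get("Cisco AVpair", []):
        m = PRIV_RE.search(value)
        if m:
            return int(m.group(1))
    return None

if __name__ == "__main__":
    for kind, diffs in compare_sessions(TELNET_DEBUG, CONSOLE_DEBUG).items():
        print(f"{kind}: {'identical' if not diffs else 'differs'}")
        for name, va, vb in diffs:
            print(f"  {name}: telnet={va} console={vb}")
    for label, text in (("telnet", TELNET_DEBUG), ("console", CONSOLE_DEBUG)):
        accept = [p for p in parse_debug(text) if p["kind"] == "Access-Accept"][0]
        print(f"{label} Access-Accept grants priv-lvl {granted_priv_level(accept)}")
```

To use it on your own router, paste the two "debug radius" captures (with any wrapped lines rejoined) in place of the constructed samples. If the Access-Accept diff comes back empty, as it does here, the server is answering both logins identically and the remaining difference is on the NAS side, which is the point Hugh's reply rests on.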


