RE: NAS not accepting the Access-Accept?

2007-04-24 Thread Matt Ashfield
Ok thanks! I am definitely seeing the NAS request Administrative-User in the
Access-Request packet. I guess I wasn't returning it! Thanks for your help.

Matt


-Original Message-
From: Alan DeKok [mailto:[EMAIL PROTECTED] 
Sent: April 24, 2007 3:21 AM
To: [EMAIL PROTECTED]; FreeRadius users mailing list
Subject: Re: NAS not accepting the Access-Accept?

Matt Ashfield wrote:
> Hi,
> 
> I have a network switch that I'm trying to configure to allow Console port
> authentication via RADIUS.
> 
> In the documentation of the switch it says:
> "To provide each user with appropriate levels of access to the switch, set
> the following username attributes on your RADIUS server:
> - R/W access -- Set the Service-Type field value to Administrative
> - Read-Only -- set the Service-Type field value to NAS-Prompt"
> 
> So, in my users file, I have defined a user:
> "testuser"  NAS-IP-Address == "172.16.8.30", Cleartext-Password :=
> "testing", Service-Type =="Administrative-User"

  Which matches if there's a request for administrative user.  You also
have to acknowledge that request in the response, otherwise the NAS will
not let the administrator in:

"testuser"  NAS-IP-Address == "172.16.8.30", Cleartext-Password := "testing", Service-Type == "Administrative-User"
            Service-Type := "Administrative-User"

> However, when I run a packet capture, I see that no Radius attributes are
> being passed back to the NAS device. Shouldn't I be seeing the
> Administrative-User attribute?

  If you don't tell the server to send it back, no.

  Alan DeKok.
--
  http://deployingradius.com   - The web site of the book
  http://deployingradius.com/blog/ - The blog


- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: NAS not accepting the Access-Accept?

2007-04-24 Thread Arran Cudbard-Bell

> "testuser"  NAS-IP-Address == "172.16.8.30", Cleartext-Password :=
>  "testing", Service-Type =="Administrative-User"
>   Service-Type := "Administrative-User"
Hmm, not all NASes will request Service-Type 6 (Administrative-User); all
ours request Service-Type 7 (NAS-Prompt-User), but still respect the access
level sent back in the reply...

To make matters even more interesting, ours support user elevation via
the command line, in which case it will send a request with Service-Type
6...
So for your final implementation, it's best to support both and then
decide on an access level on a per-user basis.


Re: NAS not accepting the Access-Accept?

2007-04-23 Thread Alan DeKok
Matt Ashfield wrote:
> Hi,
> 
> I have a network switch that I'm trying to configure to allow Console port
> authentication via RADIUS.
> 
> In the documentation of the switch it says:
> "To provide each user with appropriate levels of access to the switch, set
> the following username attributes on your RADIUS server:
> - R/W access -- Set the Service-Type field value to Administrative
> - Read-Only -- set the Service-Type field value to NAS-Prompt"
> 
> So, in my users file, I have defined a user:
> "testuser"  NAS-IP-Address == "172.16.8.30", Cleartext-Password :=
> "testing", Service-Type =="Administrative-User"

  Which matches if there's a request for administrative user.  You also
have to acknowledge that request in the response, otherwise the NAS will
not let the administrator in:

"testuser"  NAS-IP-Address == "172.16.8.30", Cleartext-Password := "testing", Service-Type == "Administrative-User"
            Service-Type := "Administrative-User"

> However, when I run a packet capture, I see that no Radius attributes are
> being passed back to the NAS device. Shouldn't I be seeing the
> Administrative-User attribute?

  If you don't tell the server to send it back, no.

  Alan DeKok.
--
  http://deployingradius.com   - The web site of the book
  http://deployingradius.com/blog/ - The blog
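A users file layout that applies Alan's point (the NAS acts on the reply item, not on the check item) together with Arran's observation about NASes that send NAS-Prompt-User at login and Administrative-User on elevation. This is an added example written for this thread, not configuration posted by anyone here or shipped with FreeRADIUS. The user names and passwords are invented, the NAS address 172.16.8.30 is reused from Matt's entry, and the read-only entry assumes the NAS always includes a Service-Type in its Access-Request, as Arran's do.

```text
# Added example (not from the thread): one users-file entry per operator.
# The access level is decided per user by the reply item, so the same entry
# works whether the switch asked for Service-Type 7 (login) or 6 (elevation).

# Read-write administrator.  No Service-Type check item, so the entry matches
# a NAS-Prompt-User request at login and an Administrative-User request on
# elevation alike; the reply grants Administrative-User in both cases.
"alice"   Cleartext-Password := "alice-secret", NAS-IP-Address == "172.16.8.30"
          Service-Type := "Administrative-User"

# Read-only operator.  The check item matches only a NAS-Prompt-User request,
# so an elevation request (Service-Type 6) for this user matches nothing and
# falls to the DEFAULT below.  Assumes the NAS always sends Service-Type.
"bob"     Cleartext-Password := "bob-secret", NAS-IP-Address == "172.16.8.30", Service-Type == "NAS-Prompt-User"
          Service-Type := "NAS-Prompt-User"

# Anything not matched above (unknown user, or a request for a level the user
# was not granted) is rejected explicitly rather than left to fall through.
DEFAULT   Auth-Type := Reject
          Reply-Message := "Requested access level not granted"
```

Check items live on the first line of each entry and reply items on the indented continuation lines; an entry with no Fall-Through stops processing once it matches, which is what makes the trailing DEFAULT the catch-all for everything else.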


Re: NAS not accepting the Access-Accept?

2007-04-23 Thread A . L . M . Buxey
Hi,

> In the documentation of the switch it says:
> "To provide each user with appropriate levels of access to the switch, set
> the following username attributes on your RADIUS server:
> - R/W access -- Set the Service-Type field value to Administrative
> - Read-Only -- set the Service-Type field value to NAS-Prompt"
> 
> So, in my users file, I have defined a user:
> "testuser"  NAS-IP-Address == "172.16.8.30", Cleartext-Password :=
> "testing", Service-Type =="Administrative-User"


"testuser"  NAS-IP-Address == "172.16.8.30", Cleartext-Password := "testing", 
Service-Type = "Administrative-User"

though if the server doesn't understand that attribute you may need to
add it to the dictionary file

however, another method is to use one of the other modules, e.g.
the Perl module, as part of authorization. It's trivial to then check the
NAS, the user and then assign/add new attributes.

alan



NAS not accepting the Access-Accept?

2007-04-23 Thread Matt Ashfield
Hi,

I have a network switch that I'm trying to configure to allow Console port
authentication via RADIUS.

In the documentation of the switch it says:
"To provide each user with appropriate levels of access to the switch, set
the following username attributes on your RADIUS server:
- R/W access -- Set the Service-Type field value to Administrative
- Read-Only -- set the Service-Type field value to NAS-Prompt"

So, in my users file, I have defined a user:
"testuser"  NAS-IP-Address == "172.16.8.30", Cleartext-Password :=
"testing", Service-Type =="Administrative-User"


When I run in debug mode, I get the following in my log, which implies to me
that the user is successfully authorized and the Access-Accept message is
being sent back. 
Mon Apr 23 14:38:15 2007 : Debug: rlm_pap: login attempt with password
testing
Mon Apr 23 14:38:15 2007 : Debug: rlm_pap: Using clear text password
"testing".
Mon Apr 23 14:38:15 2007 : Debug: rlm_pap: User authenticated succesfully
Mon Apr 23 14:38:15 2007 : Debug:   modsingle[authenticate]: returned from
pap (rlm_pap) for request 0
Mon Apr 23 14:38:15 2007 : Debug:   modcall[authenticate]: module "pap"
returns ok for request 0
Mon Apr 23 14:38:15 2007 : Debug: modcall: leaving group PAP (returns ok)
for request 0
Sending Access-Accept of id 16 to 172.16.8.30 port 2048

However, when I run a packet capture, I see that no Radius attributes are
being passed back to the NAS device. Shouldn't I be seeing the
Administrative-User attribute?

Thanks

Matt
[EMAIL PROTECTED] 




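What Matt saw in his capture (an Access-Accept with no attributes) can be confirmed programmatically rather than by eye. The following is an added example, not code from the thread or from FreeRADIUS: a small decoder for RADIUS reply packets that walks the attributes using the Length field, checks the Response Authenticator against the shared secret as RFC 2865 section 3 defines it, and reports which Service-Type, if any, the reply grants. The shared secret, the Request Authenticator and both sample packets are constructed inline; the packet id 16 is taken from Matt's debug log.

```python
import hashlib
import hmac
import struct

# RADIUS packet codes and the attribute this thread is about (RFC 2865).
ACCESS_REQUEST = 1
ACCESS_ACCEPT = 2
ACCESS_REJECT = 3
ATTR_SERVICE_TYPE = 6
SERVICE_TYPE_NAMES = {6: "Administrative-User", 7: "NAS-Prompt-User"}


def build_response(code, ident, request_auth, attrs, secret):
    """Serialize a RADIUS response; attrs is a list of (type, value_bytes).

    The Response Authenticator is MD5(Code + ID + Length + RequestAuth +
    Attributes + Secret), as RFC 2865 section 3 specifies (MD5 is what the
    protocol mandates here, not a choice of this example)."""
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)
    header = struct.pack("!BBH", code, ident, 20 + len(body))
    response_auth = hashlib.md5(header + request_auth + body + secret).digest()
    return header + response_auth + body


def parse_packet(data):
    """Split a packet into (code, id, authenticator, [(type, value), ...]).

    Only the Length field is trusted for the attribute walk: trailing padding
    is ignored, and a truncated or overlapping attribute raises ValueError."""
    if len(data) < 20:
        raise ValueError("packet shorter than the 20-byte RADIUS header")
    code, ident, length = struct.unpack("!BBH", data[:4])
    if length < 20 or length > len(data):
        raise ValueError("bad Length field")
    attrs = []
    pos = 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        attr_type, attr_len = data[pos], data[pos + 1]
        if attr_len < 2 or pos + attr_len > length:
            raise ValueError("bad attribute length")
        attrs.append((attr_type, data[pos + 2:pos + attr_len]))
        pos += attr_len
    return code, ident, data[4:20], attrs


def response_is_authentic(data, request_auth, secret):
    """True if the Response Authenticator matches the shared secret."""
    code, ident, length = struct.unpack("!BBH", data[:4])
    expected = hashlib.md5(data[:4] + request_auth + data[20:length] + secret).digest()
    return hmac.compare_digest(expected, data[4:20])


def granted_service_type(data):
    """Name of the Service-Type in the reply, or None if it carries none."""
    _, _, _, attrs = parse_packet(data)
    for attr_type, value in attrs:
        if attr_type == ATTR_SERVICE_TYPE:
            if len(value) != 4:
                raise ValueError("Service-Type must be a 4-byte integer")
            number = struct.unpack("!I", value)[0]
            return SERVICE_TYPE_NAMES.get(number, "Service-Type %d" % number)
    return None


# Constructed sample data (not from a real capture).
SECRET = b"testing123"
REQUEST_AUTH = bytes(range(16))   # stands in for the Request Authenticator the NAS sent
IDENT = 16                        # the "id 16" from Matt's debug log

# What Matt's capture showed: an Access-Accept carrying no attributes at all.
EMPTY_ACCEPT = build_response(ACCESS_ACCEPT, IDENT, REQUEST_AUTH, [], SECRET)

# What the corrected users entry produces: Service-Type = Administrative-User (6).
ADMIN_ACCEPT = build_response(
    ACCESS_ACCEPT, IDENT, REQUEST_AUTH,
    [(ATTR_SERVICE_TYPE, struct.pack("!I", 6))], SECRET)


if __name__ == "__main__":
    for label, pkt in (("empty", EMPTY_ACCEPT), ("admin", ADMIN_ACCEPT)):
        code, ident, _, attrs = parse_packet(pkt)
        print(label, "code", code, "id", ident, "attrs", len(attrs),
              "authentic", response_is_authentic(pkt, REQUEST_AUTH, SECRET),
              "service-type", granted_service_type(pkt))
```

Run against a real capture, the bytes of the UDP payload replace the constructed packets and the secret comes from the clients configuration; a reply that parses as an Access-Accept with an empty attribute list is exactly the symptom in this thread, and a failed authenticator check means the reply did not come from a server holding that secret.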