Re: NAS not accepting the Access-Accept?
Matt Ashfield wrote:
> Hi,
>
> I have a network switch that I'm trying to configure to allow console port
> authentication via RADIUS. In the documentation of the switch it says:
>
>   To provide each user with appropriate levels of access to the switch, set
>   the following username attributes on your RADIUS server:
>   - R/W access -- set the Service-Type field value to Administrative
>   - Read-Only  -- set the Service-Type field value to NAS-Prompt
>
> So, in my users file, I have defined a user:
>
>   testuser  NAS-IP-Address == 172.16.8.30, Cleartext-Password := testing, Service-Type == Administrative-User

  Which matches if there's a request for administrative user. You also have
to acknowledge that request in the response, otherwise the NAS will not let
the administrator in:

  testuser  NAS-IP-Address == 172.16.8.30, Cleartext-Password := testing, Service-Type == Administrative-User
            Service-Type := Administrative-User

> However, when I run a packet capture, I see that no RADIUS attributes are
> being passed back to the NAS device. Shouldn't I be seeing the
> Administrative-User attribute?

  If you don't tell the server to send it back, no.

  Alan DeKok.
--
http://deployingradius.com       - The web site of the book
http://deployingradius.com/blog/ - The blog
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: NAS not accepting the Access-Accept?
>   testuser  NAS-IP-Address == 172.16.8.30, Cleartext-Password := testing, Service-Type == Administrative-User
>             Service-Type := Administrative-User

Hmm, not all NAS will request Service-Type 6 (Administrative-User); all ours
request Service-Type 7 (NAS-Prompt-User), but still respect the access level
sent back in the reply...

To make matters even more interesting, ours support user elevation via the
command line, in which case it will send a request with Service-Type 6...

So for your final implementation, it's best to support both and then decide on
an access level on a per-user basis.
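The behaviour the two replies above describe, as an added Python illustration that is not from the thread or from FreeRADIUS: a tiny RADIUS attribute encoder/decoder (RFC 2865 type/length/value) and an authorize step that accepts a NAS asking for either Service-Type 6 or 7, decides the level from a constructed per-user table, and always puts Service-Type in the Access-Accept. The `authorize` function, the "readonly" user and the policy table are assumptions; only "testuser" on 172.16.8.30 comes from the thread.

```python
import struct
from ipaddress import IPv4Address

# RADIUS attribute types and Service-Type values (RFC 2865).
ATTR_NAS_IP_ADDRESS = 4
ATTR_SERVICE_TYPE = 6
ADMINISTRATIVE_USER = 6   # read/write on the switch
NAS_PROMPT_USER = 7       # read-only

# Constructed per-user policy: highest level each user may get on a given NAS.
# "testuser" on 172.16.8.30 mirrors the thread; "readonly" is an assumed user.
USER_POLICY = {
    ("testuser", "172.16.8.30"): ADMINISTRATIVE_USER,
    ("readonly", "172.16.8.30"): NAS_PROMPT_USER,
}

def encode_avp(attr_type, value):
    """Encode one attribute as type/length/value; ints are 4-byte big-endian."""
    data = IPv4Address(value).packed if attr_type == ATTR_NAS_IP_ADDRESS \
        else struct.pack("!I", value)
    return struct.pack("!BB", attr_type, 2 + len(data)) + data

def decode_avps(blob):
    """Parse a run of attribute-value pairs into {type: raw value bytes}."""
    avps, pos = {}, 0
    while pos < len(blob):
        if pos + 2 > len(blob) or blob[pos + 1] < 2 or pos + blob[pos + 1] > len(blob):
            raise ValueError("malformed attribute at offset %d" % pos)
        avps[blob[pos]] = blob[pos + 2:pos + blob[pos + 1]]
        pos += blob[pos + 1]
    return avps

def authorize(user, request_attrs):
    """Reply attributes for an Access-Accept, or None to reject.

    Handles a NAS that asks for Administrative-User (6) up front and one that
    asks for NAS-Prompt-User (7) and honours the level in the reply: the reply
    carries the user's policy level, and asking for 6 beyond policy is rejected."""
    req = decode_avps(request_attrs)
    nas_ip = str(IPv4Address(req[ATTR_NAS_IP_ADDRESS])) if ATTR_NAS_IP_ADDRESS in req else None
    requested = struct.unpack("!I", req.get(ATTR_SERVICE_TYPE, b"\0\0\0\7"))[0]
    allowed = USER_POLICY.get((user, nas_ip))
    if allowed is None or requested not in (ADMINISTRATIVE_USER, NAS_PROMPT_USER):
        return None
    if requested == ADMINISTRATIVE_USER and allowed != ADMINISTRATIVE_USER:
        return None  # command-line elevation attempt by a read-only user
    # The fix from the thread: the Access-Accept must carry Service-Type back.
    return encode_avp(ATTR_SERVICE_TYPE, allowed)
```

Decoding the returned bytes with `decode_avps` is the same check a packet capture would give you: the Service-Type attribute must be present in the reply, not only matched in the request.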
RE: NAS not accepting the Access-Accept?
Ok thanks! I am definitely seeing the NAS request Administrative-User in the
Access-Request packet. I guess I wasn't returning it!

Thanks for your help.

Matt

-----Original Message-----
From: Alan DeKok [mailto:[EMAIL PROTECTED]]
Sent: April 24, 2007 3:21 AM
To: [EMAIL PROTECTED]; FreeRadius users mailing list
Subject: Re: NAS not accepting the Access-Accept?
Re: NAS not accepting the Access-Accept?
Hi,

> In the documentation of the switch it says:
>
>   To provide each user with appropriate levels of access to the switch, set
>   the following username attributes on your RADIUS server:
>   - R/W access -- set the Service-Type field value to Administrative
>   - Read-Only  -- set the Service-Type field value to NAS-Prompt
>
> So, in my users file, I have defined a user:
>
>   testuser  NAS-IP-Address == 172.16.8.30, Cleartext-Password := testing, Service-Type == Administrative-User

  testuser  NAS-IP-Address == 172.16.8.30, Cleartext-Password := testing, Service-Type = Administrative-User

though if the server doesn't understand that attribute you may need to add it
to the dictionary file.

However, another method to use is one of the other modules, e.g. the PERL
module, as part of authorization. It's trivial to then check the NAS, the user
and then assign/add new attributes.

alan