(RADIATOR) Cisco console privilege level
OLIVEIRA Telmo Jose
tjoliveira at novis.pt
Mon Jul 14 09:40:10 CDT 2003
Hi.
I want to set up an exec authentication and authorization system in my Cisco
router network using Radiator. When a user logs in, he/she gets privilege
level 15. As a last resort, a locally stored username/password is used.
All works OK when I connect via Telnet, but when I try to access through the
console, I can't get privilege level 15, only privilege level 1... The only
way to get privileged access is to telnet to an IP on the same router.
Here's the info:
1. Router:
-------------------------------------------------------------------------------
aaa new-model
!
aaa authentication login default group radius
aaa authorization exec default group radius if-authenticated
aaa accounting exec default start-stop group radius
aaa accounting commands 1 default start-stop group radius
aaa accounting commands 2 default start-stop group radius
aaa accounting commands 3 default start-stop group radius
aaa accounting commands 4 default start-stop group radius
aaa accounting commands 5 default start-stop group radius
aaa accounting commands 6 default start-stop group radius
aaa accounting commands 7 default start-stop group radius
aaa accounting commands 8 default start-stop group radius
aaa accounting commands 9 default start-stop group radius
aaa accounting commands 10 default start-stop group radius
aaa accounting commands 11 default start-stop group radius
aaa accounting commands 12 default start-stop group radius
aaa accounting commands 13 default start-stop group radius
aaa accounting commands 14 default start-stop group radius
aaa accounting commands 15 default start-stop group radius
aaa session-id common
enable secret *** SECRET PASSWORD ***
!
username *** LOCAL USERNAME*** password *** LOCAL PASSWORD ***
!
radius-server host *** RADIUS SERVER IP ADDRESS *** auth-port 1645 acct-port 1646
radius-server retransmit 3
radius-server key *** RADIUS KEY ***
!
line con 0
line aux 0
line vty 0 4
!
end
2. Radius usersdb
-------------------------------------------------------------------------------
*** MY USERNAME ***	Encrypted-Password = "*** MY ENCRYPTED PASSWORD ***"
	Service-Type = NAS-Prompt-User,
	cisco-avpair = shell:priv-lvl=15
3. Debug radius - Telnet access (got privilege level 15):
-------------------------------------------------------------------------------
RADIUS/ENCODE(00000016): ask "Username: "
RADIUS/ENCODE(00000016): send packet; GET_USER
RADIUS/ENCODE(00000016): ask "Password: "
RADIUS/ENCODE(00000016): send packet; GET_PASSWORD
RADIUS: AAA Unsupported [142] 4
RADIUS: 74 74 [tt]
RADIUS: Pick NAS IP for uid=22 tableid=0 cfg_addr=0.0.0.0 best_addr=*** ROUTER IP ADDRESS ***
RADIUS/ENCODE(00000016): acct_session_id: 41
RADIUS(00000016): sending
RADIUS(00000016): Send to unknown id 21645/77 *** RADIUS SERVER IP ADDRESS ***:1645, Access-Request, len 78
RADIUS: authenticator 2B 89 1B D4 73 16 55 71 - 9B DB 35 6E 55 0B 78 A5
RADIUS: User-Name [1] 7 "*** MY USERNAME ***"
RADIUS: User-Password [2] 18 *
RADIUS: NAS-Port [5] 6 6
RADIUS: NAS-Port-Type [61] 6 Virtual [5]
RADIUS: Calling-Station-Id [31] 15 "*** MY PC's IP ADDRESS ***"
RADIUS: NAS-IP-Address [4] 6 *** ROUTER IP ADDRESS ***
RADIUS: Received from id 21645/77 *** RADIUS SERVER IP ADDRESS ***:1645, Access-Accept, len 51
RADIUS: authenticator 89 A8 F3 73 2A 89 6E B4 - 7F 7C 30 89 02 20 12 4D
RADIUS: Service-Type [6] 6 NAS Prompt [7]
RADIUS: Vendor, Cisco [26] 25
RADIUS: Cisco AVpair [1] 19 "shell:priv-lvl=15"
RADIUS(00000016): Received from id 21645/77
RADIUS: Pick NAS IP for uid=22 tableid=0 cfg_addr=0.0.0.0 best_addr=*** ROUTER IP ADDRESS ***
4. Debug radius - Console access (got privilege level 1):
-------------------------------------------------------------------------------
RADIUS/ENCODE(00000015): ask "Username: "
RADIUS/ENCODE(00000015): send packet; GET_USER
RADIUS/ENCODE(00000015): ask "Password: "
RADIUS/ENCODE(00000015): send packet; GET_PASSWORD
RADIUS: AAA Unsupported [142] 4
RADIUS: 74 74 [tt]
RADIUS: Pick NAS IP for uid=21 tableid=0 cfg_addr=0.0.0.0 best_addr=*** ROUTER IP ADDRESS ***
RADIUS/ENCODE(00000015): acct_session_id: 40
RADIUS(00000015): sending
RADIUS(00000015): Send to unknown id 21645/74 *** RADIUS SERVER IP ADDRESS ***:1645, Access-Request, len 70
RADIUS: authenticator E8 E1 D9 04 B1 C1 C4 39 - 0D C3 55 D5 77 8B 6A 6F
RADIUS: User-Name [1] 7 "*** MY USERNAME ***"
RADIUS: User-Password [2] 18 *
RADIUS: NAS-Port [5] 6 0
RADIUS: NAS-Port-Type [61] 6 Async [0]
RADIUS: Calling-Station-Id [31] 7 "async"
RADIUS: NAS-IP-Address [4] 6 *** ROUTER IP ADDRESS ***
RADIUS: Received from id 21645/74 *** RADIUS SERVER IP ADDRESS ***:1645, Access-Accept, len 51
RADIUS: authenticator B7 C9 7B 36 4D BC 0A 74 - 38 AE 18 71 0C E9 5B C5
RADIUS: Service-Type [6] 6 NAS Prompt [7]
RADIUS: Vendor, Cisco [26] 25
RADIUS: Cisco AVpair [1] 19 "shell:priv-lvl=15"
RADIUS(00000015): Received from id 21645/74
RADIUS: Pick NAS IP for uid=21 tableid=0 cfg_addr=0.0.0.0 best_addr=*** ROUTER IP ADDRESS ***
Any ideas?
Thanks in advance
Telmo Oliveira
CCNP - CCDP
Portugal
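As an added example (not part of the original post), a small parser that reads the two debug radius captures above and checks what the RADIUS server actually returned in each case: the Access-Accept carries Service-Type NAS-Prompt and shell:priv-lvl=15 for both the Telnet and the console session, and the only difference between the two exchanges is on the router side of the request (NAS-Port-Type Virtual versus Async). The embedded captures are constructed excerpts of the post's output with its placeholders kept as written; the attribute names are the ones IOS prints.

```python
import re

# Constructed excerpts of the two "debug radius" captures from the post
# (placeholders kept as the poster wrote them); not output from a live router.
TELNET_DEBUG = """\
RADIUS(00000016): Send to unknown id 21645/77 *** RADIUS SERVER IP ADDRESS ***:1645, Access-Request, len 78
RADIUS: User-Name [1] 7 "*** MY USERNAME ***"
RADIUS: NAS-Port-Type [61] 6 Virtual [5]
RADIUS: Calling-Station-Id [31] 15 "*** MY PC's IP ADDRESS ***"
RADIUS: Received from id 21645/77 *** RADIUS SERVER IP ADDRESS ***:1645, Access-Accept, len 51
RADIUS: Service-Type [6] 6 NAS Prompt [7]
RADIUS: Vendor, Cisco [26] 25
RADIUS: Cisco AVpair [1] 19 "shell:priv-lvl=15"
"""
CONSOLE_DEBUG = """\
RADIUS(00000015): Send to unknown id 21645/74 *** RADIUS SERVER IP ADDRESS ***:1645, Access-Request, len 70
RADIUS: User-Name [1] 7 "*** MY USERNAME ***"
RADIUS: NAS-Port-Type [61] 6 Async [0]
RADIUS: Calling-Station-Id [31] 7 "async"
RADIUS: Received from id 21645/74 *** RADIUS SERVER IP ADDRESS ***:1645, Access-Accept, len 51
RADIUS: Service-Type [6] 6 NAS Prompt [7]
RADIUS: Vendor, Cisco [26] 25
RADIUS: Cisco AVpair [1] 19 "shell:priv-lvl=15"
"""

# One IOS attribute line: "RADIUS: <name> [<type>] <length> <value>".
# The "Vendor, Cisco" header line deliberately does not match (comma in name).
ATTR_RE = re.compile(r'^RADIUS:\s+(?P<name>[A-Za-z][A-Za-z -]*?)\s+\[\d+\]\s+\d+\s*(?P<val>.*)$')

def parse_radius_debug(text):
    """Split one capture into {attribute: value} for the request and for the reply."""
    request, reply, current = {}, {}, None
    for line in text.splitlines():
        if 'Access-Request' in line:        # router -> server
            current = request
        elif 'Access-Accept' in line:       # server -> router
            current = reply
        elif current is not None and (m := ATTR_RE.match(line)):
            current[m.group('name')] = m.group('val').strip()
    return request, reply

def granted_priv_lvl(reply):
    """Privilege level carried in the Cisco AVpair of an Access-Accept, or None."""
    m = re.search(r'shell:priv-lvl=(\d+)', reply.get('Cisco AVpair', ''))
    return int(m.group(1)) if m else None

def diagnose(telnet_text, console_text):
    """Compare both sessions: which line type each came in on, and what the server granted."""
    t_req, t_rep = parse_radius_debug(telnet_text)
    c_req, c_rep = parse_radius_debug(console_text)
    return {'telnet_line': t_req['NAS-Port-Type'], 'console_line': c_req['NAS-Port-Type'],
            'telnet_priv_lvl': granted_priv_lvl(t_rep), 'console_priv_lvl': granted_priv_lvl(c_rep),
            'same_reply': t_rep == c_rep}
```

Since the server grants level 15 to both sessions, the gap is in how the router applies the reply to the console line: IOS applies the `aaa authorization exec` method list to line con 0 only when `aaa authorization console` is also configured, and that command is absent from the posted configuration.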
===
Archive at http://www.open.com.au/archives/radiator/
Announcements on radiator-announce at open.com.au
To unsubscribe, email 'majordomo at open.com.au' with
'unsubscribe radiator' in the body of the message.