(RADIATOR) Cisco console privilege level

Hugh Irvine hugh at open.com.au
Mon Jul 14 21:37:14 CDT 2003


Hello Telmo -

Thanks for your mail.

I think this is a Cisco issue, as the debug appears to show that radius is doing the same thing in both cases.

Perhaps it is not possible to control the console port in this way?

Check with your Cisco support person or the Cisco web site.

regards

Hugh


On Tuesday, Jul 15, 2003, at 00:40 Australia/Melbourne, OLIVEIRA Telmo Jose wrote:

> Hi.
>
> I want to set up an exec authentication and authorization system in my Cisco
> routers network using Radiator. When a user logs in, he/she gets privilege
> level 15. As a last resort, a locally stored username/password is used.
>
> All works OK when I connect via telnet, but when I try to access through the
> console, I can't get privilege level 15, only privilege level 1... The only
> way to get privileged access is to telnet to an IP on the same router.
>
> Here's the info:
>
> 1. Router:
> --------------------------------------------------------------------------------
>     aaa new-model
>     !
>     aaa authentication login default group radius
>     aaa authorization exec default group radius if-authenticated
>     aaa accounting exec default start-stop group radius
>     aaa accounting commands 1 default start-stop group radius
>     aaa accounting commands 2 default start-stop group radius
>     aaa accounting commands 3 default start-stop group radius
>     aaa accounting commands 4 default start-stop group radius
>     aaa accounting commands 5 default start-stop group radius
>     aaa accounting commands 6 default start-stop group radius
>     aaa accounting commands 7 default start-stop group radius
>     aaa accounting commands 8 default start-stop group radius
>     aaa accounting commands 9 default start-stop group radius
>     aaa accounting commands 10 default start-stop group radius
>     aaa accounting commands 11 default start-stop group radius
>     aaa accounting commands 12 default start-stop group radius
>     aaa accounting commands 13 default start-stop group radius
>     aaa accounting commands 14 default start-stop group radius
>     aaa accounting commands 15 default start-stop group radius
>     aaa session-id common
>     enable secret *** SECRET PASSWORD ***
>     !
>     username *** LOCAL USERNAME*** password *** LOCAL PASSWORD ***
>     !
>     radius-server host *** RADIUS SERVER IP ADDRESS*** auth-port 1645 acct-port 1646
>     radius-server retransmit 3
>     radius-server key *** RADIUS KEY ***
>     !
>     line con 0
>     line aux 0
>     line vty 0 4
>     !
>     end
>
>
> 2. Radius usersdb
> --------------------------------------------------------------------------------
>     *** MY USERNAME ***    Encrypted-Password = "*** MY ENCRYPTED PASSWORD ***"
>
>             Service-Type = NAS-Prompt-User,
>             cisco-avpair = shell:priv-lvl=15
>
>
> 3. Debug radius - Telnet access (got privilege level 15):
> --------------------------------------------------------------------------------
>     RADIUS/ENCODE(00000016): ask "Username: "
>     RADIUS/ENCODE(00000016): send packet; GET_USER
>     RADIUS/ENCODE(00000016): ask "Password: "
>     RADIUS/ENCODE(00000016): send packet; GET_PASSWORD
>     RADIUS:  AAA Unsupported     [142] 4
>     RADIUS:   74 74                                            [tt]
>     RADIUS: Pick NAS IP for uid=22 tableid=0 cfg_addr=0.0.0.0 best_addr=*** ROUTER IP ADDRESS ***
>     RADIUS/ENCODE(00000016): acct_session_id: 41
>     RADIUS(00000016): sending
>     RADIUS(00000016): Send to unknown id 21645/77 *** RADIUS SERVER IP ADDRESS ***:1645, Access-Request, len 78
>     RADIUS:  authenticator 2B 89 1B D4 73 16 55 71 - 9B DB 35 6E 55 0B 78 A5
>     RADIUS:  User-Name           [1]   7   "*** MY USERNAME ***"
>     RADIUS:  User-Password       [2]   18  *
>     RADIUS:  NAS-Port            [5]   6   6
>     RADIUS:  NAS-Port-Type       [61]  6   Virtual                    [5]
>     RADIUS:  Calling-Station-Id  [31]  15  "*** MY PC's IP ADDRESS ***"
>     RADIUS:  NAS-IP-Address      [4]   6   *** ROUTER IP ADDRESS ***
>     RADIUS: Received from id 21645/77 *** RADIUS SERVER IP ADDRESS ***:1645, Access-Accept, len 51
>     RADIUS:  authenticator 89 A8 F3 73 2A 89 6E B4 - 7F 7C 30 89 02 20 12 4D
>     RADIUS:  Service-Type        [6]   6   NAS Prompt                 [7]
>     RADIUS:  Vendor, Cisco       [26]  25
>     RADIUS:   Cisco AVpair       [1]   19  "shell:priv-lvl=15"
>     RADIUS(00000016): Received from id 21645/77
>     RADIUS: Pick NAS IP for uid=22 tableid=0 cfg_addr=0.0.0.0 best_addr=*** ROUTER IP ADDRESS ***
>
> 4. Debug radius - Console access (got privilege level 1):
> --------------------------------------------------------------------------------
>     RADIUS/ENCODE(00000015): ask "Username: "
>     RADIUS/ENCODE(00000015): send packet; GET_USER
>     RADIUS/ENCODE(00000015): ask "Password: "
>     RADIUS/ENCODE(00000015): send packet; GET_PASSWORD
>     RADIUS:  AAA Unsupported     [142] 4
>     RADIUS:   74 74                                            [tt]
>     RADIUS: Pick NAS IP for uid=21 tableid=0 cfg_addr=0.0.0.0 best_addr=*** ROUTER IP ADDRESS ***
>     RADIUS/ENCODE(00000015): acct_session_id: 40
>     RADIUS(00000015): sending
>     RADIUS(00000015): Send to unknown id 21645/74 *** RADIUS SERVER IP ADDRESS ***:1645, Access-Request, len 70
>     RADIUS:  authenticator E8 E1 D9 04 B1 C1 C4 39 - 0D C3 55 D5 77 8B 6A 6F
>     RADIUS:  User-Name           [1]   7   "*** MY USERNAME ***"
>     RADIUS:  User-Password       [2]   18  *
>     RADIUS:  NAS-Port            [5]   6   0
>     RADIUS:  NAS-Port-Type       [61]  6   Async                      [0]
>     RADIUS:  Calling-Station-Id  [31]  7   "async"
>     RADIUS:  NAS-IP-Address      [4]   6   *** ROUTER IP ADDRESS ***
>     RADIUS: Received from id 21645/74 *** RADIUS SERVER IP ADDRESS ***:1645, Access-Accept, len 51
>     RADIUS:  authenticator B7 C9 7B 36 4D BC 0A 74 - 38 AE 18 71 0C E9 5B C5
>     RADIUS:  Service-Type        [6]   6   NAS Prompt                 [7]
>     RADIUS:  Vendor, Cisco       [26]  25
>     RADIUS:   Cisco AVpair       [1]   19  "shell:priv-lvl=15"
>     RADIUS(00000015): Received from id 21645/74
>     RADIUS: Pick NAS IP for uid=21 tableid=0 cfg_addr=0.0.0.0 best_addr=*** ROUTER IP ADDRESS ***
>
> Any ideas?
>
> Thanks in Advance
>
> Telmo Oliveira
> CCNP - CCDP
> Portugal
> ===
> Archive at http://www.open.com.au/archives/radiator/
> Announcements on radiator-announce at open.com.au
> To unsubscribe, email 'majordomo at open.com.au' with
> 'unsubscribe radiator' in the body of the message.
>
>

NB: have you included a copy of your configuration file (no secrets),
together with a trace 4 debug showing what is happening?

-- 
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. Available on *NIX, *BSD, Windows 95/98/2000, NT, MacOS X.
-
Nets: internetwork inventory and management - graphical, extensible,
flexible with hardware, software, platform and database independence.
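To check the observation in the reply mechanically, here is an added example (not from the thread, Radiator or Cisco) that parses the two debug radius traces quoted above and diffs their attributes per packet type. The trace excerpts are constructed from the quoted output with wrapped lines rejoined; the masked values are kept as the poster gave them.

```python
import re

# Constructed excerpts of the two "debug radius" traces quoted above, with the
# wrapped lines rejoined and the poster's masked values left as given.
TELNET_TRACE = """\
RADIUS(00000016): Send to unknown id 21645/77 *** RADIUS SERVER IP ADDRESS ***:1645, Access-Request, len 78
RADIUS:  User-Name           [1]   7   "*** MY USERNAME ***"
RADIUS:  NAS-Port            [5]   6   6
RADIUS:  NAS-Port-Type       [61]  6   Virtual                    [5]
RADIUS:  Calling-Station-Id  [31]  15  "*** MY PC's IP ADDRESS ***"
RADIUS: Received from id 21645/77 *** RADIUS SERVER IP ADDRESS ***:1645, Access-Accept, len 51
RADIUS:  Service-Type        [6]   6   NAS Prompt                 [7]
RADIUS:  Vendor, Cisco       [26]  25
RADIUS:   Cisco AVpair       [1]   19  "shell:priv-lvl=15"
"""
CONSOLE_TRACE = """\
RADIUS(00000015): Send to unknown id 21645/74 *** RADIUS SERVER IP ADDRESS ***:1645, Access-Request, len 70
RADIUS:  User-Name           [1]   7   "*** MY USERNAME ***"
RADIUS:  NAS-Port            [5]   6   0
RADIUS:  NAS-Port-Type       [61]  6   Async                      [0]
RADIUS:  Calling-Station-Id  [31]  7   "async"
RADIUS: Received from id 21645/74 *** RADIUS SERVER IP ADDRESS ***:1645, Access-Accept, len 51
RADIUS:  Service-Type        [6]   6   NAS Prompt                 [7]
RADIUS:  Vendor, Cisco       [26]  25
RADIUS:   Cisco AVpair       [1]   19  "shell:priv-lvl=15"
"""

PACKET_RE = re.compile(r"(Access-Request|Access-Accept), len (\d+)")
ATTR_RE = re.compile(r"^RADIUS:\s+(.+?)\s+\[(\d+)\]\s+(\d+)\s*(.*)$")

def parse_trace(text):
    """Return {packet_type: {attribute_name: value}} for one debug radius trace."""
    packets, current = {}, None
    for line in text.splitlines():
        header = PACKET_RE.search(line)
        if header:
            current = packets.setdefault(header.group(1), {})
            continue
        attr = ATTR_RE.match(line)
        if attr and current is not None:
            # Collapse the column padding and drop the quoting around strings.
            value = re.sub(r"\s+", " ", attr.group(4)).strip().strip('"')
            current[attr.group(1)] = value
    return packets

def diff_attrs(a, b):
    """Attributes whose values differ between two parsed packets (missing -> None)."""
    return {k: (a.get(k), b.get(k)) for k in set(a) | set(b) if a.get(k) != b.get(k)}
```

Running diff_attrs over the two Access-Accept packets returns an empty dict, while over the two Access-Request packets it reports only NAS-Port, NAS-Port-Type and Calling-Station-Id, which is what the reply means by radius doing the same thing in both cases: the server returns shell:priv-lvl=15 either way, and only the router's own port description differs.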
