1422 Views, 0 Helpful, 1 Reply

Go straight to enable mode with Freeradius

slaterc
Level 1

I want to configure a number of 3550 switches to use Freeradius and to go directly to enable mode when logging on to the switch over SSH.

This is the config of my 3550:

aaa new-model
!
aaa authentication login default group radius enable
aaa authentication login login-list group radius enable
aaa authentication enable default group radius enable
aaa authorization exec exec-list group radius if-authenticated
!
enable secret 5 ******************
!
radius-server host 172.17.17.25 auth-port 1812 acct-port 1813
radius-server retransmit 3
radius-server key my-radius-secret
radius-server vsa send authentication
!
line con 0
 login authentication login-list
 authorization exec exec-list
!
line vty 0 15
 login authentication login-list
 authorization exec exec-list
!
end

On freeradius, in /etc/raddb/clients.conf, I have the following configured:

client 172.17.255.6 {
	secret = my-radius-secret
	shortname = switch-name
	nastype = cisco
}

And in /etc/raddb/users:

username	Auth-Type := Local, User-Password == "user-password"
	cisco-avpair = "shell:priv-lvl=15"

What happens is: when I log on, the radius server reports an "access-accept" but the switch displays "%authorization failed".

I think this may be an IOS-version related problem because I managed to make this work on a 3640 router with IOS 12.3 something. The 3550s have 12.1(19)EA1.

1 Reply

slaterc
Level 1

Well, I solved it myself (if anyone's interested):

For IOS up to 12.2, you need this in each user entry in /etc/raddb/users:

username	..........
	Service-Type = Framed-User
	..........

It seems you *don't* need this in 12.3, at least that's what my testing shows.
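As an added example (not code from this thread), here is a small Python check that parses entries in the FreeRADIUS users file format used above and flags users who are granted shell:priv-lvl=15 but have no Service-Type reply item, the combination the reply says fails authorization on IOS before 12.3. The sample usernames, passwords and file content are constructed for the example.

```python
import re

# Constructed sample of /etc/raddb/users content: a non-indented check-item
# line per user, followed by tab-indented reply-item lines (comma-separated).
SAMPLE_USERS = """\
alice\tAuth-Type := Local, User-Password == "alice-password"
\tService-Type = Framed-User,
\tcisco-avpair = "shell:priv-lvl=15"

bob\tAuth-Type := Local, User-Password == "bob-password"
\tcisco-avpair = "shell:priv-lvl=15"

carol\tAuth-Type := Local, User-Password == "carol-password"
\tcisco-avpair = "shell:priv-lvl=1"
"""

PRIV15 = re.compile(r"shell:priv-lvl=15\b")


def parse_users(text):
    """Return {username: [reply items]} from users-file text.

    A line starting in column 0 begins a new entry (first word is the user);
    indented lines are that entry's reply items. Blank and '#' lines are skipped.
    """
    entries, current = {}, None
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if line[0] not in " \t":
            current = line.split(None, 1)[0]
            entries[current] = []
        elif current is not None:
            entries[current].append(line.strip().rstrip(","))
    return entries


def missing_service_type(text):
    """Users who get priv-lvl 15 in the Access-Accept but send no Service-Type.

    On the pre-12.3 IOS the poster describes, such entries authenticate but
    fail exec authorization, so they are worth flagging before rollout.
    """
    flagged = []
    for user, items in parse_users(text).items():
        grants_15 = any(PRIV15.search(i) for i in items)
        has_service_type = any(i.lower().startswith("service-type") for i in items)
        if grants_15 and not has_service_type:
            flagged.append(user)
    return flagged


if __name__ == "__main__":
    print("entries lacking Service-Type:", missing_service_type(SAMPLE_USERS))
```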