I want to configure a number of 3550 switches to use FreeRADIUS and to go directly to enable mode when logging on to the switch over SSH.
This is the config of my 3550:
aaa new-model
!
aaa authentication login default group radius enable
aaa authentication login login-list group radius enable
aaa authentication enable default group radius enable
aaa authorization exec exec-list group radius if-authenticated
!
enable secret 5 ******************
!
radius-server host 172.17.17.25 auth-port 1812 acct-port 1813
radius-server retransmit 3
radius-server key my-radius-secret
radius-server vsa send authentication
!
line con 0
login authentication login-list
authorization exec exec-list
!
line vty 0 15
login authentication login-list
authorization exec exec-list
!
end
On FreeRADIUS, in /etc/raddb/clients.conf, I have the following configured:
client 172.17.255.6 {
secret = my-radius-secret
shortname = switch-name
nastype = cisco
}
And in /etc/raddb/users:
# check items on the first line; reply items follow on indented lines
username Auth-Type := Local, User-Password == "user-password"
	cisco-avpair = "shell:priv-lvl=15"
What happens is: when I log on, the RADIUS server reports an "Access-Accept" but the switch displays "%authorization failed".
I think this may be an IOS-version-related problem because I managed to make this work on a 3640 router with IOS 12.3 something. The 3550s have 12.1(19)EA1.
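Added example, not from the original post: a small Python encoder/decoder for the Access-Accept the switch receives, so the attributes the reply actually carries can be compared with what IOS exec authorization looks at (a Service-Type such as NAS-Prompt-User or Administrative-User, and the `shell:priv-lvl` Cisco AVPair). The packet identifier and Request Authenticator are constructed values; the shared secret is the one from the post. The reply built the way the post's `users` entry would produce it carries only the AVPair and no Service-Type, which is one common cause of `% Authorization failed` after an Access-Accept; the authenticator check also shows how a reply made with a mismatched secret would be rejected by the switch.

```python
import hashlib
import struct

# RADIUS codes and attribute numbers from RFC 2865.
ACCESS_ACCEPT = 2
ATTR_SERVICE_TYPE = 6
ATTR_VENDOR_SPECIFIC = 26
VENDOR_CISCO = 9          # IANA enterprise number for Cisco
CISCO_AVPAIR = 1          # Cisco VSA sub-type for cisco-avpair
SERVICE_TYPE_NAMES = {6: "Administrative-User", 7: "NAS-Prompt-User"}

# Constructed sample values (not captured traffic): the secret from the post,
# an arbitrary packet identifier and a fixed 16-byte Request Authenticator.
SHARED_SECRET = b"my-radius-secret"
SAMPLE_IDENTIFIER = 0x2A
SAMPLE_REQUEST_AUTH = bytes(range(16))


def avp(attr_type, value):
    """Encode one RADIUS attribute: Type, Length (header included), Value."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", attr_type, 2 + len(value)) + value


def service_type(value):
    return avp(ATTR_SERVICE_TYPE, struct.pack("!I", value))


def cisco_avpair(text):
    """Encode a Vendor-Specific attribute carrying one Cisco AVPair string."""
    inner = avp(CISCO_AVPAIR, text.encode("ascii"))
    return avp(ATTR_VENDOR_SPECIFIC, struct.pack("!I", VENDOR_CISCO) + inner)


def build_access_accept(identifier, request_auth, secret, attributes):
    """Build an Access-Accept; the Response Authenticator (RFC 2865 section 3)
    is MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    body = b"".join(attributes)
    header = struct.pack("!BBH", ACCESS_ACCEPT, identifier, 20 + len(body))
    response_auth = hashlib.md5(header + request_auth + body + secret).digest()
    return header + response_auth + body


def verify_response_authenticator(packet, request_auth, secret):
    """True only when the reply was produced with the secret the NAS uses."""
    expected = hashlib.md5(packet[:4] + request_auth + packet[20:] + secret).digest()
    return expected == packet[4:20]


def parse_attributes(packet):
    """Walk the attribute list of a RADIUS packet and return (name, value) pairs."""
    _code, _identifier, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet) or length < 20:
        raise ValueError("bad RADIUS length field")
    attrs = []
    pos = 20
    while pos < length:
        attr_type, attr_len = packet[pos], packet[pos + 1]
        if attr_len < 2 or pos + attr_len > length:
            raise ValueError("malformed attribute")
        value = packet[pos + 2:pos + attr_len]
        if attr_type == ATTR_SERVICE_TYPE:
            attrs.append(("Service-Type", struct.unpack("!I", value)[0]))
        elif attr_type == ATTR_VENDOR_SPECIFIC:
            vendor = struct.unpack("!I", value[:4])[0]
            sub_type, sub_len = value[4], value[5]
            sub_value = value[6:4 + sub_len]
            if vendor == VENDOR_CISCO and sub_type == CISCO_AVPAIR:
                attrs.append(("Cisco-AVPair", sub_value.decode("ascii", "replace")))
            else:
                attrs.append(("Vendor-Specific", (vendor, sub_type, sub_value)))
        else:
            attrs.append((f"Attr-{attr_type}", value))
        pos += attr_len
    return attrs


def exec_authorization_view(packet):
    """Summarise the two reply items IOS exec authorization looks at."""
    view = {"service_type": None, "priv_lvl": None}
    for name, value in parse_attributes(packet):
        if name == "Service-Type":
            view["service_type"] = SERVICE_TYPE_NAMES.get(value, value)
        elif name == "Cisco-AVPair" and value.startswith("shell:priv-lvl="):
            view["priv_lvl"] = int(value.split("=", 1)[1])
    return view


# Reply as the users entry in the post would produce it: only the AVPair.
REPLY_AVPAIR_ONLY = build_access_accept(
    SAMPLE_IDENTIFIER, SAMPLE_REQUEST_AUTH, SHARED_SECRET,
    [cisco_avpair("shell:priv-lvl=15")])
# Reply that also carries Service-Type = NAS-Prompt-User (7).
REPLY_WITH_SERVICE_TYPE = build_access_accept(
    SAMPLE_IDENTIFIER, SAMPLE_REQUEST_AUTH, SHARED_SECRET,
    [service_type(7), cisco_avpair("shell:priv-lvl=15")])

if __name__ == "__main__":
    for label, pkt in (("avpair only", REPLY_AVPAIR_ONLY),
                       ("with Service-Type", REPLY_WITH_SERVICE_TYPE)):
        ok = verify_response_authenticator(pkt, SAMPLE_REQUEST_AUTH, SHARED_SECRET)
        print(label, "authenticator ok" if ok else "authenticator BAD", exec_authorization_view(pkt))
```

Run it to see the two summaries side by side; the same decoder can be pointed at a reply captured with `debug radius` or a packet capture to confirm whether the server's reply contains a Service-Type at all, before suspecting the IOS version.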