Steel Belted Radius and Catalyst Switches

salleek

I have an older SBR appliance w/ version 5.43 and some Cisco Catalyst switches w/ 12.2.25 to 53. Trying to get authorization to work via RADIUS. Basic config is:

aaa new-model
aaa group server radius RADIUS
 server <ip> auth-port 1645 acct-port 1646
 server <ip> auth-port 1645 acct-port 1646
!
aaa authentication login default group RADIUS local
aaa authentication login loginauth local
aaa authorization exec default group RADIUS if-authenticated
!
radius-server host <ip> auth-port 1645 acct-port 1646
radius-server host <ip> auth-port 1645 acct-port 1646
radius-server source-ports 1645-1646
radius-server timeout 2
radius-server key <snip>

Steel Belted is set up with a group that has:

cisco-AVPAIR shell:priv-lvl=15
cisco-AVPAIR Service-Type=login

When I try to log in I get:

Username: kenny.sallee
Password:
% Authorization failed.

debug:

000860: 49w2d: tty2 AAA/AUTHOR/EXEC (3084441039): Port='tty2' list='' service=EXEC
000861: 49w2d: AAA/AUTHOR/EXEC: tty2 (3084441039) user='kenny.sallee'
000862: 49w2d: tty2 AAA/AUTHOR/EXEC (3084441039): send AV service=shell
000863: 49w2d: tty2 AAA/AUTHOR/EXEC (3084441039): send AV cmd*
000864: 49w2d: tty2 AAA/AUTHOR/EXEC (3084441039): found list "default"
000865: 49w2d: tty2 AAA/AUTHOR/EXEC (3084441039): Method=RADIUS (radius)
000866: 49w2d: AAA/AUTHOR (3084441039): Post authorization status = FAIL
000867: 49w2d: AAA/AUTHOR/EXEC: Authorization FAILED
LmUt-c3560-Tower-RM(config)#
000868: 49w2d: AAA/MEMORY: free_user (0x27000E8) user='kenny.sallee' ruser='NULL' port='tty2' rem_addr='1.2.250.219' authen_type=ASCII service=LOGIN priv=1

What I expect to happen is that the user gets authenticated at privilege level 15 (and when I get this working, I am going to define privilege level 1 users). This works for some devices, but not others (it seems to be the older versions of code where it does not work).

If I change this

aaa authorization exec default group RADIUS if-authenticated

to

aaa authorization exec default if-authenticated

I can at least get authorized via SSH/Telnet; however, all logins are at privilege level 1 (vs. 15 coming from the RADIUS server).

Any pointers?

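The exchange the switch is waiting for, as an added example that is not part of the original post and not taken from Steel-Belted Radius or Cisco code: a minimal RFC 2865 Access-Accept built the way IOS reads it for exec authorization. The exec privilege level travels in the Cisco vendor-specific attribute (attribute 26, Vendor-Id 9, vendor type 1, Cisco-AVPair) as the string shell:priv-lvl=15, while Service-Type is the standard RADIUS attribute 6 (NAS-Prompt-User = 7 or Administrative-User = 6) rather than a Cisco AV pair. The receiving side also does what the NAS does before trusting any attribute: it recomputes the Response Authenticator, MD5(Code + ID + Length + RequestAuth + Attributes + Secret), and silently drops a reply that does not match, which is why a shared-key mismatch between the switch and the server shows up as the reply being ignored rather than as a key error. The shared secret, identifier and request authenticator below are constructed for the example; the parsing functions are my own, not a library API.

```python
import hashlib
import hmac
import struct

# RFC 2865 packet codes, attribute numbers and Service-Type values
ACCESS_ACCEPT = 2
ATTR_SERVICE_TYPE, ATTR_VENDOR_SPECIFIC = 6, 26
SERVICE_TYPE_ADMINISTRATIVE, SERVICE_TYPE_NAS_PROMPT = 6, 7
CISCO_VENDOR_ID, CISCO_AVPAIR = 9, 1          # Cisco VSA: vendor 9, sub-type 1

# Constructed for the example: the shared key configured on both ends and the
# Request Authenticator the switch put in its Access-Request (random in practice).
SECRET = b"example-shared-key"
REQUEST_AUTHENTICATOR = bytes(range(16))


def attr(atype, value):
    """One RADIUS attribute TLV: Type, Length (incl. the 2 header bytes), Value."""
    return struct.pack("!BB", atype, len(value) + 2) + value


def cisco_avpair(text):
    """Vendor-Specific attribute carrying one Cisco-AVPair string."""
    sub = struct.pack("!BB", CISCO_AVPAIR, len(text) + 2) + text.encode()
    return attr(ATTR_VENDOR_SPECIFIC, struct.pack("!I", CISCO_VENDOR_ID) + sub)


def build_access_accept(identifier, request_auth, secret, priv_lvl,
                        service_type=SERVICE_TYPE_NAS_PROMPT):
    """Server side: Access-Accept granting an exec shell at priv_lvl."""
    attrs = (attr(ATTR_SERVICE_TYPE, struct.pack("!I", service_type))
             + cisco_avpair(f"shell:priv-lvl={priv_lvl}"))
    header = struct.pack("!BBH", ACCESS_ACCEPT, identifier, 20 + len(attrs))
    # Response Authenticator = MD5(Code|ID|Length|RequestAuth|Attributes|Secret)
    resp_auth = hashlib.md5(header + request_auth + attrs + secret).digest()
    return header + resp_auth + attrs


def parse_attributes(raw):
    """Walk the attribute TLVs; collect Service-Type and any Cisco AV pairs."""
    out = {"service_type": None, "avpairs": []}
    i = 0
    while i < len(raw):
        atype, alen = raw[i], raw[i + 1]
        if alen < 2 or i + alen > len(raw):
            raise ValueError("malformed attribute length")
        val = raw[i + 2:i + alen]
        if atype == ATTR_SERVICE_TYPE:
            out["service_type"] = struct.unpack("!I", val)[0]
        elif atype == ATTR_VENDOR_SPECIFIC:
            vendor = struct.unpack("!I", val[:4])[0]
            j = 4
            while j < len(val):
                vtype, vlen = val[j], val[j + 1]
                if vlen < 2 or j + vlen > len(val):
                    raise ValueError("malformed VSA length")
                if vendor == CISCO_VENDOR_ID and vtype == CISCO_AVPAIR:
                    out["avpairs"].append(val[j + 2:j + vlen].decode())
                j += vlen
        i += alen
    return out


def verify_and_parse(packet, request_auth, secret):
    """NAS side: check the Response Authenticator first; None means 'discard'."""
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    resp_auth, attrs = packet[4:20], packet[20:length]
    expected = hashlib.md5(packet[:4] + request_auth + attrs + secret).digest()
    if not hmac.compare_digest(expected, resp_auth):
        return None                      # RFC 2865: silently discard the reply
    return {"code": code, "id": identifier, **parse_attributes(attrs)}


def exec_priv_level(parsed):
    """Privilege level from shell:priv-lvl=N, or None when the AV pair is absent."""
    for pair in parsed["avpairs"]:
        if pair.startswith("shell:priv-lvl="):
            return int(pair.split("=", 1)[1])
    return None


if __name__ == "__main__":
    pkt = build_access_accept(7, REQUEST_AUTHENTICATOR, SECRET, 15)
    print(verify_and_parse(pkt, REQUEST_AUTHENTICATOR, SECRET))
    print(verify_and_parse(pkt, REQUEST_AUTHENTICATOR, b"wrong-key"))
```

Running it prints the decoded attributes for the good key and None for the wrong one, which is the behaviour to keep in mind when an Access-Accept the server logs as sent never produces a priv-lvl on the switch: debug radius on the IOS side will show whether the reply was received and accepted or dropped.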