Radius Authentication

CobbyJ
Level 1

Hello.

 

I am having so many issues with RADIUS. Before, we just had a single RADIUS server with FreeRADIUS. I have set up a FreeRADIUS server on pfSense and am planning to make it redundant, but I'm getting authentication issues.

This is what we currently have:

 

aaa new-model
aaa authentication login default group radius local
aaa authorization exec default group radius if-authenticated
aaa accounting exec default start-stop group radius
aaa accounting commands 15 default stop-only group tacacs+
aaa accounting network default start-stop group tacacs+
aaa accounting system default start-stop group radius
radius-server host *HIDDEN* auth-port 1812 acct-port 1813 key *HIDDEN*
radius-server retransmit 3

 

I can kind of log in if I remove "aaa authorization exec default group radius if-authenticated", but I can't get to "enable".

So I know it connects to the RADIUS server and I can see the logs on there - any ideas on how to resolve this?

 

5 Replies

CobbyJ
Level 1

01:09:00: AAA: parse name=tty1 idb type=-1 tty=-1
01:09:00: AAA: name=tty1 flags=0x11 type=5 shelf=0 slot=0 adapter=0 port=1 channel=0
01:09:00: AAA/MEMORY: create_user (0x80BB4A84) user='' ruser='' port='tty1' rem_addr='*HIDDEN*' authen_type=ASCII service=LOGIN priv=1
01:09:00: AAA/AUTHEN/START (3218174741): port='tty1' list='' action=LOGIN service=LOGIN
01:09:00: AAA/AUTHEN/START (3218174741): using "default" list
01:09:00: AAA/AUTHEN/START (3218174741): Method=radius (radius)
01:09:00: AAA/AUTHEN (3218174741): status = GETUSER
01:09:00: AAA/AUTHEN/CONT (3218174741): continue_login (user='(undef)')
01:09:00: AAA/AUTHEN (3218174741): status = GETUSER
01:09:00: AAA/AUTHEN (3218174741): Method=radius (radius)
01:09:00: AAA/AUTHEN (3218174741): status = GETPASS
01:09:00: AAA/AUTHEN/CONT (3218174741): continue_login (user='chris')
01:09:00: AAA/AUTHEN (3218174741): status = GETPASS
01:09:00: AAA/AUTHEN (3218174741): Method=radius (radius)
01:09:00: RADIUS: ustruct sharecount=1
01:09:00: RADIUS: Initial Transmit tty1 id 40 *HIDDEN*:1812, Access-Request, len 75
01:09:00: Attribute 4 6 0A090426
01:09:00: Attribute 5 6 00000001
01:09:00: Attribute 61 6 00000005
01:09:00: Attribute 1 7 63687269
01:09:00: Attribute 31 12 31302E39
01:09:00: Attribute 2 18 24EBE700
01:09:00: RADIUS: Received from id 40 *HIDDEN*:1812, Access-Accept, len 20
01:09:00: RADIUS: saved authorization data for user 80BB4A84 at 80D10B28
01:09:00: AAA/AUTHEN (3218174741): status = PASS
01:09:00: RADIUS: no appropriate authorization type for user.
01:09:02: AAA/MEMORY: free_user (0x80BB4A84) user='chris' ruser='' port='tty1' rem_addr='*HIDDEN*' authen_type=ASCII service=LOGIN priv=1

You getting error: user has privilege 15?

 

RADIUS: no appropriate authorization type for user.

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

Nope just

 

% Authorization failed.

What is the user privilege you are trying to test, before I go and look at each line of your config and log?

BB


Doesn't give the option, but in the logs it does say priv=1
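
Added example, not part of the thread and not Cisco or FreeRADIUS code: a Python reader for the RADIUS lines of the debug output posted earlier in the thread. It checks each packet's `len` against the fixed 20-byte RADIUS header, which shows that the Access-Request attributes account for all 75 bytes while the Access-Accept is header-only, so the reply carried no attributes (such as Service-Type) before the router logged "no appropriate authorization type for user". The function names are hypothetical; attribute names follow RFC 2865.

```python
import re

# Constructed sample: RADIUS lines copied from the debug output posted in the thread.
DEBUG = """\
01:09:00: RADIUS: Initial Transmit tty1 id 40 *HIDDEN*:1812, Access-Request, len 75
01:09:00: Attribute 4 6 0A090426
01:09:00: Attribute 5 6 00000001
01:09:00: Attribute 61 6 00000005
01:09:00: Attribute 1 7 63687269
01:09:00: Attribute 31 12 31302E39
01:09:00: Attribute 2 18 24EBE700
01:09:00: RADIUS: Received from id 40 *HIDDEN*:1812, Access-Accept, len 20
01:09:00: RADIUS: no appropriate authorization type for user.
"""

HEADER_LEN = 20  # RFC 2865: code(1) + identifier(1) + length(2) + authenticator(16)
NAMES = {1: "User-Name", 2: "User-Password", 4: "NAS-IP-Address", 5: "NAS-Port",
         6: "Service-Type", 31: "Calling-Station-Id", 61: "NAS-Port-Type"}

PKT = re.compile(r"RADIUS: (?:Initial Transmit|Received from) .*?id (\d+) .*?, ([\w-]+), len (\d+)")
ATTR = re.compile(r"Attribute (\d+) (\d+) ([0-9A-Fa-f]+)")  # type, length, leading value bytes

def parse(text):
    """Return packets as dicts; attrs is a list of (type, name, attribute length)."""
    packets = []
    for line in text.splitlines():
        m = PKT.search(line)
        if m:
            packets.append({"id": int(m[1]), "code": m[2], "len": int(m[3]), "attrs": []})
            continue
        m = ATTR.search(line)
        if m and packets:  # attribute lines belong to the packet printed just before them
            t = int(m[1])
            packets[-1]["attrs"].append((t, NAMES.get(t, "attr-%d" % t), int(m[2])))
    return packets

def review(packets):
    """Per packet: (code, attribute bytes beyond the header, attribute names listed)."""
    return [(p["code"], p["len"] - HEADER_LEN, [n for _, n, _ in p["attrs"]]) for p in packets]

if __name__ == "__main__":
    for code, nbytes, names in review(parse(DEBUG)):
        print(f"{code}: {nbytes} attribute bytes {names}")
        if code == "Access-Accept" and "Service-Type" not in names:
            print("  accept carries no Service-Type for exec authorization to use")
```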
