07-20-2020 08:35 AM
Hello.
I am having so many issues with RADIUS. Before, we just had a single RADIUS server with FreeRADIUS. I have set up a FreeRADIUS server on pfSense and am planning to make it redundant, but I'm getting authentication issues.
This is what we currently have:
aaa new-model
aaa authentication login default group radius local
aaa authorization exec default group radius if-authenticated
aaa accounting exec default start-stop group radius
aaa accounting commands 15 default stop-only group tacacs+
aaa accounting network default start-stop group tacacs+
aaa accounting system default start-stop group radius
radius-server host *HIDDEN* auth-port 1812 acct-port 1813 key *HIDDEN*
radius-server retransmit 3
I can kind of log in if I remove "aaa authorization exec default group radius if-authenticated", but I can't get to "enable".
So I know it connects to the RADIUS server and I can see the logs on there. Any ideas on how to resolve this?
07-20-2020 08:54 AM
01:09:00: AAA: parse name=tty1 idb type=-1 tty=-1
01:09:00: AAA: name=tty1 flags=0x11 type=5 shelf=0 slot=0 adapter=0 port=1 channel=0
01:09:00: AAA/MEMORY: create_user (0x80BB4A84) user='' ruser='' port='tty1' rem_addr='*HIDDEN*' authen_type=ASCII service=LOGIN priv=1
01:09:00: AAA/AUTHEN/START (3218174741): port='tty1' list='' action=LOGIN service=LOGIN
01:09:00: AAA/AUTHEN/START (3218174741): using "default" list
01:09:00: AAA/AUTHEN/START (3218174741): Method=radius (radius)
01:09:00: AAA/AUTHEN (3218174741): status = GETUSER
01:09:00: AAA/AUTHEN/CONT (3218174741): continue_login (user='(undef)')
01:09:00: AAA/AUTHEN (3218174741): status = GETUSER
01:09:00: AAA/AUTHEN (3218174741): Method=radius (radius)
01:09:00: AAA/AUTHEN (3218174741): status = GETPASS
01:09:00: AAA/AUTHEN/CONT (3218174741): continue_login (user='chris')
01:09:00: AAA/AUTHEN (3218174741): status = GETPASS
01:09:00: AAA/AUTHEN (3218174741): Method=radius (radius)
01:09:00: RADIUS: ustruct sharecount=1
01:09:00: RADIUS: Initial Transmit tty1 id 40 *HIDDEN*:1812, Access-Request, len 75
01:09:00: Attribute 4 6 0A090426
01:09:00: Attribute 5 6 00000001
01:09:00: Attribute 61 6 00000005
01:09:00: Attribute 1 7 63687269
01:09:00: Attribute 31 12 31302E39
01:09:00: Attribute 2 18 24EBE700
01:09:00: RADIUS: Received from id 40 *HIDDEN*:1812, Access-Accept, len 20
01:09:00: RADIUS: saved authorization data for user 80BB4A84 at 80D10B28
01:09:00: AAA/AUTHEN (3218174741): status = PASS
01:09:00: RADIUS: no appropriate authorization type for user.
01:09:02: AAA/MEMORY: free_user (0x80BB4A84) user='chris' ruser='' port='tty1' rem_addr='*HIDDEN*' authen_type=ASCII service=LOGIN priv=1
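Added example, not part of the original thread: the Access-Accept in the debug output above has len 20, which is exactly the size of the RADIUS header (RFC 2865), so the reply carried no attributes at all. The Python sketch below parses a RADIUS packet and reports the attributes commonly used to return exec authorization data to IOS (Service-Type and the Cisco vendor-specific av-pair); the function names, the sample packets and the `shell:priv-lvl=15` value are constructed for illustration.

```python
import struct

# RADIUS codes and the attributes relevant to exec authorization (RFC 2865).
CODES = {1: "Access-Request", 2: "Access-Accept", 3: "Access-Reject"}
SERVICE_TYPE = 6          # attribute 6, Service-Type
VENDOR_SPECIFIC = 26      # attribute 26, carries cisco-avpair (vendor 9, type 1)
HEADER_LEN = 20           # code(1) + id(1) + length(2) + authenticator(16)

def parse_radius(packet: bytes):
    """Return (code_name, identifier, [(type, value_bytes), ...])."""
    if len(packet) < HEADER_LEN:
        raise ValueError("shorter than the 20-byte RADIUS header")
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length < HEADER_LEN or length > len(packet):
        raise ValueError("bad length field")
    attrs, pos = [], HEADER_LEN
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        a_type, a_len = packet[pos], packet[pos + 1]
        if a_len < 2 or pos + a_len > length:
            raise ValueError("bad attribute length")
        attrs.append((a_type, packet[pos + 2:pos + a_len]))
        pos += a_len
    return CODES.get(code, f"code {code}"), ident, attrs

def exec_authz_data(packet: bytes):
    """Summarise what an Access-Accept offers for exec authorization."""
    name, _, attrs = parse_radius(packet)
    found = {"code": name, "service_type": None, "cisco_avpairs": []}
    for a_type, value in attrs:
        if a_type == SERVICE_TYPE and len(value) == 4:
            found["service_type"] = struct.unpack("!I", value)[0]
        elif a_type == VENDOR_SPECIFIC and len(value) >= 6:
            vendor, v_type, v_len = struct.unpack("!IBB", value[:6])
            if vendor == 9 and v_type == 1:
                found["cisco_avpairs"].append(value[6:4 + v_len].decode())
    return found

# Constructed samples (authenticator zeroed): a bare 20-byte accept like the one
# in the debug above, and one that also carries authorization attributes.
BARE_ACCEPT = struct.pack("!BBH", 2, 40, 20) + bytes(16)
avpair = b"shell:priv-lvl=15"
vsa = struct.pack("!BBIBB", 26, 8 + len(avpair), 9, 1, 2 + len(avpair)) + avpair
svc = struct.pack("!BBI", 6, 6, 6)   # Service-Type = 6 (Administrative)
FULL_ACCEPT = struct.pack("!BBH", 2, 40, 20 + len(svc) + len(vsa)) + bytes(16) + svc + vsa
```

Running `exec_authz_data` on a reply captured from the server shows at a glance whether it returned any authorization attributes or only the bare accept.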
07-20-2020 09:17 AM
You are getting an error: user has privilege 15?
RADIUS: no appropriate authorization type for user.
07-20-2020 09:24 AM
Nope, just
% Authorization failed.
07-20-2020 09:46 AM
What is the user privilege you are trying to test, before I go and look through each line of your config and log?
07-20-2020 11:06 PM
Doesn't give the option, but in the logs it does say priv=1