
Radius Authentication trouble (shell:priv-lvl=15)

Hello all!

I'm trying to configure Radius authentication for quite a few of my end devices, but I'm having some trouble. Authentication with my Radius server is working, but my login privilege level doesn't seem to work as intended.

To keep it simple and sweet, I can provide my config and debug output.

I'm not quite sure what's happening here, but I have two users who should have different login authorization levels. ng_natem should have lvl 15, and ng_support should have lvl 1. Each user is a part of a separate group within my Radius server, and I see that in the debug output.

The problem is that both users log in directly to enable mode. I'd like them to log in to their respective privilege level.

Could someone review my output, and see where I've gone astray?

Any input is very much appreciated! Thanks in advance,


!
aaa new-model
!
!
aaa group server radius echo
 server name echo
!
aaa authentication login default group radius local
aaa authorization exec default group radius local
aaa accounting system default start-stop group radius
!
!

Omitted

line vty 0 4
 session-timeout 60
 access-class 98 in
 exec-timeout 15 0
 session-disconnect-warning 1000
 logging synchronous level 4
 refuse-message ^C
You're not allowed
^C
 transport input telnet ssh
line vty 5 15
 transport input none
!


vpn#
048207: Jun 20 22:46:21.164 CST: %SSH-5-SSH2_SESSION: SSH2 Session request from 10.9.8.20 (tty = 1) using crypto cipher 'aes256-cbc', hmac 'hmac-sha1' Succeeded
vpn#
048208: Jun 20 22:46:30.148 CST: RADIUS/ENCODE(00000348): ask "Password: "
048209: Jun 20 22:46:30.148 CST: RADIUS/ENCODE(00000348): send packet; GET_PASSWORD
vpn#
048210: Jun 20 22:46:34.468 CST: RADIUS/ENCODE(00000348):Orig. component type = Exec
048211: Jun 20 22:46:34.468 CST: RADIUS/ENCODE(00000348): dropping service type, "radius-server attribute 6 on-for-login-auth" is off
048212: Jun 20 22:46:34.468 CST: RADIUS(00000348): Config NAS IP: 10.9.8.2
048213: Jun 20 22:46:34.468 CST: RADIUS(00000348): Config NAS IPv6: ::
048214: Jun 20 22:46:34.468 CST: RADIUS/ENCODE(00000348): acct_session_id: 830
048215: Jun 20 22:46:34.468 CST: RADIUS(00000348): sending
048216: Jun 20 22:46:34.468 CST: RADIUS: Long password processing
048217: Jun 20 22:46:34.468 CST: RADIUS(00000348): Send Access-Request to 10.9.8.20:1645 id 1645/181, len 88
048218: Jun 20 22:46:34.468 CST: RADIUS:  authenticator 14 E7 99 0E 59 EA DF 53 - FA 09 12 F6 D6 CE D4 7F
048219: Jun 20 22:46:34.468 CST: RADIUS:  User-Name           [1]   10  "ng_natem"
048220: Jun 20 22:46:34.468 CST: RADIUS:  User-Password       [2]   34  *
048221: Jun 20 22:46:34.468 CST: RADIUS:  NAS-Port            [5]   6   9
048222: Jun 20 22:46:34.468 CST: RADIUS:  NAS-Port-Id         [87]  6   "tty9"
048223: Jun 20 22:46:34.468 CST: RADIUS:  NAS-Port-Type       [61]  6   Virtual                   [5]
048224: Jun 20 22:46:34.468 CST: RADIUS:  NAS-IP-Address      [4]   6   10.9.8.2
048225: Jun 20 22:46:34.468 CST: RADIUS(00000348): Sending a IPv4 Radius Packet
048226: Jun 20 22:46:34.468 CST: RADIUS(00000348): Started 5 sec timeout
048227: Jun 20 22:46:34.484 CST: RADIUS: Received from id 1645/181 10.9.8.20:1645, Access-Accept, len 97
048228: Jun 20 22:46:34.484 CST: RADIUS:  authenticator 85 43 34 E4 87 AD 92 85 - 9C 37 AA 9A 55 D0 F7 60
048229: Jun 20 22:46:34.484 CST: RADIUS:  Service-Type        [6]   6   Administrative            [6]
048230: Jun 20 22:46:34.484 CST: RADIUS:  Class               [25]  46
vpn#
048231: Jun 20 22:46:34.484 CST: RADIUS:   84 50 07 50 00 00 01 37 00 01 02 00 0A 09 08 14 00 00 00 00 BD D9 BE 18 2E C6 4A 00 01 CF 8D 03 35 69 FA 41 00 00 00 00 00 00 00 02          [ PP7.J5iA]
048232: Jun 20 22:46:34.484 CST: RADIUS:  Vendor, Cisco       [26]  25
048233: Jun 20 22:46:34.484 CST: RADIUS:   Cisco AVpair       [1]   19  "shell:priv-lvl=15"
048234: Jun 20 22:46:34.488 CST: RADIUS(00000348): Received from id 1645/181
vpn#
048235: Jun 20 22:46:35.488 CST: %SSH-5-SSH2_USERAUTH: User 'ng_natem' authentication for SSH2 Session from 10.9.8.20 (tty = 1) using crypto cipher 'aes256-cbc', hmac 'hmac-sha1' Succeeded
vpn#
048236: Jun 20 22:46:51.988 CST: %SSH-5-SSH2_CLOSE: SSH2 Session from 10.9.8.20 (tty = 1) for user 'ng_natem' using crypto cipher 'aes256-cbc', hmac 'hmac-sha1' closed
vpn#
048237: Jun 20 22:46:56.944 CST: %SSH-5-SSH2_SESSION: SSH2 Session request from 10.9.8.20 (tty = 1) using crypto cipher 'aes256-cbc', hmac 'hmac-sha1' Succeeded
vpn#
048238: Jun 20 22:47:02.100 CST: RADIUS/ENCODE(00000349): ask "Password: "
048239: Jun 20 22:47:02.100 CST: RADIUS/ENCODE(00000349): send packet; GET_PASSWORD
vpn#
048240: Jun 20 22:47:04.912 CST: RADIUS/ENCODE(00000349):Orig. component type = Exec
048241: Jun 20 22:47:04.912 CST: RADIUS/ENCODE(00000349): dropping service type, "radius-server attribute 6 on-for-login-auth" is off
048242: Jun 20 22:47:04.912 CST: RADIUS(00000349): Config NAS IP: 10.9.8.2
048243: Jun 20 22:47:04.912 CST: RADIUS(00000349): Config NAS IPv6: ::
048244: Jun 20 22:47:04.912 CST: RADIUS/ENCODE(00000349): acct_session_id: 831
048245: Jun 20 22:47:04.912 CST: RADIUS(00000349): sending
048246: Jun 20 22:47:04.916 CST: RADIUS(00000349): Send Access-Request to 10.9.8.20:1645 id 1645/182, len 74
048247: Jun 20 22:47:04.916 CST: RADIUS:  authenticator D7 D4 89 BE 2B 51 35 80 - F6 6C A8 A1 99 5B 7B BE
048248: Jun 20 22:47:04.916 CST: RADIUS:  User-Name           [1]   12  "ng_support"
048249: Jun 20 22:47:04.916 CST: RADIUS:  User-Password       [2]   18  *
048250: Jun 20 22:47:04.916 CST: RADIUS:  NAS-Port            [5]   6   9
048251: Jun 20 22:47:04.916 CST: RADIUS:  NAS-Port-Id         [87]  6   "tty9"
048252: Jun 20 22:47:04.916 CST: RADIUS:  NAS-Port-Type       [61]  6   Virtual                   [5]
048253: Jun 20 22:47:04.916 CST: RADIUS:  NAS-IP-Address      [4]   6   10.9.8.2
048254: Jun 20 22:47:04.916 CST: RADIUS(00000349): Sending a IPv4 Radius Packet
048255: Jun 20 22:47:04.916 CST: RADIUS(00000349): Started 5 sec timeout
048256: Jun 20 22:47:04.916 CST: RADIUS: Received from id 1645/182 10.9.8.20:1645, Access-Accept, len 96
048257: Jun 20 22:47:04.920 CST: RADIUS:  authenticator E3 8D 64 01 69 F3 5B 55 - 8E 64 D9 EC FB F1 05 56
048258: Jun 20 22:47:04.920 CST: RADIUS:  Service-Type        [6]   6   Administrative            [6]
048259: Jun 20 22:47:04.920 CST: RADIUS:  Class               [25]  46
vpn#
048260: Jun 20 22:47:04.920 CST: RADIUS:   84 51 07 51 00 00 01 37 00 01 02 00 0A 09 08 14 00 00 00 00 BD D9 BE 18 2E C6 4A 00 01 CF 8D 03 35 69 FA 41 00 00 00 00 00 00 00 03          [ QQ7.J5iA]
048261: Jun 20 22:47:04.920 CST: RADIUS:  Vendor, Cisco       [26]  24
048262: Jun 20 22:47:04.920 CST: RADIUS:   Cisco AVpair       [1]   18  "shell:priv-lvl=1"
048263: Jun 20 22:47:04.920 CST: RADIUS(00000349): Received from id 1645/182
048264: Jun 20 22:47:05.920 CST: %SSH-5-SSH2_USERAUTH: User 'ng_support' authentication for SSH2 Session from 10.9.8.20 (tty = 1) using crypto cipher 'aes256-cbc', hmac 'hmac-sha1' Succeeded
vpn#
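The debug above is worth reading attribute by attribute: both Access-Accepts carry Service-Type Administrative [6], and only the Cisco AVpair differs (shell:priv-lvl=15 versus shell:priv-lvl=1). On IOS with "aaa authorization exec ... group radius", Service-Type Administrative is the attribute that authorizes privileged EXEC, so a reply that pairs it with a lower priv-lvl is internally contradictory and is exactly the kind of mismatch to look for when a low-privilege account lands in enable mode. The following Python script is an added example, not part of the original post or of Cisco's tooling: it parses "debug radius" output of the shape shown above, groups attributes by RADIUS session id, and flags Access-Accepts in which Service-Type Administrative is combined with a priv-lvl other than 15 (or with no priv-lvl at all). The log lines embedded in it are a constructed, shortened sample modelled on the post's output, and the session and user names are assumptions taken from it.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed sample shaped like the "debug radius" output in the post:
# two SSH logins, two users, both answered with Service-Type Administrative.
SAMPLE_DEBUG = """\
048217: Jun 20 22:46:34.468 CST: RADIUS(00000348): Send Access-Request to 10.9.8.20:1645 id 1645/181, len 88
048219: Jun 20 22:46:34.468 CST: RADIUS:  User-Name           [1]   10  "ng_natem"
048227: Jun 20 22:46:34.484 CST: RADIUS: Received from id 1645/181 10.9.8.20:1645, Access-Accept, len 97
048229: Jun 20 22:46:34.484 CST: RADIUS:  Service-Type        [6]   6   Administrative            [6]
048233: Jun 20 22:46:34.484 CST: RADIUS:   Cisco AVpair       [1]   19  "shell:priv-lvl=15"
048246: Jun 20 22:47:04.916 CST: RADIUS(00000349): Send Access-Request to 10.9.8.20:1645 id 1645/182, len 74
048248: Jun 20 22:47:04.916 CST: RADIUS:  User-Name           [1]   12  "ng_support"
048256: Jun 20 22:47:04.916 CST: RADIUS: Received from id 1645/182 10.9.8.20:1645, Access-Accept, len 96
048258: Jun 20 22:47:04.920 CST: RADIUS:  Service-Type        [6]   6   Administrative            [6]
048262: Jun 20 22:47:04.920 CST: RADIUS:   Cisco AVpair       [1]   18  "shell:priv-lvl=1"
"""

# Session id appears as RADIUS(0000xxxx) or RADIUS/ENCODE(0000xxxx); attribute
# lines that follow ("RADIUS:  ...") belong to the most recent session seen.
SID_RE = re.compile(r"RADIUS(?:/ENCODE)?\((?P<sid>[0-9A-Fa-f]+)\)")
REPLY_RE = re.compile(r"Received from id \S+ \S+, (?P<code>Access-\w+)")
USER_RE = re.compile(r'User-Name\s+\[1\]\s+\d+\s+"(?P<user>[^"]*)"')
STYPE_RE = re.compile(r"Service-Type\s+\[6\]\s+\d+\s+(?P<name>\S+)\s+\[(?P<code>\d+)\]")
AVPAIR_RE = re.compile(r'Cisco AVpair\s+\[1\]\s+\d+\s+"(?P<av>[^"]*)"')
PRIV_RE = re.compile(r"shell:priv-lvl=(?P<lvl>\d+)")

SERVICE_TYPE_ADMINISTRATIVE = 6  # RFC 2865 Service-Type value "Administrative-User"


@dataclass
class Session:
    sid: str
    user: Optional[str] = None
    reply_code: Optional[str] = None
    service_type: Optional[str] = None
    service_type_code: Optional[int] = None
    priv_lvl: Optional[int] = None
    avpairs: List[str] = field(default_factory=list)


def parse_debug(text: str) -> Dict[str, Session]:
    """Group debug-radius lines into per-session records keyed by session id."""
    sessions: Dict[str, Session] = {}
    current: Optional[Session] = None
    for line in text.splitlines():
        if m := SID_RE.search(line):
            current = sessions.setdefault(m["sid"], Session(m["sid"]))
        if current is None:
            continue  # attribute line before any session id: nothing to attach it to
        if m := REPLY_RE.search(line):
            current.reply_code = m["code"]
        elif m := USER_RE.search(line):
            current.user = m["user"]
        elif m := STYPE_RE.search(line):
            current.service_type = m["name"]
            current.service_type_code = int(m["code"])
        elif m := AVPAIR_RE.search(line):
            current.avpairs.append(m["av"])
            if p := PRIV_RE.search(m["av"]):
                current.priv_lvl = int(p["lvl"])
    return sessions


def check_privilege(sessions: Dict[str, Session]) -> List[Tuple[str, str]]:
    """Return (user, reason) for accepted sessions whose privilege attributes disagree."""
    findings: List[Tuple[str, str]] = []
    for s in sessions.values():
        if s.reply_code != "Access-Accept":
            continue  # rejects and challenges grant nothing, so nothing to check
        if s.service_type_code != SERVICE_TYPE_ADMINISTRATIVE:
            continue
        if s.priv_lvl is None:
            findings.append((s.user or s.sid,
                             "Service-Type Administrative [6] with no shell:priv-lvl AV pair"))
        elif s.priv_lvl != 15:
            findings.append((s.user or s.sid,
                             f"Service-Type Administrative [6] sent with shell:priv-lvl={s.priv_lvl}"))
    return findings


if __name__ == "__main__":
    parsed = parse_debug(SAMPLE_DEBUG)
    for sid, s in parsed.items():
        print(f"{sid}: user={s.user} reply={s.reply_code} "
              f"service_type={s.service_type} priv_lvl={s.priv_lvl}")
    for user, reason in check_privilege(parsed):
        print(f"REVIEW {user}: {reason}")
```

Run it against a saved "debug radius" capture by replacing SAMPLE_DEBUG with the file contents; on the sample it reports only ng_support, whose Access-Accept combines Administrative with priv-lvl=1. The same parser can be pointed at a RADIUS server's own accounting or policy logs once you know which policy emitted the Service-Type, which is the next place to look when the device side of the configuration is already correct.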


1 Reply

Figured it out!


For those who come after me, check this tutorial out:

http://blog.skufel.net/2012/06/how-to-integrating-cisco-devices-access-with-microsoft-npsradius/


My problem was related to both my IOS and RADIUS server config.

As soon as I followed that guide, all worked as I had intended.


Best of luck!

- Nate Mellendorf
