We recently updated the Firmware on our RV340W from 1.0.01.18 to 1.0.03.15.
Ever since, we cannot verify our VPN (or WebUI) users using the RADIUS server. It seems to authenticate with the RADIUS server OK, but the router fails to allow access.
Anything we could be missing?
Thanks in advance,
A little further information - from the logs, the RADIUS authentication is working, but then for some reason it is feeling the need to authenticate with the localDB too:
2019-Jul-11, 12:25:09 UTC error user jsonrpc: Last message 'User peter login fai' repeated 1 times, supressed by syslog-ng on router4506C2
2019-Jul-11, 12:24:54 UTC info system <Email Sent about failure>
2019-Jul-11, 12:24:54 UTC error user jsonrpc: User peter login fail from 192.168.0.146
2019-Jul-11, 12:24:54 UTC error user weblogin: Localdb:authorization failed as group is NULL
2019-Jul-11, 12:24:54 UTC info user weblogin: pam_radius_auth: User peter authentication succeeded
Any ideas please?
Following input from Cisco Support, the RADIUS Server client needs to return an additional Attribute 'Class', the value of which needs to correspond to a User Group defined in the Router UI.
This caused a further headache for us because our RADIUS Server doesn't support sending attributes back. We have had to use Windows Servers' built in RADIUS Server to forward the request on to our existing provider and append the relevant attribute to the reply.
I have to say this - please can this stuff be documented somewhere?! We've lost countless hours to this - as have Cisco support having to reproduce and get us the answer.
I have the same issue. Can you please share your conf, where and how you added that Class? Thank you.
Hi, we found how to fix that issue.
First, we need to go to the groups in Cisco, then you need to create a group, let's say with the name readonlygroup, and on this group we need to select a permission, let's say read-only with login, or whatever.
Then we need to go to users in RADIUS, and the settings should be as follows:
# FreeRADIUS "users" file entry: the check item is on the first line, the reply items are indented below it
Userreadonly    Cleartext-Password := "passreadonly"
        Service-Type = NAS-Prompt-User,
        Class = readonlygroup,
        Cisco-AVPair = "shell:roles=network-admin vdc-admin vdc-operator"
The most important setting is Class = readonlygroup; that Class says which group the user should be assigned to.
If your group in Cisco has the name GROUPEXAMPLE, you need to change it to Class = GROUPEXAMPLE.
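As an added example (not code from this thread, from Cisco or from FreeRADIUS), here is a small Python script that builds and inspects RADIUS Access-Accept packets as laid out in RFC 2865. It shows the two situations discussed in this thread: the upstream server's reply that contains no Class attribute, which the router maps to no group (the "group is NULL" failure in the logs above), and the same reply after an intermediate RADIUS server appends Class = readonlygroup and recomputes the Response Authenticator, which is what the Windows RADIUS forwarding setup in the earlier post and the FreeRADIUS users entry above achieve. The shared secret, Request Authenticator, identifier and group names are constructed values, and router_group_for only imitates the router's Class-to-group lookup; it is not Cisco's code.

```python
"""Build and inspect RADIUS (RFC 2865) Access-Accept packets to show why the
RV340W needs a Class attribute that names one of its locally defined groups.
Example code; not from the thread, Cisco or FreeRADIUS."""
import hashlib
import hmac
import os
import struct

ACCESS_ACCEPT = 2
ATTR_SERVICE_TYPE = 6          # RFC 2865 Service-Type
ATTR_CLASS = 25                # RFC 2865 Class (opaque bytes, echoed by the NAS)
ATTR_VENDOR_SPECIFIC = 26      # RFC 2865 Vendor-Specific
CISCO_VENDOR_ID = 9
CISCO_AVPAIR = 1               # vendor type of Cisco-AVPair inside the VSA
SERVICE_TYPE_NAS_PROMPT_USER = 7


def attr(type_, value):
    """Encode one attribute as Type (1 byte), Length (1 byte), Value."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", type_, len(value) + 2) + value


def cisco_avpair(text):
    """Cisco-AVPair travels as a Vendor-Specific attribute wrapping vendor id 9."""
    inner = attr(CISCO_AVPAIR, text.encode())
    return attr(ATTR_VENDOR_SPECIFIC, struct.pack("!I", CISCO_VENDOR_ID) + inner)


def build_response(code, ident, request_auth, attrs, secret):
    """Assemble Code|ID|Length|ResponseAuth|Attributes, where
    ResponseAuth = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    resp_auth = hashlib.md5(header + request_auth + attrs + secret).digest()
    return header + resp_auth + attrs


def verify_response(packet, request_auth, secret):
    """First thing the NAS does: check the reply came from its configured server."""
    header, resp_auth, attrs = packet[:4], packet[4:20], packet[20:]
    expected = hashlib.md5(header + request_auth + attrs + secret).digest()
    return hmac.compare_digest(expected, resp_auth)


def parse_attrs(packet):
    """Return [(type, value), ...] for the top-level attributes of a packet."""
    data, out = packet[20:], []
    while data:
        if len(data) < 2 or data[1] < 2 or data[1] > len(data):
            raise ValueError("malformed attribute")
        out.append((data[0], data[2:data[1]]))
        data = data[data[1]:]
    return out


def router_group_for(packet, request_auth, secret, local_groups):
    """Imitation of the router's second step after pam_radius_auth succeeds:
    read the Class attribute and look it up among the groups defined in the UI.
    None corresponds to "Localdb:authorization failed as group is NULL"."""
    if not verify_response(packet, request_auth, secret):
        return None
    for type_, value in parse_attrs(packet):
        if type_ == ATTR_CLASS:
            group = value.decode("utf-8", errors="replace")
            return group if group in local_groups else None
    return None


def append_class(packet, request_auth, secret, group):
    """What the intermediate RADIUS server does: keep the upstream Access-Accept's
    attributes, add Class = <group>, then recompute the Response Authenticator
    with the secret shared with the router (an unsigned edit fails verification)."""
    code, ident = packet[0], packet[1]
    attrs = packet[20:] + attr(ATTR_CLASS, group.encode())
    return build_response(code, ident, request_auth, attrs, secret)


def demo():
    """Walk through the thread's cases with constructed values."""
    secret = b"constructed-shared-secret"     # constructed; the NAS/RADIUS shared secret
    request_auth = os.urandom(16)              # Request Authenticator the router sent
    local_groups = {"admin", "readonlygroup"}  # groups as defined in the router UI
    upstream_attrs = (attr(ATTR_SERVICE_TYPE, struct.pack("!I", SERVICE_TYPE_NAS_PROMPT_USER))
                      + cisco_avpair("shell:roles=network-admin vdc-admin vdc-operator"))
    # 1. The original provider accepts the user but sends no Class.
    bare = build_response(ACCESS_ACCEPT, 0x2A, request_auth, upstream_attrs, secret)
    # 2. The forwarding server appends Class = readonlygroup and re-signs.
    fixed = append_class(bare, request_auth, secret, "readonlygroup")
    # 3. A Class naming a group the router does not know is no better than none.
    unknown = append_class(bare, request_auth, secret, "nosuchgroup")
    return tuple(router_group_for(p, request_auth, secret, local_groups)
                 for p in (bare, fixed, unknown))


if __name__ == "__main__":
    print(demo())  # (None, 'readonlygroup', None)
```

Running the script prints (None, 'readonlygroup', None): the first and third replies authenticate fine at the RADIUS layer yet leave the router with no group to authorize, exactly the log pattern in the first post, and only the reply whose Class value matches a group spelled identically in the router UI gets through. Note that append_class has to know the secret shared between the forwarding server and the router, because the Response Authenticator covers the attributes; that is why the attribute must be added by a RADIUS server in the path rather than by patching packets.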