IOS-XR RADIUS cisco-avpair shell attributes not processed

Jarred Rollins
Level 1

Trying to set up RADIUS for shell/exec authentication on an IOS-XR 9001 router running 5.3.2. Configured our FreeRADIUS server to pass back a second optional cisco-avpair attribute with full privilege shell:task*#root-system,#cisco-support in addition to the normal shell:priv-lvl=15 we send to IOS devices.

I am able to successfully authenticate, and I believe the RADIUS server is returning the correct cisco-avpair strings; however, RADIUS debugs on XR indicate that neither cisco-avpair line is parsed/processed properly, so I am not given the appropriate authorization level.

RP/0/RSP0/CPU0:Mar 14 14:58:20.728 CDT: radiusd[1130]: RADIUS: Received from id 23 [IP]:[Port], Access-Accept, len 132
RP/0/RSP0/CPU0:Mar 14 14:58:20.728 CDT: radiusd[1130]: RADIUS: authenticator 43 7A A2 B0 09 27 62 B3 - D5 5B 5D B2 19 23 2B 39
RP/0/RSP0/CPU0:Mar 14 14:58:20.728 CDT: radiusd[1130]: RADIUS: Service-Type [6] 6 NAS Prompt[0]
RP/0/RSP0/CPU0:Mar 14 14:58:20.729 CDT: radiusd[1130]: RADIUS: Reply-Message [18] 35 47 72 65 65 74 69 6e 67 73 20 4c 69 67 68 74 45
RP/0/RSP0/CPU0:Mar 14 14:58:20.729 CDT: radiusd[1130]: RADIUS: 64 67 65 20 41 64 6d 69 6e 69 73 74 72 61 74 6f
RP/0/RSP0/CPU0:Mar 14 14:58:20.729 CDT: radiusd[1130]: RADIUS: 72
RP/0/RSP0/CPU0:Mar 14 14:58:20.729 CDT: radiusd[1130]: RADIUS: Vendor,Cisco [26] 25
RP/0/RSP0/CPU0:Mar 14 14:58:20.729 CDT: radiusd[1130]: RADIUS: Cisco AVpair [1] 19 shell:priv-lvl=15
RP/0/RSP0/CPU0:Mar 14 14:58:20.729 CDT: radiusd[1130]: RADIUS: Vendor,Cisco [26] 46
RP/0/RSP0/CPU0:Mar 14 14:58:20.729 CDT: radiusd[1130]: RADIUS: Cisco AVpair [1] 40 shell:task*#root-system,#cisco-support
RP/0/RSP0/CPU0:Mar 14 14:58:20.729 CDT: radiusd[1130]: Freeing server group transaction_id (FA000013)
RP/0/RSP0/CPU0:Mar 14 14:58:20.729 CDT: radiusd[1130]: pack_length = 132 radius_len = 132
RP/0/RSP0/CPU0:Mar 14 14:58:20.729 CDT: radiusd[1130]: Calling app inf callback
RP/0/RSP0/CPU0:Mar 14 14:58:20.729 CDT: radiusd[1130]: IETF attr 6 6 1: 7
RP/0/RSP0/CPU0:Mar 14 14:58:20.729 CDT: radiusd[1130]: Choosing 'shell' proto for service login
RP/0/RSP0/CPU0:Mar 14 14:58:20.729 CDT: radiusd[1130]: IETF attr 18 35 0: 47726565
RP/0/RSP0/CPU0:Mar 14 14:58:20.729 CDT: radiusd[1130]: Choosing 'shell' proto for service login
RP/0/RSP0/CPU0:Mar 14 14:58:20.729 CDT: radiusd[1130]: Bad attr (radius_net_author: unsupported): type=Reply-Message len=35
RP/0/RSP0/CPU0:Mar 14 14:58:20.729 CDT: radiusd[1130]: VSA attr 26 25 -1: 9
RP/0/RSP0/CPU0:Mar 14 14:58:20.729 CDT: radiusd[1130]: Choosing 'shell' proto for service login
RP/0/RSP0/CPU0:Mar 14 14:58:20.729 CDT: radiusd[1130]: buffer [shell:priv-lvl=15] len 17 ret value 2
RP/0/RSP0/CPU0:Mar 14 14:58:20.729 CDT: radiusd[1130]: protocol_type_ord [shell:priv-lvl] separator [=] char_read_so_far 15
RP/0/RSP0/CPU0:Mar 14 14:58:20.729 CDT: radiusd[1130]: protocol [shell] colon[:] type_ord priv-lvl ret 3
RP/0/RSP0/CPU0:Mar 14 14:58:20.729 CDT: radiusd[1130]: VSA attr 26 46 -1: 9
RP/0/RSP0/CPU0:Mar 14 14:58:20.729 CDT: radiusd[1130]: Choosing 'shell' proto for service login
RP/0/RSP0/CPU0:Mar 14 14:58:20.729 CDT: radiusd[1130]: buffer [shell:task*#root-system,#cisco-support] len 38 ret value 2
RP/0/RSP0/CPU0:Mar 14 14:58:20.729 CDT: radiusd[1130]: protocol_type_ord [shell:task] separator [*] char_read_so_far 11
RP/0/RSP0/CPU0:Mar 14 14:58:20.729 CDT: radiusd[1130]: protocol [shell] colon[:] type_ord task ret 3
RP/0/RSP0/CPU0:Mar 14 14:58:20.729 CDT: radiusd[1130]: Type field missing in the attr ,Ignoring the Attribute shell:task*#root-system,#cisco-support
RP/0/RSP0/CPU0:Mar 14 14:58:20.730 CDT: radiusd[1130]: No appropriate authorization type for user

Can anyone tell me what I'm doing wrong here?

Relevant ASR config:

radius-server vsa attribute ignore unknown
radius-server key 7 [key]
radius-server timeout 5
aaa group server radius radius-vty
  server-private [IP] auth-port 2812 acct-port 2813
  server-private [IP] auth-port 2812 acct-port 2813
  source-interface Loopback5
aaa authentication login default local group radius-vty
aaa authorization exec default local group radius-vty

-Jarred

2 Replies

Jarred Rollins
Level 1

Update: The issue was the string being sent. I was missing an s: I had task instead of tasks. Once that was updated, debugs still showed "No appropriate authorization type for user", but I was able to log on to the 9001, and show user group gave the correct task groups for my RADIUS userid.
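The debug output in the original post shows how the XR radiusd splits each cisco-avpair into protocol, type, separator and value before deciding whether it knows the type. The following is an added example (not part of this thread or of any Cisco code) that mirrors that breakdown so a string can be checked before it is put into a FreeRADIUS users file; the set of accepted shell types and the "#taskgroup" value format are taken only from what this thread shows working, so treat them as assumptions rather than a complete list.

```python
"""Check Cisco AV-pair strings the way the IOS-XR radiusd debug above
breaks them down: protocol, colon, type, separator ('=' or '*'), value."""
import re
from typing import NamedTuple, Optional

# Assumption: only the shell types this thread shows XR accepting.
# 'task' (no s) is deliberately absent; that is the typo from the post.
KNOWN_SHELL_TYPES = {"priv-lvl", "tasks"}

# Cisco AV-pair convention: '=' marks a mandatory attribute, '*' an optional one.
_AVPAIR_RE = re.compile(r"^(?P<proto>[^:]+):(?P<type>[^=*]+)(?P<sep>[=*])(?P<value>.*)$")


class AVPair(NamedTuple):
    protocol: str
    attr_type: str
    separator: str
    value: str


def parse_avpair(s: str) -> Optional[AVPair]:
    """Split 'proto:type<sep>value'; None when the type field is missing."""
    m = _AVPAIR_RE.match(s)
    if not m:
        return None
    return AVPair(m["proto"], m["type"], m["sep"], m["value"])


def check_shell_avpair(s: str) -> str:
    """Return 'ok', or a reason the router would ignore the attribute."""
    p = parse_avpair(s)
    if p is None:
        return "type field missing"
    if p.protocol != "shell":
        return f"protocol {p.protocol!r} is not a shell attribute"
    if p.attr_type not in KNOWN_SHELL_TYPES:
        return f"unknown type {p.attr_type!r}; known: {sorted(KNOWN_SHELL_TYPES)}"
    if p.attr_type == "priv-lvl" and not (p.value.isdigit() and 0 <= int(p.value) <= 15):
        return f"priv-lvl must be 0-15, got {p.value!r}"
    if p.attr_type == "tasks":
        # Assumption from the thread's working value: comma-separated task groups, each '#'-prefixed.
        groups = p.value.split(",")
        bad = [g for g in groups if not re.fullmatch(r"#[A-Za-z0-9_-]+", g)]
        if bad:
            return f"bad task group(s) {bad}; expected '#name' entries"
    return "ok"


if __name__ == "__main__":
    # Constructed inputs: the strings from the post, then the corrected one.
    for s in ("shell:priv-lvl=15", "shell:task*#root-system,#cisco-support",
              "shell:tasks*#root-system,#cisco-support"):
        print(f"{s:45} -> {check_shell_avpair(s)}")
```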

Hi Jarred,

It may be better to reverse the group ordering: first try group radius-vty, then local.

The authorization locally always succeeds, so you'd be authenticating the user remotely, possibly, and use local author data.

For this topic you may find this info helpful/useful.

Cheers,

Xander