I configured a Cisco 2960 switch to use TekRADIUS as the RADIUS server for authentication and authorization. Authentication worked, but users could not land directly in enable mode (privilege level 15), even though priv-lvl=15 had been set in TekRADIUS:
Step 1: Cisco 2960 Configuration
On the Cisco 2960S, the AAA configuration is:
aaa authentication login default group radius local
aaa authentication enable default group radius enable
aaa authorization exec default group radius local
radius-server host 10.9.200.14 auth-port 1812 acct-port 1646 key cisco
Step 2: TekRADIUS LT Server Configuration
On the TekRADIUS server, add three attributes:
Attribute       Type            Value
User-Password   Check           Password
cisco-avpair    Success Reply   shell:priv-lvl=15
Service-Type    Success Reply   NAS-Prompt
- User-Password: type Check; the value is the user's password
- Cisco-avpair: type Success Reply; the value is shell:priv-lvl=15
- Service-Type: type Success Reply; the value is NAS-Prompt
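To show what those three TekRADIUS entries turn into on the wire, here is an added example (not part of the original post, and not TekRADIUS or Cisco code) that builds the Access-Request the switch sends and the Access-Accept the server returns, using the RFC 2865 encoding of the Cisco Vendor-Specific attribute, the User-Password hiding scheme and the Response Authenticator. The RADIUS identifier, the request authenticator and the shared secret are read off the debug output and switch configuration shown on this page; the user password is a constructed value, since the debug dump masks the real one.

```python
import hashlib
import hmac
import socket
import struct

# RADIUS codes and attribute numbers from RFC 2865; the Cisco VSA layout is vendor-id 9, vendor-type 1
ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2
A_USER_NAME, A_USER_PASSWORD, A_NAS_IP, A_NAS_PORT, A_SERVICE_TYPE = 1, 2, 4, 5, 6
A_REPLY_MESSAGE, A_VSA, A_CALLING_STATION_ID, A_NAS_PORT_TYPE, A_NAS_PORT_ID = 18, 26, 31, 61, 87
VENDOR_CISCO, CISCO_AVPAIR, SERVICE_TYPE_NAS_PROMPT = 9, 1, 7

# Values read off the debug output on this page: RADIUS identifier 6 (the "/6" in "id 1645/6"),
# the Access-Request's authenticator, and the shared secret from the switch configuration.
REQUEST_ID = 6
REQUEST_AUTHENTICATOR = bytes.fromhex("D0DC3F5D428B88B48F6FC1A4573B035A")
SHARED_SECRET = b"cisco"


def attr(atype, value):
    """Type-Length-Value encoding; Length counts the 2-byte header, so a value is at most 253 bytes."""
    if len(value) > 253:
        raise ValueError("attribute value exceeds 253 bytes")
    return struct.pack("!BB", atype, len(value) + 2) + value


def cisco_avpair(text):
    """Vendor-Specific [26] wrapping vendor-id 9 and a Cisco-AVPair [1] sub-attribute."""
    return attr(A_VSA, struct.pack("!I", VENDOR_CISCO) + attr(CISCO_AVPAIR, text.encode("ascii")))


def hide_password(password, request_authenticator, secret):
    """User-Password hiding (RFC 2865 5.2): null-pad to 16-byte blocks, XOR each block with
    MD5(secret + previous ciphertext block), seeded with the Request Authenticator."""
    padded = password.ljust(max(16, -(-len(password) // 16) * 16), b"\x00")
    out, prev = b"", request_authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out += prev
    return out


def build_access_request(identifier, request_authenticator, secret, username, password):
    """Access-Request rebuilt from the attribute list in the debug dump. The dump reports
    Calling-Station-Id as 14 bytes, one more than the 11-character address accounts for; that
    extra byte is not visible in the dump, so this rebuild comes to 93 bytes against the logged 94."""
    body = b"".join([
        attr(A_USER_NAME, username),
        attr(A_REPLY_MESSAGE, b"Password: "),          # IOS echoes its prompt text here
        attr(A_USER_PASSWORD, hide_password(password, request_authenticator, secret)),
        attr(A_NAS_PORT, struct.pack("!I", 2)),
        attr(A_NAS_PORT_ID, b"tty2"),
        attr(A_NAS_PORT_TYPE, struct.pack("!I", 5)),   # 5 = Virtual
        attr(A_CALLING_STATION_ID, b"10.9.200.14"),
        attr(A_NAS_IP, socket.inet_aton("10.9.200.11")),
    ])
    return struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(body)) + request_authenticator + body


def build_access_accept(identifier, request_authenticator, secret, attributes):
    """Access-Accept whose Response Authenticator is MD5(Code+ID+Length+RequestAuth+Attributes+Secret)."""
    body = b"".join(attributes)
    header = struct.pack("!BBH", ACCESS_ACCEPT, identifier, 20 + len(body))
    return header + hashlib.md5(header + request_authenticator + body + secret).digest() + body


def verify_response(packet, request_authenticator, secret):
    """What the switch does on receipt: recompute the Response Authenticator and compare in constant time."""
    if len(packet) < 20 or struct.unpack("!H", packet[2:4])[0] != len(packet):
        return False
    header, resp_auth, body = packet[:4], packet[4:20], packet[20:]
    expected = hashlib.md5(header + request_authenticator + body + secret).digest()
    return hmac.compare_digest(resp_auth, expected)


def parse_attributes(packet):
    """Walk the attribute list and decode the Cisco AVpair and Service-Type as the debug dump shows them."""
    out, pos = [], 20
    while pos < len(packet):
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > len(packet):
            raise ValueError("malformed attribute at offset %d" % pos)
        value = packet[pos + 2:pos + alen]
        if (atype == A_VSA and len(value) >= 6 and struct.unpack("!I", value[:4])[0] == VENDOR_CISCO
                and value[4] == CISCO_AVPAIR and value[5] == len(value) - 4):
            out.append(("Cisco AVpair", value[5], value[6:].decode("ascii")))
        elif atype == A_SERVICE_TYPE and len(value) == 4:
            out.append(("Service-Type", alen, struct.unpack("!I", value)[0]))
        else:
            out.append((atype, alen, value))
        pos += alen
    return out


def example_exchange():
    """Both messages for user john; the Access-Accept carries exactly the two TekRADIUS reply attributes."""
    request = build_access_request(REQUEST_ID, REQUEST_AUTHENTICATOR, SHARED_SECRET, b"john", b"s3cret-example")
    accept = build_access_accept(REQUEST_ID, REQUEST_AUTHENTICATOR, SHARED_SECRET, [
        cisco_avpair("shell:priv-lvl=15"),
        attr(A_SERVICE_TYPE, struct.pack("!I", SERVICE_TYPE_NAS_PROMPT)),
    ])
    return request, accept
```

The Access-Accept comes out at 51 bytes, matching the logged "len 51" (20-byte header, 25-byte Vendor-Specific, 6-byte Service-Type), and parse_attributes reproduces the "Cisco AVpair [1] 19" and "Service-Type [6] 6 NAS Prompt [7]" lines. Two things to take from it: the priv-lvl=15 grant travels in clear text, and the only thing binding that grant to the server is the MD5 Response Authenticator keyed by the shared secret, so a short key such as the one on this page deserves replacing with a long random one (and RADIUS traffic is best confined to a management network or tunnelled). If the attribute order and secret match the server's, the computed Response Authenticator can be compared against the "authenticator" bytes of the Access-Accept in the debug output.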
Step 3: Troubleshooting
Enable debugging on the Cisco 2960S:
debug aaa authentication
debug aaa authorization
debug radius
*Jan 6 01:41:42.421: %SEC-6-IPACCESSLOGP: list 101 permitted tcp 10.9.200.14(58485) -> 0.0.0.0(22), 1 packet
*Jan 6 01:41:42.652: AAA/BIND(00000073): Bind i/f
*Jan 6 01:41:42.652: AAA/AUTHEN/LOGIN (00000073): Pick method list 'default'
*Jan 6 01:41:42.652: RADIUS/ENCODE(00000073): ask "Password: "
*Jan 6 01:41:42.652: RADIUS/ENCODE(00000073):Orig. component type = EXEC
*Jan 6 01:41:42.652: RADIUS/ENCODE(00000073): dropping service type, "radius-server attribute 6 on-for-login-auth" is off
*Jan 6 01:41:42.652: RADIUS(00000073): Config NAS IP: 0.0.0.0
*Jan 6 01:41:42.652: RADIUS/ENCODE(00000073): acct_session_id: 804
*Jan 6 01:41:42.652: RADIUS(00000073): sending
*Jan 6 01:41:42.657: RADIUS/ENCODE: Best Local IP-Address 10.9.200.11 for Radius-Server 10.9.200.14
*Jan 6 01:41:42.657: RADIUS(00000073): Send Access-Request to 10.9.200.14:1812 id 1645/6, len 94
*Jan 6 01:41:42.657: RADIUS: authenticator D0 DC 3F 5D 42 8B 88 B4 - 8F 6F C1 A4 57 3B 03 5A
*Jan 6 01:41:42.657: RADIUS: User-Name [1] 6 "john"
*Jan 6 01:41:42.657: RADIUS: Reply-Message [18] 12
*Jan 6 01:41:42.657: RADIUS: 50 61 73 73 77 6F 72 64 3A 20 [ Password: ]
*Jan 6 01:41:42.657: RADIUS: User-Password [2] 18 *
*Jan 6 01:41:42.657: RADIUS: NAS-Port [5] 6 2
*Jan 6 01:41:42.657: RADIUS: NAS-Port-Id [87] 6 "tty2"
*Jan 6 01:41:42.657: RADIUS: NAS-Port-Type [61] 6 Virtual [5]
*Jan 6 01:41:42.657: RADIUS: Calling-Station-Id [31] 14 "10.9.200.14"
*Jan 6 01:41:42.657: RADIUS: NAS-IP-Address [4] 6 10.9.200.11
*Jan 6 01:41:42.657: RADIUS(00000073): Started 5 sec timeout
*Jan 6 01:41:42.678: RADIUS: Received from id 1645/6 10.9.200.14:1812, Access-Accept, len 51
*Jan 6 01:41:42.683: RADIUS: authenticator 13 17 D3 26 DD 33 00 94 - 5B 16 E5 9B EA 5F F4 94
*Jan 6 01:41:42.683: RADIUS: Vendor, Cisco [26] 25
*Jan 6 01:41:42.683: RADIUS: Cisco AVpair [1] 19 "shell:priv-lvl=15"
GDCM-CSWP2003#
*Jan 6 01:41:42.683: RADIUS: Service-Type [6] 6 NAS Prompt [7]
*Jan 6 01:41:42.683: RADIUS(00000073): Received from id 1645/6
*Jan 6 01:41:42.709: AAA/AUTHOR (00000073): Method list id=0 not configured. Skip author
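Reading this kind of debug output by eye is error-prone, so here is an added example (not from the original post) of a small parser for it: it groups the lines by AAA session id, records whether an Access-Accept arrived, which privilege level the Cisco AVpair carried and whether exec authorization actually ran, and turns that into the next thing to check. The sample input is an excerpt of the two sessions shown on this page (the one above and the one after the fix), with the quotes normalised to ASCII and the interleaved console prompt left in to show it is ignored.

```python
import re

# Excerpt of the "debug radius" / "debug aaa authorization" output on this page: session
# 00000073 before the fix, session 00000074 after it. Quotes normalised to plain ASCII.
SAMPLE_DEBUG = """\
*Jan 6 01:41:42.652: AAA/AUTHEN/LOGIN (00000073): Pick method list 'default'
*Jan 6 01:41:42.657: RADIUS(00000073): Send Access-Request to 10.9.200.14:1812 id 1645/6, len 94
*Jan 6 01:41:42.678: RADIUS: Received from id 1645/6 10.9.200.14:1812, Access-Accept, len 51
*Jan 6 01:41:42.683: RADIUS: Cisco AVpair [1] 19 "shell:priv-lvl=15"
GDCM-CSWP2003#
*Jan 6 01:41:42.683: RADIUS: Service-Type [6] 6 NAS Prompt [7]
*Jan 6 01:41:42.709: AAA/AUTHOR (00000073): Method list id=0 not configured. Skip author
*Jan 6 01:46:54.986: AAA/AUTHEN/LOGIN (00000074): Pick method list 'default'
*Jan 6 01:46:54.986: RADIUS(00000074): Send Access-Request to 10.9.200.14:1812 id 1645/7, len 94
*Jan 6 01:46:55.002: RADIUS: Received from id 1645/7 10.9.200.14:1812, Access-Accept, len 51
*Jan 6 01:46:55.002: RADIUS: Cisco AVpair [1] 19 "shell:priv-lvl=15"
*Jan 6 01:46:55.002: RADIUS: Service-Type [6] 6 NAS Prompt [7]
*Jan 6 01:46:55.028: AAA/AUTHOR/EXEC(00000074): processing AV priv-lvl=15
*Jan 6 01:46:55.028: AAA/AUTHOR/EXEC(00000074): Authorization successful
"""

# IOS debug lines start with "*Mon d hh:mm:ss.mmm: "; anything else (prompts, syslog noise) is skipped
TIMESTAMP_RE = re.compile(r"^\*\w{3} +\d{1,2} \d\d:\d\d:\d\d\.\d+: (?P<msg>.*)$")
SESSION_RE = re.compile(r"\((?P<sid>\d{8})\)")          # the AAA unique id in parentheses
PRIV_RE = re.compile(r"shell:priv-lvl=(?P<lvl>\d+)")    # the Cisco AVpair as dumped by "debug radius"
ACCESS_RE = re.compile(r"Access-(?P<result>Accept|Reject)")


def analyze_aaa_debug(text):
    """Return {session_id: {"result", "priv_lvl", "exec_authz"}} for every AAA session in the text.
    RADIUS attribute lines carry no session id, so they are attributed to the most recent one seen."""
    sessions, current = {}, None
    for raw in text.splitlines():
        m = TIMESTAMP_RE.match(raw)
        if not m:
            continue
        msg = m.group("msg")
        sm = SESSION_RE.search(msg)
        if sm:
            current = sm.group("sid")
            sessions.setdefault(current, {"result": None, "priv_lvl": None, "exec_authz": "not seen"})
        if current is None:
            continue
        s = sessions[current]
        am = ACCESS_RE.search(msg)
        if am:
            s["result"] = am.group("result")
        pm = PRIV_RE.search(msg)
        if pm:
            s["priv_lvl"] = int(pm.group("lvl"))
        if "AAA/AUTHOR" in msg and "Skip author" in msg:
            s["exec_authz"] = "skipped"
        elif "AAA/AUTHOR" in msg and "Authorization successful" in msg:
            s["exec_authz"] = "successful"
    return sessions


def diagnose(session):
    """Map one session's facts to the next thing to check, in the order the switch evaluates them."""
    if session["result"] != "Accept":
        return "authentication did not succeed (no Access-Accept)"
    if session["priv_lvl"] is None:
        return "Access-Accept carried no shell:priv-lvl AVpair: check the reply attributes on the server"
    if session["exec_authz"] == "skipped":
        return "exec authorization never ran: no exec method list is applied to the line (aaa authorization exec / authorization exec)"
    if session["exec_authz"] != "successful":
        return "no exec authorization result seen: is 'debug aaa authorization' enabled?"
    return "exec authorization applied priv-lvl=%d" % session["priv_lvl"]


if __name__ == "__main__":
    for sid, facts in sorted(analyze_aaa_debug(SAMPLE_DEBUG).items()):
        print(sid, facts, "->", diagnose(facts))
```

For session 00000073 the parser reports an Access-Accept with priv-lvl=15 but exec authorization "skipped", which is exactly the split the post describes: the server did its part, the switch never consulted an exec authorization method list for the vty session. Session 00000074 reports "successful".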
Step 4: Solution
After a quick search, I found that an exec authorization command was missing. The debug line "AAA/AUTHOR (00000073): Method list id=0 not configured. Skip author" shows that no exec authorization method list was applied to the vty session, so the priv-lvl=15 AVpair in the Access-Accept was never acted on. The missing commands were:
line vty 0 4
 authorization exec AUTH
and
aaa authorization exec default group radius
After adding those commands, it works fine now.
————————————
(config)#
*Jan 6 01:46:48.002: %SEC-6-IPACCESSLOGP: list 101 permitted tcp 10.9.200.14(58484) -> 0.0.0.0(22), 1 packet
*Jan 6 01:46:48.002: %SEC-6-IPACCESSLOGP: list 101 permitted tcp 10.9.200.14(58485) -> 0.0.0.0(22), 1 packet
GDCM-CSWP2003(config)#
*Jan 6 01:46:54.745: %SEC-6-IPACCESSLOGP: list 101 permitted tcp 10.9.200.14(58488) -> 0.0.0.0(22), 1 packet
*Jan 6 01:46:54.986: AAA/BIND(00000074): Bind i/f
*Jan 6 01:46:54.986: AAA/AUTHEN/LOGIN (00000074): Pick method list 'default'
*Jan 6 01:46:54.986: RADIUS/ENCODE(00000074): ask "Password: "
*Jan 6 01:46:54.986: RADIUS/ENCODE(00000074):Orig. component type = EXEC
*Jan 6 01:46:54.986: RADIUS/ENCODE(00000074): dropping service type, "radius-server attribute 6 on-for-login-auth" is off
*Jan 6 01:46:54.986: RADIUS(00000074): Config NAS IP: 0.0.0.0
*Jan 6 01:46:54.986: RADIUS/ENCODE(00000074): acct_session_id: 811
*Jan 6 01:46:54.986: RADIUS(00000074): sending
*Jan 6 01:46:54.986: RADIUS/ENCODE: Best Local IP-Address 10.9.200.11 for Radius-Server 10.9.200.14
*Jan 6 01:46:54.986: RADIUS(00000074): Send Access-Request to 10.9.200.14:1812 id 1645/7, len 94
*Jan 6 01:46:54.986: RADIUS: authenticator EF 99 98 AD D5 BC BA E7 - 86 24 59 93 C3 B3 FF 3A
*Jan 6 01:46:54.986: RADIUS: User-Name [1] 6 "john"
*Jan 6 01:46:54.986: RADIUS: Reply-Message [18] 12
*Jan 6 01:46:54.986: RADIUS: 50 61 73 73 77 6F 72 64 3A 20 [ Password: ]
*Jan 6 01:46:54.986: RADIUS: User-Password [2] 18 *
*Jan 6 01:46:54.986: RADIUS: NAS-Port [5] 6 2
*Jan 6 01:46:54.991: RADIUS: NAS-Port-Id [87] 6 "tty2"
*Jan 6 01:46:54.991: RADIUS: NAS-Port-Type [61] 6 Virtual [5]
*Jan 6 01:46:54.991: RADIUS: Calling-Station-Id [31] 14 "10.9.200.14"
*Jan 6 01:46:54.991: RADIUS: NAS-IP-Address [4] 6 10.9.200.11
*Jan 6 01:46:54.991: RADIUS(00000074): Started 5 sec timeout
*Jan 6 01:46:55.002: RADIUS: Received from id 1645/7 10.9.200.14:1812, Access-Accept, len 51
*Jan 6 01:46:55.002: RADIUS: authenticator 64 86 20 C2 B9 D4 32 24 - D8 24 1C 41 64 85 BF 20
*Jan 6 01:46:55.002: RADIUS: Vendor, Cisco [26] 25
*Jan 6 01:46:55.002: RADIUS: Cisco AVpair [1] 19 "shell:priv-lvl=15"
GDCM-CSWP2003(config)#
*Jan 6 01:46:55.002: RADIUS: Service-Type [6] 6 NAS Prompt [7]
*Jan 6 01:46:55.002: RADIUS(00000074): Received from id 1645/7
*Jan 6 01:46:55.028: AAA/AUTHOR/EXEC(00000074): processing AV priv-lvl=15
*Jan 6 01:46:55.028: AAA/AUTHOR/EXEC(00000074): processing AV service-type=7
*Jan 6 01:46:55.028: AAA/AUTHOR/EXEC(00000074): Authorization successful