Step 1: Cisco 2960 Configuration

On the Cisco 2960s (aaa new-model has to be on before the aaa commands are accepted):

    aaa new-model
    aaa authentication login default group radius local
    aaa authentication enable default group radius enable
    aaa authorization exec default group radius local
    radius-server host 10.94.200.14 auth-port 1812 acct-port 1646 key cisco

A few things to check before copying this:
- The trailing "local" keyword is only a fallback for when no RADIUS server answers, and it only helps if a local username with privilege 15 exists. Keep a console session open while applying aaa new-model, since it changes how the lines authenticate.
- The "enable" line checks the enable password against RADIUS too (IOS sends the reserved username $enab15$) and falls back to the locally configured enable secret.
- "key cisco" is the shared secret. RADIUS hides User-Password and authenticates the server's reply with nothing stronger than MD5 over this secret, so a guessable secret lets anyone who can capture the UDP traffic recover user passwords offline and forge Access-Accepts. Use a long random secret and keep RADIUS off untrusted networks.
- 1812 is the current authentication port; its standard companion for accounting is 1813, while 1646 is the legacy accounting port. Whatever is chosen must match what TekRADIUS listens on.
Step 2: TekRADIUS LT Server Configuration

On the TekRADIUS server, add three attributes to the user's profile:

    Attribute      Type            Value
    User-Password  Check           the user's password
    cisco-avpair   Success Reply   shell:priv-lvl=15
    Service-Type   Success Reply   NAS-Prompt

- User-Password is a Check attribute: the server compares it against the password the switch sends in the Access-Request.
- cisco-avpair and Service-Type are Success Reply attributes: they are returned in the Access-Accept. shell:priv-lvl=15 drops the user straight into privilege 15, so a valid password in the TekRADIUS user database is all that stands between a login and full enable access; NAS-Prompt tells the switch this is an interactive CLI login rather than, say, a PPP session.
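What actually goes over the wire between the switch and TekRADIUS in Steps 1 and 2, as an added example (not code from the post and not TekRADIUS code): a Python client and a toy server written straight from RFC 2865, using the shared secret cisco from the Step 1 line, the switch address 10.94.200.11 that appears in the debug output, and a made-up password for john (the post never shows it). The client hides User-Password the way the switch does, the server checks it and answers with exactly the two reply attributes configured in Step 2, and the client verifies the Response Authenticator before it believes the privilege level.

```python
"""RADIUS Access-Request / Access-Accept round trip per RFC 2865, written by hand (no RADIUS
library). Added example: not from the post and not TekRADIUS code. Assumes the shared secret
'cisco' from Step 1 and a made-up password for user john (the post never shows it)."""
import hashlib
import hmac
import os
import socket
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3               # RFC 2865 packet codes
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS, SERVICE_TYPE = 1, 2, 4, 6   # attribute types
VENDOR_SPECIFIC, NAS_PORT_TYPE = 26, 61
SERVICE_TYPE_NAS_PROMPT, NAS_PORT_TYPE_VIRTUAL = 7, 5                 # "NAS Prompt [7]" / "Virtual [5]" in the debug
CISCO_VENDOR_ID, CISCO_AVPAIR = 9, 1                                   # "Vendor, Cisco [26]" / "Cisco AVpair [1]"
SHARED_SECRET = b"cisco"                                               # from the radius-server host line
USER_DB = {"john": "Hypothetical-Pa55"}                                # constructed password, not from the post


def attr(atype: int, value: bytes) -> bytes:
    """One TLV attribute: Type(1) Length(1, header included) Value."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", atype, len(value) + 2) + value


def cisco_avpair(text: str) -> bytes:
    """Vendor-Specific(26) carrying Cisco vendor id 9, sub-type 1 (cisco-avpair)."""
    sub = struct.pack("!BB", CISCO_AVPAIR, len(text) + 2) + text.encode()
    return attr(VENDOR_SPECIFIC, struct.pack("!I", CISCO_VENDOR_ID) + sub)


def parse_attrs(data: bytes) -> list:
    """Walk a TLV list, refusing lengths that run off the end of the buffer."""
    out, i = [], 0
    while i < len(data):
        if i + 2 > len(data) or data[i + 1] < 2 or i + data[i + 1] > len(data):
            raise ValueError("malformed attribute")
        out.append((data[i], data[i + 2:i + data[i + 1]]))
        i += data[i + 1]
    return out


def xor_chain(blocks: bytes, secret: bytes, authenticator: bytes, decrypt: bool) -> bytes:
    """RFC 2865 5.2 User-Password hiding: c_i = p_i XOR MD5(secret + c_(i-1)), c_0 = Request Authenticator."""
    out, prev = b"", authenticator
    for i in range(0, len(blocks), 16):
        chunk = blocks[i:i + 16]
        mixed = bytes(x ^ y for x, y in zip(chunk, hashlib.md5(secret + prev).digest()))
        out += mixed
        prev = chunk if decrypt else mixed        # chain on the ciphertext block either way
    return out


def build_access_request(user: str, password: str, nas_ip: str, ident: int,
                         secret: bytes = SHARED_SECRET, authenticator: bytes = b"") -> bytes:
    """What the switch sends (compare the User-Name / User-Password / NAS-IP-Address debug lines)."""
    authenticator = authenticator or os.urandom(16)        # Request Authenticator: 16 random bytes
    pw = password.encode()
    hidden = xor_chain(pw + b"\x00" * (-len(pw) % 16), secret, authenticator, decrypt=False)
    attrs = (attr(USER_NAME, user.encode()) + attr(USER_PASSWORD, hidden)
             + attr(NAS_IP_ADDRESS, socket.inet_aton(nas_ip))
             + attr(NAS_PORT_TYPE, struct.pack("!I", NAS_PORT_TYPE_VIRTUAL)))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + authenticator + attrs


def server_reply(request: bytes, secret: bytes = SHARED_SECRET, users: dict = USER_DB) -> bytes:
    """Toy stand-in for TekRADIUS: check User-Password, reply with the two attributes from Step 2."""
    code, ident, length = struct.unpack("!BBH", request[:4])
    req_auth = request[4:20]
    attrs = dict(parse_attrs(request[20:length]))
    ok = False
    if code == ACCESS_REQUEST and USER_NAME in attrs and USER_PASSWORD in attrs:
        user = attrs[USER_NAME].decode(errors="replace")
        pw = xor_chain(attrs[USER_PASSWORD], secret, req_auth, decrypt=True).rstrip(b"\x00")
        ok = user in users and hmac.compare_digest(users[user].encode(), pw)
    if ok:
        code, reply = ACCESS_ACCEPT, (cisco_avpair("shell:priv-lvl=15")
                                      + attr(SERVICE_TYPE, struct.pack("!I", SERVICE_TYPE_NAS_PROMPT)))
    else:
        code, reply = ACCESS_REJECT, b""
    header = struct.pack("!BBH", code, ident, 20 + len(reply))
    # Response Authenticator = MD5(Code+ID+Length + RequestAuth + Attributes + Secret)
    return header + hashlib.md5(header + req_auth + reply + secret).digest() + reply


def check_reply(reply: bytes, request: bytes, secret: bytes = SHARED_SECRET) -> dict:
    """Client side: verify identifier and Response Authenticator BEFORE honouring any priv-lvl."""
    code, ident, length = struct.unpack("!BBH", reply[:4])
    if ident != request[1] or length != len(reply):
        raise ValueError("identifier/length mismatch: not a reply to our request")
    expected = hashlib.md5(reply[:4] + request[4:20] + reply[20:] + secret).digest()
    if not hmac.compare_digest(expected, reply[4:20]):
        raise ValueError("bad Response Authenticator: wrong shared secret or forged reply")
    result = {"accept": code == ACCESS_ACCEPT, "priv_lvl": None, "service_type": None}
    for atype, value in parse_attrs(reply[20:]):
        if atype == SERVICE_TYPE:
            result["service_type"] = struct.unpack("!I", value)[0]
        elif atype == VENDOR_SPECIFIC and len(value) >= 6 and struct.unpack("!I", value[:4])[0] == CISCO_VENDOR_ID:
            for vtype, vvalue in parse_attrs(value[4:]):       # same TLV layout inside the VSA
                text = vvalue.decode(errors="replace")
                if vtype == CISCO_AVPAIR and text.startswith("shell:priv-lvl="):
                    result["priv_lvl"] = int(text.split("=", 1)[1])
    return result


def login(user: str, password: str, secret: bytes = SHARED_SECRET) -> dict:
    """One full round trip, in process (no UDP): switch -> server -> switch."""
    req = build_access_request(user, password, "10.94.200.11", ident=6)
    return check_reply(server_reply(req, secret), req, secret)


if __name__ == "__main__":
    print(login("john", USER_DB["john"]))     # accept, priv_lvl 15, service_type 7
    print(login("john", "wrong"))             # reject
```

The Access-Accept this builds is 51 bytes, the same length the switch reports in its debug output (20-byte header, 25-byte Cisco VSA, 6-byte Service-Type). Pointing check_reply at a server that uses a different secret raises instead of returning, which is the behaviour to want: a reply whose authenticator does not verify must never be allowed to hand out priv-lvl 15. Everything here is keyed only by MD5 over the shared secret, which is the whole argument for a long random secret instead of "cisco".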
Step 3: Troubleshooting

Enable debugging on the Cisco 2960 switch (on a vty session you also need terminal monitor to see the output; turn it all off afterwards with undebug all):

    debug aaa authentication
    debug aaa authorization
    debug radius

In the first capture the login authenticates and the Access-Accept carries shell:priv-lvl=15, but exec authorization is skipped at the end:
*Jan 6 01:41:42.421: %SEC-6-IPACCESSLOGP: list 101 permitted tcp 10.94.200.14(58485) -> 0.0.0.0(22), 1 packet
*Jan 6 01:41:42.652: AAA/BIND(00000073): Bind i/f
*Jan 6 01:41:42.652: AAA/AUTHEN/LOGIN (00000073): Pick method list 'default'
*Jan 6 01:41:42.652: RADIUS/ENCODE(00000073): ask "Password: "
*Jan 6 01:41:42.652: RADIUS/ENCODE(00000073):Orig. component type = EXEC
*Jan 6 01:41:42.652: RADIUS/ENCODE(00000073): dropping service type, "radius-server attribute 6 on-for-login-auth" is off
*Jan 6 01:41:42.652: RADIUS(00000073): Config NAS IP: 0.0.0.0
*Jan 6 01:41:42.652: RADIUS/ENCODE(00000073): acct_session_id: 804
*Jan 6 01:41:42.652: RADIUS(00000073): sending
*Jan 6 01:41:42.657: RADIUS/ENCODE: Best Local IP-Address 10.94.200.11 for Radius-Server 10.94.200.14
*Jan 6 01:41:42.657: RADIUS(00000073): Send Access-Request to 10.94.200.14:1812 id 1645/6, len 94
*Jan 6 01:41:42.657: RADIUS: authenticator D0 DC 3F 5D 42 8B 88 B4 - 8F 6F C1 A4 57 3B 03 5A
*Jan 6 01:41:42.657: RADIUS: User-Name [1] 6 "john"
*Jan 6 01:41:42.657: RADIUS: Reply-Message [18] 12
*Jan 6 01:41:42.657: RADIUS: 50 61 73 73 77 6F 72 64 3A 20 [ Password: ]
*Jan 6 01:41:42.657: RADIUS: User-Password [2] 18 *
*Jan 6 01:41:42.657: RADIUS: NAS-Port [5] 6 2
*Jan 6 01:41:42.657: RADIUS: NAS-Port-Id [87] 6 "tty2"
*Jan 6 01:41:42.657: RADIUS: NAS-Port-Type [61] 6 Virtual [5]
*Jan 6 01:41:42.657: RADIUS: Calling-Station-Id [31] 14 "10.94.200.14"
*Jan 6 01:41:42.657: RADIUS: NAS-IP-Address [4] 6 10.94.200.11
*Jan 6 01:41:42.657: RADIUS(00000073): Started 5 sec timeout
*Jan 6 01:41:42.678: RADIUS: Received from id 1645/6 10.94.200.14:1812, Access-Accept, len 51
*Jan 6 01:41:42.683: RADIUS: authenticator 13 17 D3 26 DD 33 00 94 - 5B 16 E5 9B EA 5F F4 94
*Jan 6 01:41:42.683: RADIUS: Vendor, Cisco [26] 25
*Jan 6 01:41:42.683: RADIUS: Cisco AVpair [1] 19 "shell:priv-lvl=15"
GDCM-CSWP2003#
*Jan 6 01:41:42.683: RADIUS: Service-Type [6] 6 NAS Prompt [7]
*Jan 6 01:41:42.683: RADIUS(00000073): Received from id 1645/6
*Jan 6 01:41:42.709: AAA/AUTHOR (00000073): Method list id=0 not configured. Skip author
Step 4: Solution

After a quick search, I found that the exec authorization commands were missing:

    line vty 0 4
     authorization exec AUTH

and

    aaa authorization exec default group radius

After putting those commands in, it works great now. (Step 1 above shows the configuration with the aaa authorization exec line already in place.)

Two things to check when reusing this. First, "authorization exec AUTH" on the vty line refers to a named method list called AUTH, which only works if that list is defined with its own aaa authorization exec AUTH command; if only the default list exists, every line uses it automatically and no per-line command is needed. Second, the debug line "Method list id=0 not configured. Skip author" is the symptom to look for: the Access-Accept arrived with shell:priv-lvl=15, but without an exec authorization method list the switch never processed it, so the privilege level the server returned was never applied. After the fix the AAA/AUTHOR/EXEC lines show the AV pairs being processed and "Authorization successful":
------------------------------------
(config)#
*Jan 6 01:46:48.002: %SEC-6-IPACCESSLOGP: list 101 permitted tcp 10.94.200.14(58484) -> 0.0.0.0(22), 1 packet
*Jan 6 01:46:48.002: %SEC-6-IPACCESSLOGP: list 101 permitted tcp 10.94.200.14(58485) -> 0.0.0.0(22), 1 packet
GDCM-CSWP2003(config)#
*Jan 6 01:46:54.745: %SEC-6-IPACCESSLOGP: list 101 permitted tcp 10.94.200.14(58488) -> 0.0.0.0(22), 1 packet
*Jan 6 01:46:54.986: AAA/BIND(00000074): Bind i/f
*Jan 6 01:46:54.986: AAA/AUTHEN/LOGIN (00000074): Pick method list 'default'
*Jan 6 01:46:54.986: RADIUS/ENCODE(00000074): ask "Password: "
*Jan 6 01:46:54.986: RADIUS/ENCODE(00000074):Orig. component type = EXEC
*Jan 6 01:46:54.986: RADIUS/ENCODE(00000074): dropping service type, "radius-server attribute 6 on-for-login-auth" is off
*Jan 6 01:46:54.986: RADIUS(00000074): Config NAS IP: 0.0.0.0
*Jan 6 01:46:54.986: RADIUS/ENCODE(00000074): acct_session_id: 811
*Jan 6 01:46:54.986: RADIUS(00000074): sending
*Jan 6 01:46:54.986: RADIUS/ENCODE: Best Local IP-Address 10.94.200.11 for Radius-Server 10.94.200.14
*Jan 6 01:46:54.986: RADIUS(00000074): Send Access-Request to 10.94.200.14:1812 id 1645/7, len 94
*Jan 6 01:46:54.986: RADIUS: authenticator EF 99 98 AD D5 BC BA E7 - 86 24 59 93 C3 B3 FF 3A
*Jan 6 01:46:54.986: RADIUS: User-Name [1] 6 "john"
*Jan 6 01:46:54.986: RADIUS: Reply-Message [18] 12
*Jan 6 01:46:54.986: RADIUS: 50 61 73 73 77 6F 72 64 3A 20 [ Password: ]
*Jan 6 01:46:54.986: RADIUS: User-Password [2] 18 *
*Jan 6 01:46:54.986: RADIUS: NAS-Port [5] 6 2
*Jan 6 01:46:54.991: RADIUS: NAS-Port-Id [87] 6 "tty2"
*Jan 6 01:46:54.991: RADIUS: NAS-Port-Type [61] 6 Virtual [5]
*Jan 6 01:46:54.991: RADIUS: Calling-Station-Id [31] 14 "10.94.200.14"
*Jan 6 01:46:54.991: RADIUS: NAS-IP-Address [4] 6 10.94.200.11
*Jan 6 01:46:54.991: RADIUS(00000074): Started 5 sec timeout
*Jan 6 01:46:55.002: RADIUS: Received from id 1645/7 10.94.200.14:1812, Access-Accept, len 51
*Jan 6 01:46:55.002: RADIUS: authenticator 64 86 20 C2 B9 D4 32 24 - D8 24 1C 41 64 85 BF 20
*Jan 6 01:46:55.002: RADIUS: Vendor, Cisco [26] 25
*Jan 6 01:46:55.002: RADIUS: Cisco AVpair [1] 19 "shell:priv-lvl=15"
GDCM-CSWP2003(config)#
*Jan 6 01:46:55.002: RADIUS: Service-Type [6] 6 NAS Prompt [7]
*Jan 6 01:46:55.002: RADIUS(00000074): Received from id 1645/7
*Jan 6 01:46:55.028: AAA/AUTHOR/EXEC(00000074): processing AV priv-lvl=15
*Jan 6 01:46:55.028: AAA/AUTHOR/EXEC(00000074): processing AV service-type=7
*Jan 6 01:46:55.028: AAA/AUTHOR/EXEC(00000074): Authorization successful
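The two captures above are the whole diagnosis: the same Access-Accept with the same shell:priv-lvl=15, but session 00000073 ends in "Skip author" and 00000074 in "Authorization successful". Added example, not from the post: a Python parser that groups debug radius / debug aaa authorization lines by AAA session id and reports that difference, run here over lines excerpted from the captures above. The regular expressions are written against the exact line formats shown on this page; other IOS releases may word them differently.

```python
"""Parse the switch's `debug radius` / `debug aaa authorization` output and flag the
failure mode from the post: the Access-Accept carries shell:priv-lvl=15 but the switch
skips exec authorization, so the privilege level is never applied."""
import re

# Constructed sample: lines excerpted from the two debug captures in the post.
# Session 00000073 is the capture before the fix, 00000074 the one after it.
SAMPLE_DEBUG = """\
*Jan 6 01:41:42.652: AAA/AUTHEN/LOGIN (00000073): Pick method list 'default'
*Jan 6 01:41:42.657: RADIUS(00000073): Send Access-Request to 10.94.200.14:1812 id 1645/6, len 94
*Jan 6 01:41:42.657: RADIUS: User-Name [1] 6 "john"
*Jan 6 01:41:42.657: RADIUS: NAS-IP-Address [4] 6 10.94.200.11
*Jan 6 01:41:42.678: RADIUS: Received from id 1645/6 10.94.200.14:1812, Access-Accept, len 51
*Jan 6 01:41:42.683: RADIUS: Cisco AVpair [1] 19 "shell:priv-lvl=15"
GDCM-CSWP2003#
*Jan 6 01:41:42.683: RADIUS: Service-Type [6] 6 NAS Prompt [7]
*Jan 6 01:41:42.709: AAA/AUTHOR (00000073): Method list id=0 not configured. Skip author
*Jan 6 01:46:54.986: AAA/AUTHEN/LOGIN (00000074): Pick method list 'default'
*Jan 6 01:46:54.986: RADIUS(00000074): Send Access-Request to 10.94.200.14:1812 id 1645/7, len 94
*Jan 6 01:46:54.986: RADIUS: User-Name [1] 6 "john"
*Jan 6 01:46:55.002: RADIUS: Received from id 1645/7 10.94.200.14:1812, Access-Accept, len 51
*Jan 6 01:46:55.002: RADIUS: Cisco AVpair [1] 19 "shell:priv-lvl=15"
*Jan 6 01:46:55.002: RADIUS: Service-Type [6] 6 NAS Prompt [7]
*Jan 6 01:46:55.028: AAA/AUTHOR/EXEC(00000074): processing AV priv-lvl=15
*Jan 6 01:46:55.028: AAA/AUTHOR/EXEC(00000074): Authorization successful
"""

SESSION_RE = re.compile(r"\((\d{8})\)")                         # AAA session id, e.g. (00000073)
SEND_RE = re.compile(r"Send Access-Request to ([\d.]+):(\d+) id (\S+)")
USER_RE = re.compile(r'User-Name \[1\] \d+ "([^"]*)"')
RESULT_RE = re.compile(r"Received from id \S+ [\d.]+:\d+, (Access-\w+)")
AVPAIR_RE = re.compile(r'Cisco AVpair \[1\] \d+ "([^"]*)"')
SERVICE_RE = re.compile(r"Service-Type \[6\] \d+ (.+?) \[(\d+)\]")
SKIP_RE = re.compile(r"AAA/AUTHOR \(\d+\): Method list id=\d+ not configured\. Skip author")
OK_RE = re.compile(r"AAA/AUTHOR/EXEC\(\d+\): Authorization successful")


def new_session() -> dict:
    return {"user": None, "server": None, "result": None, "avpairs": [],
            "service_type": None, "authorization": None}


def parse_debug(text: str) -> dict:
    """Group debug lines by session id. RADIUS attribute lines carry no id, so they are
    attached to the most recent session seen (the Send Access-Request line precedes them)."""
    sessions, current = {}, None
    for line in text.splitlines():
        sid = SESSION_RE.search(line)
        if sid:
            current = sid.group(1)
            sessions.setdefault(current, new_session())
        if current is None:
            continue                                          # console noise before any session
        s = sessions[current]
        if m := SEND_RE.search(line):
            s["server"] = f"{m.group(1)}:{m.group(2)}"
        elif m := USER_RE.search(line):
            s["user"] = m.group(1)
        elif m := RESULT_RE.search(line):
            s["result"] = m.group(1)
        elif m := AVPAIR_RE.search(line):
            s["avpairs"].append(m.group(1))
        elif m := SERVICE_RE.search(line):
            s["service_type"] = int(m.group(2))
        elif SKIP_RE.search(line):
            s["authorization"] = "skipped"
        elif OK_RE.search(line):
            s["authorization"] = "successful"
    return sessions


def priv_lvl(session: dict):
    """Privilege level the server asked for, or None if no shell:priv-lvl AV pair came back."""
    for av in session["avpairs"]:
        if av.startswith("shell:priv-lvl="):
            return int(av.split("=", 1)[1])
    return None


def diagnose(sessions: dict) -> list:
    """One finding per session, in the order the sessions appeared in the debug."""
    findings = []
    for sid, s in sessions.items():
        lvl = priv_lvl(s)
        if s["result"] == "Access-Reject":
            findings.append(f"{sid}: {s['user']} rejected by {s['server']}")
        elif s["result"] == "Access-Accept" and lvl is not None and s["authorization"] == "skipped":
            findings.append(f"{sid}: server granted priv-lvl={lvl} but exec authorization was "
                            "skipped: no exec authorization method list applies to this line")
        elif s["result"] == "Access-Accept" and lvl is not None and s["authorization"] == "successful":
            findings.append(f"{sid}: priv-lvl={lvl} applied for {s['user']}")
        elif s["result"] == "Access-Accept":
            findings.append(f"{sid}: accepted without a shell:priv-lvl AV pair")
        else:
            findings.append(f"{sid}: no RADIUS reply seen (timeout or server unreachable?)")
    return findings


if __name__ == "__main__":
    for finding in diagnose(parse_debug(SAMPLE_DEBUG)):
        print(finding)
```

Feed it a full capture (terminal monitor output saved to a file) and it separates the "server said yes" question from the "switch applied it" question, which is exactly the split that makes the missing aaa authorization exec line visible.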