Mailing List Archive

[nsp] Merit Radius and Cisco authorization
We are unable to get the Merit Radius to work properly with Cisco
authorization. Authentication works ok but authorization doesn't work:

    seven Password = "eight"
    Service-Type = Shell-User
    Cisco-Avpair = shell:priv-lvl=15

Can someone send a working Merit Radius server config and the Cisco
commands you use for authorization:

    aaa authorization exec default radius if-authenticated

Thanks,
Hank
RE: [nsp] Merit Radius and Cisco authorization
Hi Hank,

On my Merit RADIUS it is:

Cisco:Cisco-Avpair = "shell:priv-lvl=15"

..and don't forget the comma after the second line.

If you debug the RADIUS you can see if it is happy with your Cisco AV-pair attribute or if it is "tossing" it.

Regards,

Richard




> -----Original Message-----
> From: Hank Nussbacher [SMTP:hank@att.net.il]
> Sent: Tuesday, July 23, 2002 8:43 AM
> To: cisco-nsp@puck.nether.net
> Subject: [nsp] Merit Radius and Cisco authorization
>
> We are unable to get the Merit Radius to work properly with Cisco
> authorization. Authentication works ok but authorization doesn't work:
> seven Password = "eight"
> Service-Type = Shell-User
> Cisco-Avpair = shell:priv-lvl=15
>
> Can someone send a working Merit Radius server config and the Cisco
> commands you use for authorization:
> aaa authorization exec default radius if-authenticated
>
> Thanks,
> Hank
>
> _______________________________________________
> cisco-nsp mailing list
> cisco-nsp@puck.nether.net
> http://puck.nether.net/mailman/listinfo/cisco-nsp


**********************************************************************
This message may contain information which is confidential or privileged.
If you are not the intended recipient, please advise the sender immediately
by reply e-mail and delete this message and any attachments
without retaining a copy.

**********************************************************************
RE: [nsp] Merit Radius and Cisco authorization
At 09:09 AM 23-07-02 +0100, you wrote:
>Hi Hank,
>
>On my Merit RADIUS it is :
>
> Cisco:Cisco-Avpair = "shell:priv-lvl=15"
>
> ..and don't forget the comma after the second line.

Huh? Care to explain?

Looking at http://www.merit.edu/michnet/dial-in/aaa/faq.html#usrvsa and the
code we downloaded is 3.6B then we need to apply the patch. Where did you
get your version from?

-Hank


RE: [nsp] Merit Radius and Cisco authorization
Hi Hank,

Did you note the different syntax for the VSA attribute... Cisco: before the attribute?

Both my versions are 3.6B, one is a NetBSD precompiled binary (no longer available I think, they've moved to cistron) and the other is a Solaris 2.6 freeware precompiled binary.

Both use this syntax. It is described in the dictionary files. Both work.

I don't have time to check - these are only lab RADIUSs - but it does work fine. Also for Cosine, other vendors etc. I helped one of my colleagues configure exactly what you are doing a couple of days ago.

Not sure why you reference a bugfix for USR (US Robotics = 3Com) VSAs when you are using Cisco kit. Have you found this applies to Cisco VSAs too?

Of course I have precompiled binaries - looks like you are compiling so YMMV.

Regards,

Richard
