
RADIUS server

Last Modified: 2012-05-06
I can connect to the RADIUS server, but I need setup help: it keeps rejecting the authentication.

Commented:
We need more information about what you've done and how you want it to work.

Seeing the tags you chose... Are you trying to authenticate a Cisco device against FreeRADIUS?

What authentication backend are you using? Where do you want FreeRADIUS to get users and passwords from?

I.e.:
Do you want to build a text database in /etc/raddb/users and specify users and passwords there in the clear, or maybe just users, and pull passwords from somewhere else?
Do you want to authenticate using Unix users and passwords?
Do you have a MySQL database you want to use with the sql backend?

There are numerous ways to set FreeRADIUS up, so we need to know how you want it to work and what you've done to configure it, i.e. which files did you change, and what did you change?


Author

Commented:
I am using RADL, not FreeRADIUS. This is what it has as a database, a flat text file:
#
#       This file contains security and configuration information
#       for each user.  The first field is the user's name and
#       can be up to 8 characters in length.  This is followed (on
#       the same line) with the list of authentication requirements
#       for that user.  This can include password, comm server name,
#       comm server port number, and an expiration date of the user's
#       password.  When an authentication request is receive from
#       the comm server, these values are tested.  A special user named
#       "DEFAULT" can be created (and should be placed at the end of
#       the user file) to specify what to do with users not contained
#       in the user file.  A special password of "UNIX" can be specified
#       to notify the authentication server to use UNIX password (/etc/passwd)
#       authentication for this user.
#
#       Indented (with the tab character) lines following the first
#       line indicate the configuration values to be passed back to
#       the comm server to allow the initiation of a user session.
#       This can include things like the PPP configuration values
#       or the host to log the user onto.
#>      Group = "Local"
t      Password = "t"
        User-Service-Type = Framed-User,
        Framed-Protocol = PPP,
        Framed-Route = "10.2.3.0/24",
        Framed-Filter-Id = "102.in",
        Framed-Filter-Id = "103.out",
        cisco-avpair = "ip:addr-pool=first",
        cisco-avpair = "ip:rte_fltr_in*12 igrp 109",
        cisco-avpair = "ipx:outacl=812"

$enabl5$      Password = "t"
        User-Service-Type = Framed-User,
        Framed-Protocol = PPP,
        Framed-Route = "10.2.3.0/24",
        Framed-Filter-Id = "102.in",
        Framed-Filter-Id = "103.out",
        cisco-avpair = "ip:addr-pool=first",
        cisco-avpair = "ip:rte_fltr_in*12 igrp 109",
        cisco-avpair = "ipx:outacl=812"

john    LPassword = "s",
        Service-Type = Framed-User,
        Framed-Protocol = PPP,
        Framed-Address = 172.16.3.33,
        Framed-Netmask = 255.255.255.0,
        Framed-Routing = Broadcast-Listen,
        Framed-Filter-Id = "std.ppp",
        Framed-MTU = 1500,
        Framed-Compression = Van-Jacobsen-TCP-IP,
        cisco-avpair = "ip:addr-pool=first",
        cisco-avpair = "ip:rte_fltr_in*12 igrp 109",
        cisco-avpair = "ipx:outacl=812",

steve   Password = "testing",
      Expiration = "Dec 24 1992",
        User-Service-Type = Framed-User,
        Framed-Protocol = PPP,
        Framed-Address = 172.16.3.33,
        Framed-Netmask = 255.255.255.0,
        Framed-Routing = Broadcast-Listen,
        Framed-Filter-Id = "std.ppp",
        Framed-MTU = 1500,
        Framed-Compression = Van-Jacobsen-TCP-IP

#>      Group = "Distant"

toto    Password = "tata"
        User-Service-Type = Login-User,
        Login-Host = 172.16.2.7,
        Login-Service = PortMaster

test01  Password = "pp"
        User-Service-Type = Framed-User,
        Framed-Protocol = PPP,
        Login-Host = 255.255.255.255,
        Dialback-No = "9034584444"

test02    Password = "test02"
        User-Service-Type = Dialback-Framed-User,
        Framed-Protocol = PPP,
        Dialback-No = "0934666666"

#
# Example PPP user with address Assigned by PortMaster
#
Peg     Password = "ge55gep"
        User-Service-Type = Framed-User,
        Framed-Protocol = PPP,
        Framed-Address = 255.255.255.254,
        Framed-Netmask = 255.255.255.255,
        Framed-Routing = None,
        Framed-Compression = Van-Jacobsen-TCP-IP,
        Framed-Filter-Id = "std.ppp.in",
        Framed-MTU = 1500

#
# Example SLIP user with specified address
#
Seg     Password = "ge55ges"
        User-Service-Type = Framed-User,
        Framed-Protocol = SLIP,
        Framed-Address = 192.9.200.129,
        Framed-Netmask = 255.255.255.255,
        Framed-Routing = None,
        Framed-Compression = None,
        Framed-MTU = 1006

#
# Example CSLIP user with specified address
#
Ceg     Password = "ge55gec"
        User-Service-Type = Framed-User,
        Framed-Protocol = SLIP,
        Framed-Address = 192.9.200.130,
        Framed-Netmask = 255.255.255.255,
        Framed-Routing = None,
        Framed-Compression = Van-Jacobsen-TCP-IP,
        Framed-MTU = 1006

#
# Prompt user for host
#
eg      Password = "eg"
        User-Service-Type = Login-User,
#       Login-Host = 255.255.255.255,
#       Login-Service = telnet,
#       Login-TCP-Port = 23


#
# Dial user back and telnet to the default host for that port
#
deg     Password = "deg"
        User-Service-Type = Dialback-Login-User,
        Login-Host = 0.0.0.0,
        Dialback-No = "0134586148",
        Login-Service = Telnet,
        Login-TCP-Port = 23

#DEFAULT Password = "345_TTU2Tr"
#        User-Service-Type = Login-User,
#        Login-Service = Rlogin


I can't figure out what to add to authenticate with the Cisco switch; it fails no matter what I try.
If you could help with an entry, it would be appreciated.

Commented:
username10  LPassword="pass123test"
(tab)     Service-Type = NAS-Prompt-User,
(tab)     cisco-avpair = "shell:priv-lvl=15"


It's necessary to have defined the switch's IP address and shared secret in the RADL server's RADIUS clients list, to have set the switch to use the RADL server as its RADIUS server, and to have RADIUS as an active authentication method on the switch in order to test...
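As an added example (not from this thread or from the RADL software), here is a small Python linter for the users-file format pasted above. It flags the problems the thread turns on: an unknown check item such as "LPassword" on an entry's first line, an Expiration date already in the past, a missing Service-Type reply item, and a username over the 8-character limit the file header states. The attribute grammar it assumes (comma-separated `Name = Value` items, quoted or bare, check items on the first line and reply items on indented lines) is inferred from the pasted file and the expert's entry.

```python
import re
from datetime import date, datetime

# Check items allowed on an entry's first line.  "LPassword" is not one,
# which is why the asker's "john" entry could never match.
CHECK_ITEMS = {"Password", "Expiration"}
ATTR_RE = re.compile(r'([\w-]+)\s*=\s*("[^"]*"|[^,\s]+)')

def parse_users(text):
    """Return [(name, check_items, reply_items)]; items are (attr, value)."""
    entries = []
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        pairs = [(a, v.strip('"')) for a, v in ATTR_RE.findall(line)]
        if line[0] in " \t":                 # indented: reply items
            if entries:
                entries[-1][2].extend(pairs)
        else:                                # column 0: "user  check-items"
            entries.append((line.split(None, 1)[0], pairs, []))
    return entries

def lint(text, today=date(2012, 5, 6)):
    """Return problems as strings; `today` defaults to the thread's date."""
    problems = []
    for name, check, reply in parse_users(text):
        if len(name) > 8 and name != "DEFAULT":   # limit from the file header
            problems.append(f"{name}: username longer than 8 characters")
        for attr, value in check:
            if attr not in CHECK_ITEMS:
                problems.append(f"{name}: unknown check item '{attr}'")
            elif attr == "Expiration" and \
                    datetime.strptime(value, "%b %d %Y").date() < today:
                problems.append(f"{name}: password expired on {value}")
        if not {a for a, _ in reply} & {"Service-Type", "User-Service-Type"}:
            problems.append(f"{name}: no Service-Type reply item")
    return problems

# Constructed sample: the broken "john" entry, an expired one, and the
# switch-admin entry from the answer above (with the stray L removed).
SAMPLE = """\
john    LPassword = "s",
\tService-Type = Framed-User
steve   Password = "testing", Expiration = "Dec 24 1992"
\tUser-Service-Type = Framed-User
username10  Password="pass123test"
\tService-Type = NAS-Prompt-User,
\tcisco-avpair = "shell:priv-lvl=15"
"""
```

Running `lint(SAMPLE)` reports the LPassword entry, the expired account and the over-long username; a clean entry such as the expert's with an 8-character name produces no output.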


Author

Commented:
GREAT, that worked. I had to remove the L in front of Password.

What is the NAS-Prompt user?

Commented:
The service types are defined in RFC 2865:
http://www.ietf.org/rfc/rfc2865.txt

      NAS Prompt          The user should be provided a command prompt
                          on the NAS from which non-privileged commands
                          can be executed.


The default type is generally 'framed', which is for protocols such as PPP or Cisco HDLC. Framed service types are used for IP communications, whereas the "Prompt" service types are used for authenticating to a local command line for device management.
