  • Status: Solved
  • Priority: Medium
  • Security: Public

radius server

I can connect to the RADIUS server but I need setup help; it keeps rejecting the authentication.
Asked by: maxis2cute
1 Solution
 
Mysidia Commented:
We need more information about what you've done and how you want it to work.

Seeing the tags you chose...  Are you trying to authenticate a Cisco device against FreeRADIUS?

What authentication backend are you using, where do you want FreeRADIUS to get users and passwords from?

I.e.
Do you want to build a text database in /etc/raddb/users and specify users and passwords there in the clear, or maybe just users, and pull passwords from somewhere else?
Do you want to authenticate using Unix users and passwords?
Do you have a MySQL database you want to use with the sql backend?


There are numerous ways to set FreeRADIUS up, so we need to know how you want it to work, and what you've done to configure it, i.e. which files did you change, what did you change?

maxis2cute (Author) Commented:
I am using RADL, not FreeRADIUS. This is what it has as a database, a flat text file:
#
#       This file contains security and configuration information
#       for each user.  The first field is the user's name and
#       can be up to 8 characters in length.  This is followed (on
#       the same line) with the list of authentication requirements
#       for that user.  This can include password, comm server name,
#       comm server port number, and an expiration date of the user's
#       password.  When an authentication request is receive from
#       the comm server, these values are tested.  A special user named
#       "DEFAULT" can be created (and should be placed at the end of
#       the user file) to specify what to do with users not contained
#       in the user file.  A special password of "UNIX" can be specified
#       to notify the authentication server to use UNIX password (/etc/passwd)
#       authentication for this user.
#
#       Indented (with the tab character) lines following the first
#       line indicate the configuration values to be passed back to
#       the comm server to allow the initiation of a user session.
#       This can include things like the PPP configuration values
#       or the host to log the user onto.
#>      Group = "Local"
t      Password = "t"
        User-Service-Type = Framed-User,
        Framed-Protocol = PPP,
        Framed-Route = "10.2.3.0/24",
        Framed-Filter-Id = "102.in",
        Framed-Filter-Id = "103.out",
        cisco-avpair = "ip:addr-pool=first",
        cisco-avpair = "ip:rte_fltr_in*12 igrp 109",
        cisco-avpair = "ipx:outacl=812"

$enabl5$      Password = "t"
        User-Service-Type = Framed-User,
        Framed-Protocol = PPP,
        Framed-Route = "10.2.3.0/24",
        Framed-Filter-Id = "102.in",
        Framed-Filter-Id = "103.out",
        cisco-avpair = "ip:addr-pool=first",
        cisco-avpair = "ip:rte_fltr_in*12 igrp 109",
        cisco-avpair = "ipx:outacl=812"

john    LPassword = "s",
        Service-Type = Framed-User,
        Framed-Protocol = PPP,
        Framed-Address = 172.16.3.33,
        Framed-Netmask = 255.255.255.0,
        Framed-Routing = Broadcast-Listen,
        Framed-Filter-Id = "std.ppp",
        Framed-MTU = 1500,
        Framed-Compression = Van-Jacobsen-TCP-IP,
        cisco-avpair = "ip:addr-pool=first",
        cisco-avpair = "ip:rte_fltr_in*12 igrp 109",
        cisco-avpair = "ipx:outacl=812"

steve   Password = "testing", Expiration = "Dec 24 1992"
        User-Service-Type = Framed-User,
        Framed-Protocol = PPP,
        Framed-Address = 172.16.3.33,
        Framed-Netmask = 255.255.255.0,
        Framed-Routing = Broadcast-Listen,
        Framed-Filter-Id = "std.ppp",
        Framed-MTU = 1500,
        Framed-Compression = Van-Jacobsen-TCP-IP

#>      Group = "Distant"

toto    Password = "tata"
        User-Service-Type = Login-User,
        Login-Host = 172.16.2.7,
        Login-Service = PortMaster

test01  Password = "pp"
        User-Service-Type = Framed-User,
        Framed-Protocol = PPP,
        Login-Host = 255.255.255.255,
        Dialback-No = "9034584444"

test02    Password = "test02"
        User-Service-Type = Dialback-Framed-User,
        Framed-Protocol = PPP,
        Dialback-No = "0934666666"

#
# Example PPP user with address Assigned by PortMaster
#
Peg     Password = "ge55gep"
        User-Service-Type = Framed-User,
        Framed-Protocol = PPP,
        Framed-Address = 255.255.255.254,
        Framed-Netmask = 255.255.255.255,
        Framed-Routing = None,
        Framed-Compression = Van-Jacobsen-TCP-IP,
        Framed-Filter-Id = "std.ppp.in",
        Framed-MTU = 1500

#
# Example SLIP user with specified address
#
Seg     Password = "ge55ges"
        User-Service-Type = Framed-User,
        Framed-Protocol = SLIP,
        Framed-Address = 192.9.200.129,
        Framed-Netmask = 255.255.255.255,
        Framed-Routing = None,
        Framed-Compression = None,
        Framed-MTU = 1006

#
# Example CSLIP user with specified address
#
Ceg     Password = "ge55gec"
        User-Service-Type = Framed-User,
        Framed-Protocol = SLIP,
        Framed-Address = 192.9.200.130,
        Framed-Netmask = 255.255.255.255,
        Framed-Routing = None,
        Framed-Compression = Van-Jacobsen-TCP-IP,
        Framed-MTU = 1006

#
# Prompt user for host
#
eg      Password = "eg"
        User-Service-Type = Login-User,
#       Login-Host = 255.255.255.255,
#       Login-Service = telnet,
#       Login-TCP-Port = 23


#
# Dial user back and telnet to the default host for that port
#
deg     Password = "deg"
        User-Service-Type = Dialback-Login-User,
        Login-Host = 0.0.0.0,
        Dialback-No = "0134586148",
        Login-Service = Telnet,
        Login-TCP-Port = 23

#DEFAULT Password = "345_TTU2Tr"
#        User-Service-Type = Login-User,
#        Login-Service = Rlogin


I can't figure out what to add to authenticate with the Cisco switch; it fails no matter what I try.
If you could help with an entry it would be appreciated.

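As an added example (not part of the original thread, and not RADL's own code), here is a small Python parser for the users-file format shown above, together with the check-item evaluation a server performs on an incoming request: the first line of an entry carries the check items (Password, Expiration), tab-indented lines carry reply items, a trailing comma continues the reply list, and DEFAULT catches users that are not listed. The sample entries, the `admin` user, and all function names are constructed for this example.

```python
"""Parser for a Livingston-style RADIUS 'users' file (the format RADL reads), plus
the check-item evaluation a server does against it.  Unknown check items and the
'UNIX' password special fail closed rather than being silently accepted."""
import re
from datetime import datetime

# Constructed sample in the same layout as the posted file (not the poster's data).
SAMPLE_USERS = '''\
#>      Group = "Local"
steve   Password = "testing", Expiration = "Dec 24 1992"
\tUser-Service-Type = Framed-User,
\tFramed-Protocol = PPP

admin   Password = "pass123test"
\tService-Type = NAS-Prompt-User,
\tcisco-avpair = "shell:priv-lvl=15"

DEFAULT Password = "345_TTU2Tr"
\tUser-Service-Type = Login-User,
\tLogin-Service = Rlogin
'''

# name = "quoted value"  or  name = bare-value, each optionally followed by a comma
ITEM_RE = re.compile(r'\s*([\w-]+)\s*=\s*(?:"([^"]*)"|([^,]+))\s*,?')


def parse_items(text):
    """'A = "x", B = y' -> [('A', 'x'), ('B', 'y')]; repeated names (cisco-avpair) are kept."""
    return [(m.group(1), m.group(2) if m.group(2) is not None else m.group(3).strip())
            for m in ITEM_RE.finditer(text)]


def parse_users(text):
    """Return [(username, check_items, reply_items)] in file order."""
    entries = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.lstrip().startswith('#'):
            continue                      # blank line, comment, or '#>' group marker
        if line[0] in ' \t':              # indented: reply items for the current user
            if not entries:
                raise ValueError('line %d: reply item before any user line' % lineno)
            entries[-1][2].extend(parse_items(line))
        else:                             # user line: name, then the check items
            name, rest = (line.split(None, 1) + [''])[:2]
            entries.append((name, parse_items(rest), []))
    return entries


def _date(value):
    """Accept a datetime or a date string in the file's 'Dec 24 1992' form."""
    return value if isinstance(value, datetime) else datetime.strptime(value, '%b %d %Y')


def authenticate(entries, username, password, today=None):
    """Evaluate the check items; return (accepted, reply_items).  First match wins,
    DEFAULT is used when the user is absent, and anything not understood rejects."""
    entry = (next((e for e in entries if e[0] == username), None)
             or next((e for e in entries if e[0] == 'DEFAULT'), None))
    if entry is None:
        return False, []
    now = _date(today) if today else datetime.now()
    for name, value in entry[1]:
        if name == 'Password' and value != 'UNIX' and value == password:
            continue
        if name == 'Expiration' and now <= _date(value):
            continue
        return False, []                  # wrong password, expired, UNIX, or unknown item
    return True, list(entry[2])


if __name__ == '__main__':
    users = parse_users(SAMPLE_USERS)
    print(authenticate(users, 'admin', 'pass123test'))
    print(authenticate(users, 'steve', 'testing'))   # expired in 1992: rejected
```

Running it shows the distinction the file header describes: `admin` is accepted and gets its reply items back, while `steve` is rejected today because the Expiration check item on the first line has passed.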
Mysidia Commented:
username10  LPassword="pass123test"
(tab)     Service-Type = NAS-Prompt-User,
(tab)     cisco-avpair = "shell:priv-lvl=15"


It's necessary to have defined an IP address and secret in the RADIUS clients list, to have the switch set to use the RADL server as a RADIUS server, and to have RADIUS as an active authentication method on the switch in order to test...
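As an added example (not from the original reply, and not RADL's or Cisco's code), the RFC 2865 exchange that entry produces, built and checked in memory with Python: the switch side constructs an Access-Request with the PAP password hidden under the shared secret, a minimal server recovers and compares the password and answers with Service-Type = NAS-Prompt-User plus the Cisco `shell:priv-lvl=15` vendor attribute, and the switch side recomputes the Response Authenticator before trusting the reply. The shared secret, the `username10` credentials as the server would hold them, and all function names are assumptions for this example. The only protection for the password and the reply on the wire is MD5 keyed with that shared secret, which is why the NAS-to-server path should be a trusted network and why the secret in the clients list must match the one configured on the switch.

```python
"""Offline RFC 2865 PAP exchange for the users entry above.  The NAS (switch) side
builds an Access-Request, a minimal server checks the password and answers with
Service-Type = NAS-Prompt-User plus the Cisco shell:priv-lvl=15 VSA, and the NAS
verifies the Response Authenticator before acting on the reply."""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, SERVICE_TYPE, VENDOR_SPECIFIC = 1, 2, 6, 26
NAS_PROMPT_USER = 7       # Service-Type value, RFC 2865 section 5.6
CISCO_VENDOR_ID = 9       # IANA enterprise number for Cisco
CISCO_AVPAIR = 1          # Cisco VSA sub-type that carries "shell:priv-lvl=15"

# Constructed: the credentials from the entry above as the server holds them, and an
# assumed shared secret (it has to equal the key configured on the switch).
USERS = {b"username10": b"pass123test"}
SECRET = b"example-shared-secret"


def hide_password(password, secret, authenticator):
    """RFC 2865 5.2: pad to a 16-byte multiple, XOR each block with MD5(secret + previous block)."""
    padded = password + b"\x00" * (max(16, -(-len(password) // 16) * 16) - len(password))
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out += prev
    return out


def unhide_password(hidden, secret, authenticator):
    """Inverse of hide_password; the chaining value is the previous hidden block."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], key))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def avp(attr_type, value):
    return struct.pack("!BB", attr_type, 2 + len(value)) + value


def cisco_avpair(text):
    """Vendor-Specific (26) wrapping Cisco's cisco-avpair (vendor 9, sub-type 1)."""
    return avp(VENDOR_SPECIFIC, struct.pack("!I", CISCO_VENDOR_ID) + avp(CISCO_AVPAIR, text.encode()))


def parse_attrs(data):
    attrs, i = [], 0
    while i < len(data):
        length = data[i + 1]
        if length < 2 or i + length > len(data):
            raise ValueError("malformed attribute")
        attrs.append((data[i], data[i + 2:i + length]))
        i += length
    return attrs


def build_access_request(username, password, secret, ident=1):
    """NAS side.  The Request Authenticator must be unpredictable: it keys the password hiding."""
    req_auth = os.urandom(16)
    attrs = avp(USER_NAME, username) + avp(USER_PASSWORD, hide_password(password, secret, req_auth))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + req_auth + attrs, req_auth


def serve(request, secret, users):
    """Server side: recover the PAP password, compare it, sign the reply with the Response Authenticator."""
    code, ident, length = struct.unpack("!BBH", request[:4])
    req_auth, attrs = request[4:20], dict(parse_attrs(request[20:length]))
    expected = users.get(attrs.get(USER_NAME))
    accepted = (code == ACCESS_REQUEST and expected is not None and USER_PASSWORD in attrs
                and hmac.compare_digest(expected, unhide_password(attrs[USER_PASSWORD], secret, req_auth)))
    if accepted:
        code = ACCESS_ACCEPT
        reply = avp(SERVICE_TYPE, struct.pack("!I", NAS_PROMPT_USER)) + cisco_avpair("shell:priv-lvl=15")
    else:
        code, reply = ACCESS_REJECT, b""
    head = struct.pack("!BBH", code, ident, 20 + len(reply))
    return head + hashlib.md5(head + req_auth + reply + secret).digest() + reply


def verify_response(response, req_auth, secret):
    """NAS side: MD5(Code+ID+Length+RequestAuth+Attributes+Secret) must match, else the reply is forged or corrupt."""
    head, got, attrs = response[:4], response[4:20], response[20:]
    return hmac.compare_digest(hashlib.md5(head + req_auth + attrs + secret).digest(), got)


def decode_reply(response):
    """(code, service_type, [cisco-avpair strings]) from an Access-Accept or Access-Reject."""
    service_type, avpairs = None, []
    for attr_type, value in parse_attrs(response[20:]):
        if attr_type == SERVICE_TYPE:
            service_type = struct.unpack("!I", value)[0]
        elif attr_type == VENDOR_SPECIFIC and struct.unpack("!I", value[:4])[0] == CISCO_VENDOR_ID:
            avpairs += [v.decode() for t, v in parse_attrs(value[4:]) if t == CISCO_AVPAIR]
    return response[0], service_type, avpairs


def login(username, password, secret=SECRET, users=USERS):
    """Run the whole exchange in memory and return the decoded result."""
    request, req_auth = build_access_request(username, password, secret)
    response = serve(request, secret, users)
    if not verify_response(response, req_auth, secret):
        raise ValueError("Response Authenticator mismatch: wrong shared secret or tampered reply")
    return decode_reply(response)


if __name__ == "__main__":
    print(login(b"username10", b"pass123test"))   # (2, 7, ['shell:priv-lvl=15'])
    print(login(b"username10", b"wrong"))          # (3, None, [])
```

A mismatched secret shows up in two places: the server recovers garbage for the password and rejects, and the switch side cannot verify the Response Authenticator, which is the same symptom as a switch that is pointed at a server whose clients list has the wrong key.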
maxis2cute (Author) Commented:
GREAT, that worked. I had to remove the L in front of Password.

What is the NAS-Prompt user?

Mysidia Commented:
The service types are listed in RFC 2865:
http://www.ietf.org/rfc/rfc2865.txt

      NAS Prompt          The user should be provided a command prompt
                          on the NAS from which non-privileged commands
                          can be executed.

The default type is generally 'Framed', which is for protocols such as PPP or Cisco HDLC. Framed protocols are used for IP communications, whereas "Prompt" service types are used for authenticating to access a local command line for device management.
