
List:       cistron-radius
Subject:    Cisco IOS12.1(2)T / Network Authorization
From:       Horia Chirculescu <horia () ct2 ! eltop ! ro>
Date:       2001-02-27 15:02:02

If I configure the router to use radius for authentication
(aaa authorization network default group radius), nobody can start a ppp
session anymore.
Debugging info: (with: 
                aaa authorization is on
                aaa per-user is on
                )


AAA/AUTHOR/PPP: send AV service=ppp
                send AV protocol=ip
 ...            send AV routing*true
 ...            found list "default"
 ...            Method=radius (radius)
AAA/AUTHOR      Post authorization status=FAIL
AAA/AUTHOR/SLIP Async13 : denied


And the interface goes down.

I attached the users file from radiusd-cistron (1.6.4) that I currently
use.

All of that is to set up an e-mail only account (and a lot of other things
can be made with virtual profiles...)

Any ideas?


Have a nice day!



                           ____    ____    o           ~ 
               //     //  / __ \  //   \  // //''''  //\\
              //_____//  / / / / //___ / // //      //  \\
             //     //  / /_/ / // \    // //      //____\\ 
            //     //   \____/ //   \  //  \\.... //      \\
 ------------------------------------------------------------------------
                          Comtec Net Romania
           ----------------------------------------------------
         WEB: www.eltop.ro IRC: irc.eltop.ro NEWS: news.eltop.ro
           ----------------------------------------------------
                    Horia Chirculescu root@eltop.ro
                         Mobil: +40 93 205 086


["users" (TEXT/PLAIN)]

#
#	This file contains security and configuration information
#	for each user.  The first field is the user's name and
#	can be up to 8 characters in length.  This is followed (on
#	the same line) with the list of authentication requirements
#	for that user.  This can include password, comm server name,
#	comm server port number, protocol type (perhaps set by the "hints"
#	file), and huntgroup name (set by the "huntgroups" file).
#
#	When an authentication request is received from the comm server,
#	these values are tested. Only the first match is used unless the
#	"Fall-Through" variable is set to "Yes".
#
#	A special user named "DEFAULT" matches on all usernames.
#	You can have several DEFAULT entries. All entries are processed
#	in the order they appear in this file. The first entry that
#	matches the login-request will stop processing unless you use
#	the Fall-Through variable.
#
#	If you use the database support to turn this file into a .db or .dbm
#	file, the DEFAULT entries _have_ to be at the end of this file and
#	you can't have multiple entries for one username.
#
#	You don't need to specify a password if you set Auth-Type = System
#	on the list of authentication requirements. The RADIUS server
#	will then check the system password file.
#
#	Indented (with the tab character) lines following the first
#	line indicate the configuration values to be passed back to
#	the comm server to allow the initiation of a user session.
#	This can include things like the PPP configuration values
#	or the host to log the user onto.
#
#	You can include another `users' file with `$INCLUDE users.other'
#

#
# This is a complete entry for "horia". Note that there is no Fall-Through
# entry so that no DEFAULT entry will be used.
#
#horia	Auth-Type = Local, Password = "horia"
#	Service-Type = Framed-User,
#	Framed-Protocol = PPP,
#	Framed-IP-Address = 172.16.3.33,
#	Framed-IP-Netmask = 255.255.255.0,
#	Framed-Routing = Broadcast-Listen,
#	Framed-MTU = 1500,
#	Framed-Compression = Van-Jacobson-TCP-IP,
#	Fall-Through = 1

#
############### Mail user...
############### Must be a member of group 80
#email		Auth-Type = System
#		Framed-Filter-Id = "160.in"
#		Framed-Filter-Id = "161.out"
#		Fall-Through = 1

############### Night user...
############### Must be a member of group 70
#noapte		Auth-Type = System, Group = "bluenight"
#		Fall-Through = 1

#
#
#
# The rest of this file contains the several DEFAULT entries.
# DEFAULT entries match with all login names.
# Note that DEFAULT entries can also Fall-Through (see first entry).
# A name-value pair from a DEFAULT entry will _NEVER_ override
# an already existing name-value pair.
#

#
# First setup all accounts to be checked against the UNIX /etc/passwd.
# (Unless a password was already given earlier in this file).
#

# A group that is not allowed to log in...
#
DEFAULT Group = "neplata",  Auth-Type = Reject
	Reply-Message = "Datorita neplatii, nu aveti acces in reteaua noastra!",
	Fall-Through = 0

DEFAULT	Auth-Type = System
	Fall-Through = 1

DEFAULT Simultaneous-Use = 1
	Fall-Through = 1

################ From here on, /etc/group is correlated with the subscription types

DEFAULT Group = "bluenight", Login-Time = "Mo-Su 2300-0700"
	Fall-Through = 1

DEFAULT Group = "weekend", Login-Time = "Sa-Su 0800-2000"
	Fall-Through = 1

DEFAULT Group = "worktime", Login-Time = "Mo-Su 0900-1500"
	Fall-Through = 1

DEFAULT Group = "mailonly"
	Service-Type = Framed-User,
	Framed-Protocol = PPP,
########Filter-Id = "160.in",
# One Cisco-AVPair per ACL entry, numbered in the order the NAS should apply them.
	Cisco-AVPair = "ip:inacl#1=permit udp any host 194.153.230.200 eq domain",
	Cisco-AVPair = "ip:inacl#2=permit tcp any host 194.153.230.200 eq domain",
	Cisco-AVPair = "ip:inacl#3=permit ip any host 194.254.230.245 log",
	Cisco-AVPair = "ip:inacl#4=deny ip any any",
	Fall-Through = 0

#
# Defaults for all framed connections.
#
#DEFAULT	Service-Type = Framed-User
#	Framed-Protocol = PPP,
##	Framed-IP-Address = 194.153.230.160+,
#	Framed-IP-Netmask = 255.255.255.128,
#	Framed-Routing = Broadcast-Listen,
#	Framed-MTU = 576,
#	Framed-Compression = Van-Jacobson-TCP-IP,
#	Service-Type = Framed-User,
#	Fall-Through = Yes

# Set up different IP address pools for the terminal servers.
# Note that the "+" behind the IP address means that this is the "base"
# IP address. The Port-Id (S0, S1 etc) will be added to it.
#
#DEFAULT	Service-Type = Framed-User, Huntgroup-Name = "cisco"
#		Framed-IP-Address = 194.153.230.160+,
#		Fall-Through = Yes
#
#DEFAULT	Service-Type = Framed-User, Huntgroup-Name = "ciscoplus"
#		Framed-IP-Address = 194.153.230.176+,
#		Fall-Through = Yes

#
# Default for PPP: dynamic IP address, PPP mode, VJ-compression.
# NOTE: we do not use Hint = "PPP", since PPP might also be auto-detected
#	by the terminal server in which case there may not be a "P" suffix.
#	The terminal server sends "Framed-Protocol = PPP" for auto PPP.
#
DEFAULT	Framed-Protocol = PPP
	Framed-Protocol = PPP,
	Framed-Compression = Van-Jacobson-TCP-IP

#
# Default for CSLIP: dynamic IP address, SLIP mode, VJ-compression.
#
DEFAULT	Hint = "CSLIP"
	Framed-Protocol = SLIP,
	Framed-Compression = Van-Jacobson-TCP-IP

#
# Default for SLIP: dynamic IP address, SLIP mode.
#
DEFAULT	Hint = "SLIP"
	Framed-Protocol = SLIP

# On no match, the user is denied access.


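As an added example (not code from the original post or from radiusd-cistron), here is a small evaluator for the matching rules the attached users file's header describes: entries are tried in order, the first match stops unless Fall-Through continues, and a later DEFAULT never overrides an attribute already set. It runs over a constructed excerpt modelled on the attachment; GROUPS is a hypothetical in-memory stand-in for the /etc/group lookup, and treating Auth-Type as first-set-wins is an assumption.

```python
# Added example (not from the original post or radiusd-cistron): an evaluator for the
# DEFAULT / Fall-Through / never-override rules in the attached users file's header.
import re
USERS_TEXT = '''
DEFAULT Group = "neplata", Auth-Type = Reject
\tReply-Message = "Datorita neplatii, nu aveti acces in reteaua noastra!"
DEFAULT\tAuth-Type = System
\tFall-Through = 1
DEFAULT Group = "mailonly"
\tService-Type = Framed-User, Framed-Protocol = PPP,
\tCisco-AVPair = "ip:inacl#1=permit udp any host 194.153.230.200 eq domain"
DEFAULT\tFramed-Protocol = PPP
\tFramed-Protocol = PPP, Framed-Compression = Van-Jacobson-TCP-IP
'''
GROUPS = {"neplata": {"dan"}, "mailonly": {"email"}}   # constructed stand-in for /etc/group
PAIR = re.compile(r'([\w-]+)\s*=\s*("[^"]*"|[^,\n]+)')

def parse_pairs(text):
    return [(k, v.strip().strip('"')) for k, v in PAIR.findall(text)]

def parse_users(text):
    entries = []                                 # [(name, check_items, reply_items)]
    for line in filter(str.strip, text.splitlines()):
        if line[0] in " \t":                     # indented line: reply items
            entries[-1][2].extend(parse_pairs(line))
        else:                                    # "name check-items" line
            name, rest = (line.split(None, 1) + [""])[:2]
            entries.append((name, parse_pairs(rest), []))
    return entries

def matches(key, val, request):
    if key == "Group":
        return request["User-Name"] in GROUPS.get(val, set())
    return key not in ("Framed-Protocol", "Hint") or request.get(key) == val

def evaluate(entries, request):
    """Walk entries in order; the first match stops unless Fall-Through continues."""
    auth_type, reply = None, {}
    for name, check, items in entries:
        if name not in ("DEFAULT", request["User-Name"]) or not all(
                matches(k, v, request) for k, v in check):
            continue
        auth_type = auth_type or dict(check).get("Auth-Type")   # assumption: first wins
        fall = dict(items).get("Fall-Through", "0")             # default: no fall-through
        for k, v in items:
            if k != "Fall-Through":
                reply.setdefault(k, v)                          # never overrides an earlier pair
        if fall not in ("1", "Yes"):
            break
    return auth_type, reply
```

Tracing a plain PPP user through this excerpt yields a reply with Framed-Protocol and Framed-Compression but no Service-Type, whereas the mailonly entry returns one; comparing replies per user class this way is a quick check when the NAS logs an authorization FAIL.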

