Step 1: Cisco 2960 Configuration
On the Cisco 2960S, the AAA and RADIUS configuration:

aaa authentication login default group radius local
aaa authentication enable default group radius enable
aaa authorization exec default group radius local
radius-server host 10.94.200.14 auth-port 1812 acct-port 1646 key cisco

Two things to check before applying this. The "local" fallback on the login and exec-authorization lists only helps if a local username exists, so create one and keep a console session open while testing, or an unreachable RADIUS server locks you out. The auth-port and key must match what TekRADIUS listens on and is configured with; a shared-secret mismatch shows up as an Access-Reject or a timeout rather than a clear error. The key "cisco" is a lab value; use a long random secret in production.
Step 2: TekRADIUS LT Server Configuration
On the TekRADIUS server, add three attributes to the user profile:

Attribute       Type           Value
User-Password   Check          the user's password
cisco-avpair    Success Reply  shell:priv-lvl=15
Service-Type    Success Reply  NAS-Prompt

- User-Password, Check type: the value is the user's password, which the server compares against the hidden User-Password in the switch's Access-Request.
- cisco-avpair, Success Reply type: shell:priv-lvl=15 is a Cisco vendor-specific attribute (vendor id 9) returned in the Access-Accept; the switch only applies it during exec authorization, which is why the "aaa authorization exec" line in Step 1 matters.
- Service-Type, Success Reply type: NAS-Prompt (Service-Type value 7) tells the switch to give the user a command prompt; the privilege level of that prompt comes from the cisco-avpair.
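The exchange these two steps set up, as an added Python example that is not part of the original post nor code from TekRADIUS or Cisco IOS. It builds the same Access-Request the Step 3 debug shows (94 bytes), answers it with the two Step 2 reply attributes (51 bytes), hides and checks User-Password the way RFC 2865 specifies, and on the switch side verifies the Response Authenticator against the shared secret before trusting priv-lvl. The secret "cisco" and user "john" come from the post; the password in USERS, the ident value 6 and all function names are this example's own assumptions.

```python
"""RADIUS exchange between the 2960 (NAS) and the server, both sides, stdlib only.

Added example, not code from the original post or from TekRADIUS/Cisco IOS.
Assumed: shared secret "cisco" (the post's radius-server line), user "john",
a constructed password in USERS, ident 6 (the debug's id 1645/6).
Attribute numbers follow RFC 2865; the Cisco VSA uses vendor id 9, sub-type 1.
"""
import hashlib
import hmac
import os
import struct

SECRET = b"cisco"
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS, NAS_PORT, SERVICE_TYPE = 1, 2, 4, 5, 6
REPLY_MESSAGE, VENDOR_SPECIFIC, CALLING_STATION_ID, NAS_PORT_TYPE, NAS_PORT_ID = 18, 26, 31, 61, 87
CISCO_VENDOR_ID, CISCO_AVPAIR, NAS_PROMPT = 9, 1, 7
USERS = {"john": "Lab-Pa55word"}  # constructed: the TekRADIUS User-Password check value


def avp(attr_type, value):
    return bytes([attr_type, len(value) + 2]) + value  # type, length (incl. header), value


def cisco_avpair(text):
    """Vendor-Specific(26) -> vendor 9 -> sub-attribute 1 (cisco-avpair)."""
    return avp(VENDOR_SPECIFIC, struct.pack("!I", CISCO_VENDOR_ID) + avp(CISCO_AVPAIR, text.encode()))


def xor_blocks(data, authenticator, secret, chain_on_output):
    """RFC 2865 s5.2: b1 = MD5(secret + RequestAuth), c1 = p1 XOR b1, b_i = MD5(secret + c_(i-1)).
    Hiding chains on the output blocks, revealing on the input (ciphertext) blocks."""
    out, prev = b"", authenticator
    for i in range(0, len(data), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(a ^ b for a, b in zip(data[i:i + 16], key))
        out += block
        prev = block if chain_on_output else data[i:i + 16]
    return out


def hide_password(password, authenticator, secret=SECRET):
    pw = password.encode()
    return xor_blocks(pw + b"\x00" * (-len(pw) % 16), authenticator, secret, True)


def reveal_password(hidden, authenticator, secret=SECRET):
    return xor_blocks(hidden, authenticator, secret, False).rstrip(b"\x00")


def packet(code, ident, authenticator, attrs):
    body = b"".join(attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + authenticator + body


def parse(pkt):
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    attrs, pos = [], 20
    while pos < length:
        atype, alen = pkt[pos], pkt[pos + 1]
        if alen < 2:
            raise ValueError("malformed attribute")
        attrs.append((atype, pkt[pos + 2:pos + alen]))
        pos += alen
    return code, ident, pkt[4:20], attrs


def build_access_request(user, password, ident=6):
    """NAS side: the same attribute set the debug shows, 94 bytes on the wire."""
    req_auth = os.urandom(16)
    attrs = [
        avp(USER_NAME, user.encode()),
        avp(REPLY_MESSAGE, b"Password: "),
        avp(USER_PASSWORD, hide_password(password, req_auth)),
        avp(NAS_PORT, struct.pack("!I", 2)),
        avp(NAS_PORT_ID, b"tty2"),
        avp(NAS_PORT_TYPE, struct.pack("!I", 5)),  # 5 = Virtual
        avp(CALLING_STATION_ID, b"10.94.200.14"),
        avp(NAS_IP_ADDRESS, bytes([10, 94, 200, 11])),
    ]
    return packet(ACCESS_REQUEST, ident, req_auth, attrs)


def server_reply(request, users=USERS, secret=SECRET):
    """Server side: check User-Password, answer with the two Step 2 reply attributes.
    Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attributes+Secret)."""
    _, ident, req_auth, attrs = parse(request)
    fields = dict(attrs)
    user = fields[USER_NAME].decode(errors="replace")
    good = user in users and hmac.compare_digest(
        reveal_password(fields[USER_PASSWORD], req_auth, secret), users[user].encode())
    code = ACCESS_ACCEPT if good else ACCESS_REJECT
    reply = [cisco_avpair("shell:priv-lvl=15"),
             avp(SERVICE_TYPE, struct.pack("!I", NAS_PROMPT))] if good else []
    unsigned = packet(code, ident, req_auth, reply)
    return unsigned[:4] + hashlib.md5(unsigned + secret).digest() + unsigned[20:]


def nas_authorize(response, req_auth, secret=SECRET):
    """Switch side: drop the reply unless its authenticator matches the shared secret,
    then extract the AVs that the AAA/AUTHOR/EXEC debug lines process."""
    expected = hashlib.md5(response[:4] + req_auth + response[20:] + secret).digest()
    if not hmac.compare_digest(expected, response[4:20]):
        raise ValueError("Response Authenticator mismatch: wrong secret or forged reply")
    code, _, _, attrs = parse(response)
    if code != ACCESS_ACCEPT:
        return None
    result = {"priv_lvl": None, "service_type": None}
    for atype, value in attrs:
        if atype == SERVICE_TYPE:
            result["service_type"] = struct.unpack("!I", value)[0]
        elif atype == VENDOR_SPECIFIC and struct.unpack("!I", value[:4])[0] == CISCO_VENDOR_ID:
            sub_type, sub_len = value[4], value[5]
            text = value[6:4 + sub_len].decode(errors="replace")
            if sub_type == CISCO_AVPAIR and text.startswith("shell:priv-lvl="):
                result["priv_lvl"] = int(text.split("=", 1)[1])
    return result
```

The authenticator check in nas_authorize is the part that matters for security: a reply that does not verify is exactly what a wrong "key" on either side, or a spoofed Access-Accept from someone on the management network, produces, and the switch must refuse it rather than hand out privilege level 15 on the strength of the attributes alone.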
Step 3: Troubleshooting

Enable debugging on the Cisco 2960S:

debug aaa authentication
debug aaa authorization
debug radius

In the output below, the "dropping service type ... is off" line is informational: it only means the switch does not put a Service-Type attribute into its own Access-Request. The server's Access-Accept does come back with shell:priv-lvl=15 and Service-Type NAS Prompt, so authentication and the reply attributes are fine; the line to look at is the last one, where the switch skips exec authorization because no method list is in effect.
*Jan  6 01:41:42.421: %SEC-6-IPACCESSLOGP: list 101 permitted tcp 10.94.200.14(58485) -> 0.0.0.0(22), 1 packet
*Jan  6 01:41:42.652: AAA/BIND(00000073): Bind i/f
*Jan  6 01:41:42.652: AAA/AUTHEN/LOGIN (00000073): Pick method list 'default'
*Jan  6 01:41:42.652: RADIUS/ENCODE(00000073): ask "Password: "
*Jan  6 01:41:42.652: RADIUS/ENCODE(00000073):Orig. component type = EXEC
*Jan  6 01:41:42.652: RADIUS/ENCODE(00000073): dropping service type, "radius-server attribute 6 on-for-login-auth" is off
*Jan  6 01:41:42.652: RADIUS(00000073): Config NAS IP: 0.0.0.0
*Jan  6 01:41:42.652: RADIUS/ENCODE(00000073): acct_session_id: 804
*Jan  6 01:41:42.652: RADIUS(00000073): sending
*Jan  6 01:41:42.657: RADIUS/ENCODE: Best Local IP-Address 10.94.200.11 for Radius-Server 10.94.200.14
*Jan  6 01:41:42.657: RADIUS(00000073): Send Access-Request to 10.94.200.14:1812 id 1645/6, len 94
*Jan  6 01:41:42.657: RADIUS:  authenticator D0 DC 3F 5D 42 8B 88 B4 - 8F 6F C1 A4 57 3B 03 5A
*Jan  6 01:41:42.657: RADIUS:  User-Name      [1]  6  "john"
*Jan  6 01:41:42.657: RADIUS:  Reply-Message    [18]  12
*Jan  6 01:41:42.657: RADIUS:  50 61 73 73 77 6F 72 64 3A 20     [ Password: ]
*Jan  6 01:41:42.657: RADIUS:  User-Password    [2]  18  *
*Jan  6 01:41:42.657: RADIUS:  NAS-Port       [5]  6  2
*Jan  6 01:41:42.657: RADIUS:  NAS-Port-Id     [87]  6  "tty2"
*Jan  6 01:41:42.657: RADIUS:  NAS-Port-Type    [61]  6  Virtual          [5]
*Jan  6 01:41:42.657: RADIUS:  Calling-Station-Id  [31]  14  "10.94.200.14"
*Jan  6 01:41:42.657: RADIUS:  NAS-IP-Address    [4]  6  10.94.200.11
*Jan  6 01:41:42.657: RADIUS(00000073): Started 5 sec timeout
*Jan  6 01:41:42.678: RADIUS: Received from id 1645/6 10.94.200.14:1812, Access-Accept, len 51
*Jan  6 01:41:42.683: RADIUS:  authenticator 13 17 D3 26 DD 33 00 94 - 5B 16 E5 9B EA 5F F4 94
*Jan  6 01:41:42.683: RADIUS:  Vendor, Cisco    [26]  25
*Jan  6 01:41:42.683: RADIUS:  Cisco AVpair    [1]  19  "shell:priv-lvl=15"
GDCM-CSWP2003#
*Jan  6 01:41:42.683: RADIUS:  Service-Type     [6]  6  NAS Prompt         [7]
*Jan  6 01:41:42.683: RADIUS(00000073): Received from id 1645/6
*Jan  6 01:41:42.709: AAA/AUTHOR (00000073): Method list id=0 not configured. Skip author
Step 4: Solution

After a quick search, the missing piece turned out to be exec authorization: the switch accepted the Access-Accept and saw shell:priv-lvl=15, but with no exec authorization method list in effect ("Method list id=0 not configured. Skip author") it never applied the privilege level. The fix is to apply exec authorization to the vty lines:

line vty 0 4
 authorization exec AUTH

and to define the method list:

aaa authorization exec default group radius

A named list such as AUTH referenced on the vty lines must itself be defined with "aaa authorization exec AUTH ..." before it does anything; lines with no "authorization exec" statement use the default list automatically, so defining the default list alone also covers the vty lines.

After putting those commands in, it works, as the second capture shows: AAA/AUTHOR/EXEC now processes priv-lvl=15 and reports "Authorization successful".
------------------------------------
(config)#
*Jan  6 01:46:48.002: %SEC-6-IPACCESSLOGP: list 101 permitted tcp 10.94.200.14(58484) -> 0.0.0.0(22), 1 packet
*Jan  6 01:46:48.002: %SEC-6-IPACCESSLOGP: list 101 permitted tcp 10.94.200.14(58485) -> 0.0.0.0(22), 1 packet
GDCM-CSWP2003(config)#
*Jan  6 01:46:54.745: %SEC-6-IPACCESSLOGP: list 101 permitted tcp 10.94.200.14(58488) -> 0.0.0.0(22), 1 packet
*Jan  6 01:46:54.986: AAA/BIND(00000074): Bind i/f
*Jan  6 01:46:54.986: AAA/AUTHEN/LOGIN (00000074): Pick method list 'default'
*Jan  6 01:46:54.986: RADIUS/ENCODE(00000074): ask "Password: "
*Jan  6 01:46:54.986: RADIUS/ENCODE(00000074):Orig. component type = EXEC
*Jan  6 01:46:54.986: RADIUS/ENCODE(00000074): dropping service type, "radius-server attribute 6 on-for-login-auth" is off
*Jan  6 01:46:54.986: RADIUS(00000074): Config NAS IP: 0.0.0.0
*Jan  6 01:46:54.986: RADIUS/ENCODE(00000074): acct_session_id: 811
*Jan  6 01:46:54.986: RADIUS(00000074): sending
*Jan  6 01:46:54.986: RADIUS/ENCODE: Best Local IP-Address 10.94.200.11 for Radius-Server 10.94.200.14
*Jan  6 01:46:54.986: RADIUS(00000074): Send Access-Request to 10.94.200.14:1812 id 1645/7, len 94
*Jan  6 01:46:54.986: RADIUS:  authenticator EF 99 98 AD D5 BC BA E7 - 86 24 59 93 C3 B3 FF 3A
*Jan  6 01:46:54.986: RADIUS:  User-Name      [1]  6  "john"
*Jan  6 01:46:54.986: RADIUS:  Reply-Message    [18]  12
*Jan  6 01:46:54.986: RADIUS:  50 61 73 73 77 6F 72 64 3A 20     [ Password: ]
*Jan  6 01:46:54.986: RADIUS:  User-Password    [2]  18  *
*Jan  6 01:46:54.986: RADIUS:  NAS-Port       [5]  6  2
*Jan  6 01:46:54.991: RADIUS:  NAS-Port-Id     [87]  6  "tty2"
*Jan  6 01:46:54.991: RADIUS:  NAS-Port-Type    [61]  6  Virtual          [5]
*Jan  6 01:46:54.991: RADIUS:  Calling-Station-Id  [31]  14  "10.94.200.14"
*Jan  6 01:46:54.991: RADIUS:  NAS-IP-Address    [4]  6  10.94.200.11
*Jan  6 01:46:54.991: RADIUS(00000074): Started 5 sec timeout
*Jan  6 01:46:55.002: RADIUS: Received from id 1645/7 10.94.200.14:1812, Access-Accept, len 51
*Jan  6 01:46:55.002: RADIUS:  authenticator 64 86 20 C2 B9 D4 32 24 - D8 24 1C 41 64 85 BF 20
*Jan  6 01:46:55.002: RADIUS:  Vendor, Cisco    [26]  25
*Jan  6 01:46:55.002: RADIUS:  Cisco AVpair    [1]  19  "shell:priv-lvl=15"
GDCM-CSWP2003(config)#
*Jan  6 01:46:55.002: RADIUS:  Service-Type     [6]  6  NAS Prompt         [7]
*Jan  6 01:46:55.002: RADIUS(00000074): Received from id 1645/7
*Jan  6 01:46:55.028: AAA/AUTHOR/EXEC(00000074): processing AV priv-lvl=15
*Jan  6 01:46:55.028: AAA/AUTHOR/EXEC(00000074): processing AV service-type=7
*Jan  6 01:46:55.028: AAA/AUTHOR/EXEC(00000074): Authorization successful
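Reading the two captures above by hand works for one login; for a switch with many vty sessions it helps to let a script do the correlation. The following is an added Python example, not part of the original post: it joins the RADIUS "id 1645/N" in the Send and Received lines to the AAA session id (000000NN), records whether an Access-Accept arrived, whether it carried shell:priv-lvl, and whether exec authorization ran, and turns each session into the next thing to check. CAPTURE is a constructed subset of the debug lines shown above; the regexes and function names are this example's own.

```python
"""Correlate 'debug radius' / 'debug aaa authorization' lines into one verdict per login.

Added example, not from the original post. CAPTURE holds lines copied from the two
debug sessions above (a constructed subset). The RADIUS 'id 1645/N' ties the server's
reply back to the AAA session (000000NN) that sent the request.
"""
import re

CAPTURE = """\
*Jan  6 01:41:42.657: RADIUS(00000073): Send Access-Request to 10.94.200.14:1812 id 1645/6, len 94
*Jan  6 01:41:42.678: RADIUS: Received from id 1645/6 10.94.200.14:1812, Access-Accept, len 51
*Jan  6 01:41:42.683: RADIUS:  Cisco AVpair    [1]  19  "shell:priv-lvl=15"
*Jan  6 01:41:42.683: RADIUS:  Service-Type     [6]  6  NAS Prompt         [7]
*Jan  6 01:41:42.709: AAA/AUTHOR (00000073): Method list id=0 not configured. Skip author
*Jan  6 01:46:54.986: RADIUS(00000074): Send Access-Request to 10.94.200.14:1812 id 1645/7, len 94
*Jan  6 01:46:55.002: RADIUS: Received from id 1645/7 10.94.200.14:1812, Access-Accept, len 51
*Jan  6 01:46:55.002: RADIUS:  Cisco AVpair    [1]  19  "shell:priv-lvl=15"
*Jan  6 01:46:55.028: AAA/AUTHOR/EXEC(00000074): processing AV priv-lvl=15
*Jan  6 01:46:55.028: AAA/AUTHOR/EXEC(00000074): Authorization successful
"""

SEND = re.compile(r"RADIUS\((\w+)\): Send Access-Request to (\S+) id (\S+), len")
RECV = re.compile(r"RADIUS: Received from id (\S+) \S+, (Access-\w+)")
AVPAIR = re.compile(r'Cisco AVpair .*"shell:priv-lvl=(\d+)"')
SKIP = re.compile(r"AAA/AUTHOR \((\w+)\): Method list id=0 not configured")
DONE = re.compile(r"AAA/AUTHOR/EXEC\((\w+)\): Authorization (\w+)")


def new_session():
    return {"server": None, "reply": None, "priv_lvl": None, "exec_authz": "not run"}


def classify(log):
    """Return {aaa_session_id: record} for every login seen in the debug text."""
    sessions, by_radius_id, current = {}, {}, None
    for line in log.splitlines():
        if m := SEND.search(line):
            sessions.setdefault(m[1], new_session())["server"] = m[2]
            by_radius_id[m[3]] = m[1]          # RADIUS id -> AAA session id
        elif m := RECV.search(line):
            current = sessions.get(by_radius_id.get(m[1]))
            if current:
                current["reply"] = m[2]        # attribute lines that follow belong here
        elif (m := AVPAIR.search(line)) and current:
            current["priv_lvl"] = int(m[1])
        elif m := SKIP.search(line):
            sessions.setdefault(m[1], new_session())["exec_authz"] = "skipped"
        elif m := DONE.search(line):
            sessions.setdefault(m[1], new_session())["exec_authz"] = m[2]
    return sessions


def diagnose(s):
    """Map one session record to the next thing to check."""
    if s["reply"] != "Access-Accept":
        return "no Access-Accept: check credentials, shared secret and auth-port"
    if s["priv_lvl"] is None:
        return "Access-Accept carries no shell:priv-lvl: check the TekRADIUS reply attributes"
    if s["exec_authz"] != "successful":
        return ("priv-lvl=%d granted but exec authorization never ran: "
                "configure aaa authorization exec for the vty lines" % s["priv_lvl"])
    return "ok: user lands at privilege level %d" % s["priv_lvl"]
```

Run over the capture, session 00000073 comes out as "priv-lvl=15 granted but exec authorization never ran" and 00000074 as "ok", which is the difference between the two debug sessions in one line each.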