
X460-24x and FreeRadius


Create Date: Aug 14 2012 11:06PM

Good day!
Maybe you can help me?
I have an X460-24x configured to be a RADIUS client.
But I can't log in to the switch with read-write privileges, only with read rights.
The user in the users file looks like:
user    Crypt-Password := '/fc/f%Q(T2msY', Auth-Type := Crypt-Local
        Service-Type = NAS-Prompt-User,
        Service-Type = Login-User,
        Cisco-AVPair = "shell:priv-lvl=15",
        Extreme-CLI-Authorization = Disabled

I have added to the dictionary file:
VENDOR Extreme 1916
BEGIN-VENDOR Extreme
ATTRIBUTE Extreme-CLI-Authorization 201 integer Extreme
ATTRIBUTE Extreme-Shell-Command 202 string Extreme
ATTRIBUTE Extreme-Netlogin-Vlan 203 string Extreme
ATTRIBUTE Extreme-Netlogin-Url 204 string Extreme
ATTRIBUTE Extreme-Netlogin-Url-Desc 205 string Extreme
ATTRIBUTE Extreme-Netlogin-Only 206 integer Extreme
ATTRIBUTE Extreme-User-Location 208 string Extreme
ATTRIBUTE Extreme-Netlogin-Vlan-Tag 209 integer Extreme
ATTRIBUTE Extreme-Netlogin-Extended-Vlan 211 string Extreme
ATTRIBUTE Extreme-Security-Profile 212 string Extreme
VALUE Extreme-CLI-Authorization Disabled 0
VALUE Extreme-CLI-Authorization Enabled 1
VALUE Extreme-Netlogin-Only Disabled 0
VALUE Extreme-Netlogin-Only Enabled 1
END-VENDOR Extreme

When I try to log in, tcpdump shows:
Access Accept (2), id: 0x56, Authenticator: bb4ce22bbe219e946974870d0dd5005a
Service Type Attribute (6), length: 6, Value: NAS Prompt
Vendor Specific Attribute (26), length: 25, Value: Vendor: Cisco (9)
Vendor Attribute: 1, Length: 17, Value: shell:priv-lvl=15
Vendor Specific Attribute (26), length: 12, Value: Vendor: Unknown (1916)
Vendor Attribute: 201, Length: 4, Value: ....

I see that the Vendor Attribute: 201 value is .... But it should be 0, I think.

At the same time radiusd -x shows:
Sending Access-Accept of id 87 to 192.168.1.2 port 56198
Service-Type = NAS-Prompt-User
Cisco-AVPair = "shell:priv-lvl=15"
Extreme-CLI-Authorization = Disabled

There is a string value - Disabled. That's better, but anyway I thought it should be 0.
Maybe this is the case. What can you suggest?
Thank you! (from Tim_Kap)

Create Date: Aug 16 2012 4:03PM

You will need this attribute:

Service-Type = Administrative (from john_padilla)

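An added example, not part of either post: it builds a constructed Access-Accept with the same attribute lengths tcpdump reported above and decodes it, showing that a four-byte integer 0 is rendered as "...." by a text dump and that the Service-Type sent is NAS-Prompt (7), not Administrative (6). It assumes the four bytes behind "...." were 00 00 00 00; all function names are hypothetical.

```python
import struct

SERVICE_TYPES = {1: "Login", 6: "Administrative", 7: "NAS-Prompt"}  # RFC 2865
CLI_AUTHORIZATION = {0: "Disabled", 1: "Enabled"}  # from the posted dictionary

def tlv(attr_type, value):
    """Encode one attribute: type, length (2-byte header included), value."""
    return bytes([attr_type, len(value) + 2]) + value

def vsa(vendor_id, vendor_type, value):
    """Encode Vendor-Specific (26) carrying a single vendor sub-attribute."""
    return tlv(26, struct.pack("!I", vendor_id) + tlv(vendor_type, value))

def build_accept(pkt_id, attributes):
    """Access-Accept (code 2); the all-zero authenticator is a placeholder."""
    body = b"".join(attributes)
    return struct.pack("!BBH", 2, pkt_id, 20 + len(body)) + bytes(16) + body

def printable(data):  # text dumps show non-printable bytes as dots
    return "".join(chr(b) if 32 <= b < 127 else "." for b in data)

def describe(packet):
    """Decode the attributes of a RADIUS packet, validating every length."""
    length = struct.unpack("!H", packet[2:4])[0] if len(packet) >= 20 else 0
    if length < 20 or length > len(packet):
        raise ValueError("bad RADIUS length field")
    out, pos = [], 20
    while pos < length:
        a_len = packet[pos + 1] if pos + 2 <= length else 0
        if a_len < 2 or pos + a_len > length:
            raise ValueError("malformed attribute")
        a_type, value = packet[pos], packet[pos + 2:pos + a_len]
        pos += a_len
        if a_type == 6 and len(value) == 4:
            n = int.from_bytes(value, "big")
            out.append(("Service-Type", SERVICE_TYPES.get(n, n)))
        elif a_type == 26 and len(value) >= 6:
            vendor, v_type = struct.unpack("!I", value[:4])[0], value[4]
            data = value[6:4 + value[5]]  # value[5] counts its 2-byte header
            if (vendor, v_type) == (1916, 201) and len(data) == 4:
                n = int.from_bytes(data, "big")
                out.append(("Extreme-CLI-Authorization", CLI_AUTHORIZATION.get(n, n)))
            else:
                out.append((f"VSA {vendor}/{v_type}", printable(data)))
    return out

# Constructed packet mirroring the tcpdump output (assumes "...." was 00 00 00 00)
SAMPLE = build_accept(0x56, [tlv(6, struct.pack("!I", 7)), vsa(9, 1, b"shell:priv-lvl=15"),
                             vsa(1916, 201, bytes(4))])
```

Calling describe(SAMPLE) returns the decoded attribute list, and printable(bytes(4)) shows how the integer 0 appears when a dump has no dictionary for vendor 1916.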