Hi all,
I'm using RADIUS to authenticate and authorize users for shell access to some
routers. When I was running IOS 12.2 on the routers, everything was OK. But after
upgrading to the 12.3 train, the user always gets priv-lvl 15 regardless of what I set
in the RADIUS profile for the user. I attach the debug output of
aaa authentication
aaa authorization
radius
from a C1605R router, first for IOS 12.2(19), then for 12.3(5). The output
shows that the router processes the Cisco AV pair priv-lvl=X two times.
In release 12.2 it is first priv-lvl=15 and then priv-lvl=3 (sent from RADIUS).
In release 12.3 it's vice versa. Can somebody advise me where priv-lvl=15
is coming from? In the RADIUS profile for user "test" there is only

shell:priv-lvl=3

Thanks,
Miroslav Noversky
IOS 12.2(19) c1600-sy-mz.122-19.bin
-------------------------------------
Router#
*Mar 1 00:21:27.590: AAA: parse name=tty1 idb type=-1 tty=-1
*Mar 1 00:21:27.590: AAA: name=tty1 flags=0x11 type=5 shelf=0 slot=0 adapter=0 port=1 channel=0
*Mar 1 00:21:27.594: AAA/MEMORY: create_user (0x29AF54C) user='NULL' ruser='NULL' ds0=0 port='tty1' rem_addr='10.0.29.2' authen_type=ASCII service=LOGIN priv=1 initial_task_id='0'
*Mar 1 00:21:27.598: AAA/AUTHEN/START (1341166676): port='tty1' list='shell' action=LOGIN service=LOGIN
*Mar 1 00:21:27.598: AAA/AUTHEN/START (1341166676): found list shell
*Mar 1 00:21:27.602: AAA/AUTHEN/START (1341166676): Method=shell (radius)
*Mar 1 00:21:27.602: AAA/AUTHEN (1341166676): status = GETUSER
*Mar 1 00:21:29.812: AAA/AUTHEN/CONT (1341166676): continue_login (user='(undef)')
*Mar 1 00:21:29.816: AAA/AUTHEN (1341166676): status = GETUSER
*Mar 1 00:21:29.816: AAA/AUTHEN (1341166676): Method=shell (radius)
*Mar 1 00:21:29.820: AAA/AUTHEN (1341166676): status = GETPASS
*Mar 1 00:21:40.089: AAA/AUTHEN/CONT (1341166676): continue_login (user='test')
*Mar 1 00:21:40.093: AAA/AUTHEN (1341166676): status = GETPASS
*Mar 1 00:21:40.093: AAA/AUTHEN (1341166676): Method=shell (radius)
*Mar 1 00:21:40.097: RADIUS: ustruct sharecount=1
*Mar 1 00:21:40.097: Radius: radius_port_info() success=1 radius_nas_port=1
*Mar 1 00:21:40.101: RADIUS: Initial Transmit tty1 id 4 10.0.1.117:1645, Access-Request, len 76
*Mar 1 00:21:40.105: Attribute 4 6 0A0003C9
*Mar 1 00:21:40.105: Attribute 5 6 00000001
*Mar 1 00:21:40.105: Attribute 61 6 00000005
*Mar 1 00:21:40.109: Attribute 1 6 74657374
*Mar 1 00:21:40.109: Attribute 31 14 3139352E
*Mar 1 00:21:40.113: Attribute 2 18 25D93569
*Mar 1 00:21:40.125: RADIUS: Received from id 4 10.0.1.117:1645, Access-Accept, len 58
*Mar 1 00:21:40.125: Attribute 6 6 00000006
*Mar 1 00:21:40.129: Attribute 25 8 5348454C
*Mar 1 00:21:40.129: Attribute 26 24 0000000901127368
*Mar 1 00:21:40.133: RADIUS: saved authorization data for user 29AF54C at 2B27814
*Mar 1 00:21:40.137: AAA/AUTHEN (1341166676): status = PASS
*Mar 1 00:21:40.137: tty1 AAA/AUTHOR/EXEC (1502232992): Port='tty1' list='shell' service=EXEC
*Mar 1 00:21:40.141: AAA/AUTHOR/EXEC: tty1 (1502232992) user='test'
*Mar 1 00:21:40.141: tty1 AAA/AUTHOR/EXEC (1502232992): send AV service=shell
*Mar 1 00:21:40.145: tty1 AAA/AUTHOR/EXEC (1502232992): send AV cmd*
*Mar 1 00:21:40.145: tty1 AAA/AUTHOR/EXEC (1502232992): found list "shell"
*Mar 1 00:21:40.149: tty1 AAA/AUTHOR/EXEC (1502232992): Method=shell (radius)
*Mar 1 00:21:40.153: RADIUS: cisco AVPair "shell:priv-lvl=3"
*Mar 1 00:21:40.153: AAA/AUTHOR (1502232992): Post authorization status = PASS_ADD
*Mar 1 00:21:40.157: AAA/AUTHOR/EXEC: Processing AV service=shell
*Mar 1 00:21:40.161: AAA/AUTHOR/EXEC: Processing AV cmd*
*Mar 1 00:21:40.161: AAA/AUTHOR/EXEC: Processing AV priv-lvl=15
*Mar 1 00:21:40.161: AAA/AUTHOR/EXEC: Processing AV priv-lvl=3
*Mar 1 00:21:40.165: AAA/AUTHOR/EXEC: Authorization successful
Router#
IOS 12.3(5) c1600-sy-mz.123-5.bin
----------------------------------
*Mar 1 00:00:56.595: %SNMP-5-COLDSTART: SNMP agent on host Router is undergoing a cold start
*Mar 1 00:02:30.907: AAA/BIND(00000002): Bind i/f
*Mar 1 00:02:30.911: AAA/AUTHEN/LOGIN (00000002): Pick method list 'shell'
*Mar 1 00:02:30.918: RADIUS/ENCODE(00000002): ask "Username: "
*Mar 1 00:02:30.918: RADIUS/ENCODE(00000002): send packet; GET_USER
*Mar 1 00:02:32.660: RADIUS/ENCODE(00000002): ask "Password: "
*Mar 1 00:02:32.660: RADIUS/ENCODE(00000002): send packet; GET_PASSWORD
*Mar 1 00:02:36.601: RADIUS: AAA Unsupported [152] 4
*Mar 1 00:02:36.605: RADIUS: 74 74 [tt]
*Mar 1 00:02:36.609: RADIUS(00000002): Storing nasport 1 in rad_db
*Mar 1 00:02:36.613: RADIUS/ENCODE(00000002): dropping service type, "radius-server attribute 6 on-for-login-auth" is off
*Mar 1 00:02:36.613: RADIUS(00000002): Config NAS IP: 0.0.0.0
*Mar 1 00:02:36.616: RADIUS/ENCODE(00000002): acct_session_id: 2
*Mar 1 00:02:36.616: RADIUS(00000002): sending
*Mar 1 00:02:36.620: RADIUS/ENCODE: Best Local IP-Address 10.0.3.201 for Radius-Server 10.0.1.117
*Mar 1 00:02:36.624: RADIUS(00000002): Send Access-Request to 10.0.1.117:1645 id 1645/1, len 76
*Mar 1 00:02:36.632: RADIUS: authenticator FD 8D C6 56 A4 E4 47 4B - E4 48 EF 33 B3 0F 33 EF
*Mar 1 00:02:36.632: RADIUS: User-Name [1] 6 "test"
*Mar 1 00:02:36.636: RADIUS: User-Password [2] 18 *
*Mar 1 00:02:36.636: RADIUS: NAS-Port [5] 6 1
*Mar 1 00:02:36.640: RADIUS: NAS-Port-Type [61] 6 Virtual [5]
*Mar 1 00:02:36.640: RADIUS: Calling-Station-Id [31] 14 "10.0.29.2"
*Mar 1 00:02:36.644: RADIUS: NAS-IP-Address [4] 6 10.0.3.201
*Mar 1 00:02:36.656: RADIUS: Received from id 1645/1 10.0.1.117:1645, Access-Accept, len 58
*Mar 1 00:02:36.660: RADIUS: authenticator 63 52 49 66 20 66 F3 F4 - C1 C6 F9 E1 87 B2 AC AA
*Mar 1 00:02:36.664: RADIUS: Service-Type [6] 6 Administrative [6]
*Mar 1 00:02:36.668: RADIUS: Class [25] 8
*Mar 1 00:02:36.672: RADIUS: 53 48 45 4C 4C 3A [SHELL:]
*Mar 1 00:02:36.672: RADIUS: Vendor, Cisco [26] 24
*Mar 1 00:02:36.672: RADIUS: Cisco AVpair [1] 18 "shell:priv-lvl=3"
*Mar 1 00:02:36.680: RADIUS(00000002): Received from id 1645/1
*Mar 1 00:02:36.688: AAA/AUTHOR/EXEC(00000002): processing AV priv-lvl=3
*Mar 1 00:02:36.688: AAA/AUTHOR/EXEC(00000002): processing AV priv-lvl=15
*Mar 1 00:02:36.692: AAA/AUTHOR/EXEC(00000002): Authorization successful
Router#
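A worked decode of the Access-Accept the two traces show, as an added example that is not part of the original post. Both traces show the same 58-byte reply: Service-Type [6] = Administrative [6], a Class of "SHELL:", and a Cisco VSA carrying "shell:priv-lvl=3". The RADIUS profile itself only sets the AV pair, so the Service-Type must come from the server side (a default or group profile), and IOS treats Service-Type Administrative as a claim for privilege level 15. The Accept therefore carries two privilege claims, 15 and 3, and the final level depends only on which one IOS processes last: 12.2 processed 15 then 3 (user lands at 3), 12.3 processes 3 then 15 (user lands at 15). The script below parses the reply, lists every privilege claim in wire order, and models the "last one wins" ordering seen in both traces. The full packet bytes are reconstructed from the printed prefixes and lengths and are labelled as constructed; the attribute and vendor numbers are the RFC 2865 / Cisco values.

```python
import struct

# RFC 2865 attribute numbers and the Cisco vendor ID (IANA enterprise number 9)
ACCESS_ACCEPT = 2
SERVICE_TYPE = 6
CLASS = 25
VENDOR_SPECIFIC = 26
CISCO_VENDOR_ID = 9
CISCO_AVPAIR = 1                 # VSA sub-attribute type printed as "Cisco AVpair [1]"
SERVICE_TYPE_ADMINISTRATIVE = 6  # IOS maps this Service-Type to privilege level 15


def parse_attributes(payload):
    """Walk the attribute TLVs that follow the 20-byte RADIUS header."""
    attrs, off = [], 0
    while off < len(payload):
        if len(payload) - off < 2:
            raise ValueError("truncated attribute header at offset %d" % off)
        atype, alen = payload[off], payload[off + 1]
        if alen < 2 or off + alen > len(payload):
            raise ValueError("bad attribute length %d at offset %d" % (alen, off))
        attrs.append((atype, payload[off + 2:off + alen]))
        off += alen
    return attrs


def cisco_avpairs(value):
    """Extract every Cisco AVpair string from one Vendor-Specific attribute value."""
    if len(value) < 6 or struct.unpack("!I", value[:4])[0] != CISCO_VENDOR_ID:
        return []
    pairs, sub = [], value[4:]
    while len(sub) >= 2:
        stype, slen = sub[0], sub[1]
        if slen < 2 or slen > len(sub):
            raise ValueError("bad VSA sub-attribute length %d" % slen)
        if stype == CISCO_AVPAIR:
            pairs.append(sub[2:slen].decode("ascii"))
        sub = sub[slen:]
    return pairs


def privilege_sources(packet):
    """Return every privilege-level claim in an Access-Accept, in wire order."""
    if len(packet) < 20:
        raise ValueError("packet shorter than the RADIUS header")
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCESS_ACCEPT or length != len(packet):
        raise ValueError("not a well-formed Access-Accept")
    sources = []
    for atype, val in parse_attributes(packet[20:]):
        if atype == SERVICE_TYPE and len(val) == 4:
            if struct.unpack("!I", val)[0] == SERVICE_TYPE_ADMINISTRATIVE:
                sources.append(("Service-Type=Administrative", 15))
        elif atype == VENDOR_SPECIFIC:
            for av in cisco_avpairs(val):
                if av.startswith("shell:priv-lvl="):
                    sources.append((av, int(av.split("=", 1)[1])))
    return sources


def effective_privilege(sources, default=1):
    """The last AV processed wins, which is what both debug traces show."""
    return sources[-1][1] if sources else default


def build_access_accept(ident, authenticator, attrs):
    body = b"".join(bytes([atype, len(val) + 2]) + val for atype, val in attrs)
    return struct.pack("!BBH", ACCESS_ACCEPT, ident, 20 + len(body)) + authenticator + body


def cisco_avpair_value(text):
    sub = bytes([CISCO_AVPAIR, len(text) + 2]) + text.encode("ascii")
    return struct.pack("!I", CISCO_VENDOR_ID) + sub


# Constructed sample: the Access-Accept reconstructed from the 12.3 trace (len 58,
# id 1, authenticator 63 52 ... AC AA, Service-Type=Administrative, Class "SHELL:",
# Cisco AVpair "shell:priv-lvl=3"). The debug prints only attribute prefixes, so the
# exact byte layout is an assumption; it does reproduce every printed field and length.
AUTHENTICATOR = bytes.fromhex("63524966 2066F3F4 C1C6F9E1 87B2ACAA")
SAMPLE_ACCEPT = build_access_accept(1, AUTHENTICATOR, [
    (SERVICE_TYPE, struct.pack("!I", SERVICE_TYPE_ADMINISTRATIVE)),
    (CLASS, b"SHELL:"),
    (VENDOR_SPECIFIC, cisco_avpair_value("shell:priv-lvl=3")),
])

if __name__ == "__main__":
    srcs = privilege_sources(SAMPLE_ACCEPT)
    print("privilege claims in wire order:", srcs)
    print("12.2-style order (15 then 3) ->", effective_privilege(srcs))
    print("12.3-style order (3 then 15) ->", effective_privilege(srcs[::-1]))
```

The practical check is simply whether privilege_sources() returns more than one claim: a profile meant to grant level 3 should produce exactly one. The usual way to get that on IOS is to send Service-Type = NAS-Prompt-User (7) instead of Administrative-User (6) alongside shell:priv-lvl=3, because a Service-Type of Administrative is itself a grant of level 15 and any reliance on processing order to demote it is fragile, as the 12.2 to 12.3 change here demonstrates.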