Privilege level is always 15

 
 
Miroslav Noversky
 
      12-12-2003
Hi all,

I'm using RADIUS to authenticate and authorize users for shell access to some routers. When I was running IOS 12.2 on the routers, everything was OK. But after the upgrade to the 12.3 train, the user always gets priv-lvl 15 regardless of what I set in the RADIUS profile for the user. I attach the debug output of

aaa authentication
aaa authorization
radius

from a C1605R router, first for IOS 12.2(19) and then for 12.3(5). The output shows that the router processes the Cisco AV pair priv-lvl=X twice. In release 12.2 it is first priv-lvl=15 and then priv-lvl=3 (sent from RADIUS). In release 12.3 it's vice versa. Can somebody advise me where priv-lvl=15 is coming from? The RADIUS profile for user "test" contains only shell:priv-lvl=3.

Thanks,

Miroslav Noversky


IOS 12.2 (19) c1600-sy-mz.122-19.bin
-------------------------------------

Router#
*Mar 1 00:21:27.590: AAA: parse name=tty1 idb type=-1 tty=-1
*Mar 1 00:21:27.590: AAA: name=tty1 flags=0x11 type=5 shelf=0 slot=0 adapter=0 port=1 channel=0
*Mar 1 00:21:27.594: AAA/MEMORY: create_user (0x29AF54C) user='NULL' ruser='NULL' ds0=0 port='tty1' rem_addr='10.0.29.2' authen_type=ASCII service=LOGIN priv=1 initial_task_id='0'
*Mar 1 00:21:27.598: AAA/AUTHEN/START (1341166676): port='tty1' list='shell' action=LOGIN service=LOGIN
*Mar 1 00:21:27.598: AAA/AUTHEN/START (1341166676): found list shell
*Mar 1 00:21:27.602: AAA/AUTHEN/START (1341166676): Method=shell (radius)
*Mar 1 00:21:27.602: AAA/AUTHEN (1341166676): status = GETUSER
*Mar 1 00:21:29.812: AAA/AUTHEN/CONT (1341166676): continue_login (user='(undef)')
*Mar 1 00:21:29.816: AAA/AUTHEN (1341166676): status = GETUSER
*Mar 1 00:21:29.816: AAA/AUTHEN (1341166676): Method=shell (radius)
*Mar 1 00:21:29.820: AAA/AUTHEN (1341166676): status = GETPASS
*Mar 1 00:21:40.089: AAA/AUTHEN/CONT (1341166676): continue_login (user='test')
*Mar 1 00:21:40.093: AAA/AUTHEN (1341166676): status = GETPASS
*Mar 1 00:21:40.093: AAA/AUTHEN (1341166676): Method=shell (radius)
*Mar 1 00:21:40.097: RADIUS: ustruct sharecount=1
*Mar 1 00:21:40.097: Radius: radius_port_info() success=1 radius_nas_port=1
*Mar 1 00:21:40.101: RADIUS: Initial Transmit tty1 id 4 10.0.1.117:1645, Access-Request, len 76
*Mar 1 00:21:40.105: Attribute 4 6 0A0003C9
*Mar 1 00:21:40.105: Attribute 5 6 00000001
*Mar 1 00:21:40.105: Attribute 61 6 00000005
*Mar 1 00:21:40.109: Attribute 1 6 74657374
*Mar 1 00:21:40.109: Attribute 31 14 3139352E
*Mar 1 00:21:40.113: Attribute 2 18 25D93569
*Mar 1 00:21:40.125: RADIUS: Received from id 4 10.0.1.117:1645, Access-Accept, len 58
*Mar 1 00:21:40.125: Attribute 6 6 00000006
*Mar 1 00:21:40.129: Attribute 25 8 5348454C
*Mar 1 00:21:40.129: Attribute 26 24 0000000901127368
*Mar 1 00:21:40.133: RADIUS: saved authorization data for user 29AF54C at 2B27814
*Mar 1 00:21:40.137: AAA/AUTHEN (1341166676): status = PASS
*Mar 1 00:21:40.137: tty1 AAA/AUTHOR/EXEC (1502232992): Port='tty1' list='shell' service=EXEC
*Mar 1 00:21:40.141: AAA/AUTHOR/EXEC: tty1 (1502232992) user='test'
*Mar 1 00:21:40.141: tty1 AAA/AUTHOR/EXEC (1502232992): send AV service=shell
*Mar 1 00:21:40.145: tty1 AAA/AUTHOR/EXEC (1502232992): send AV cmd*
*Mar 1 00:21:40.145: tty1 AAA/AUTHOR/EXEC (1502232992): found list "shell"
*Mar 1 00:21:40.149: tty1 AAA/AUTHOR/EXEC (1502232992): Method=shell (radius)
*Mar 1 00:21:40.153: RADIUS: cisco AVPair "shell:priv-lvl=3"
*Mar 1 00:21:40.153: AAA/AUTHOR (1502232992): Post authorization status = PASS_ADD
*Mar 1 00:21:40.157: AAA/AUTHOR/EXEC: Processing AV service=shell
*Mar 1 00:21:40.161: AAA/AUTHOR/EXEC: Processing AV cmd*
*Mar 1 00:21:40.161: AAA/AUTHOR/EXEC: Processing AV priv-lvl=15
*Mar 1 00:21:40.161: AAA/AUTHOR/EXEC: Processing AV priv-lvl=3
*Mar 1 00:21:40.165: AAA/AUTHOR/EXEC: Authorization successful
Router#


IOS 12.3 (5) c1600-sy-mz.123-5.bin
----------------------------------

*Mar 1 00:00:56.595: %SNMP-5-COLDSTART: SNMP agent on host Router is undergoing a cold start
*Mar 1 00:02:30.907: AAA/BIND(00000002): Bind i/f
*Mar 1 00:02:30.911: AAA/AUTHEN/LOGIN (00000002): Pick method list 'shell'
*Mar 1 00:02:30.918: RADIUS/ENCODE(00000002): ask "Username: "
*Mar 1 00:02:30.918: RADIUS/ENCODE(00000002): send packet; GET_USER
*Mar 1 00:02:32.660: RADIUS/ENCODE(00000002): ask "Password: "
*Mar 1 00:02:32.660: RADIUS/ENCODE(00000002): send packet; GET_PASSWORD
*Mar 1 00:02:36.601: RADIUS: AAA Unsupported [152] 4
*Mar 1 00:02:36.605: RADIUS: 74 74 [tt]
*Mar 1 00:02:36.609: RADIUS(00000002): Storing nasport 1 in rad_db
*Mar 1 00:02:36.613: RADIUS/ENCODE(00000002): dropping service type, "radius-server attribute 6 on-for-login-auth" is off
*Mar 1 00:02:36.613: RADIUS(00000002): Config NAS IP: 0.0.0.0
*Mar 1 00:02:36.616: RADIUS/ENCODE(00000002): acct_session_id: 2
*Mar 1 00:02:36.616: RADIUS(00000002): sending
*Mar 1 00:02:36.620: RADIUS/ENCODE: Best Local IP-Address 10.0.3.201 for Radius-Server 10.0.1.117
*Mar 1 00:02:36.624: RADIUS(00000002): Send Access-Request to 10.0.1.117:1645 id 1645/1, len 76
*Mar 1 00:02:36.632: RADIUS: authenticator FD 8D C6 56 A4 E4 47 4B - E4 48 EF 33 B3 0F 33 EF
*Mar 1 00:02:36.632: RADIUS: User-Name [1] 6 "test"
*Mar 1 00:02:36.636: RADIUS: User-Password [2] 18 *
*Mar 1 00:02:36.636: RADIUS: NAS-Port [5] 6 1
*Mar 1 00:02:36.640: RADIUS: NAS-Port-Type [61] 6 Virtual [5]
*Mar 1 00:02:36.640: RADIUS: Calling-Station-Id [31] 14 "10.0.29.2"
*Mar 1 00:02:36.644: RADIUS: NAS-IP-Address [4] 6 10.0.3.201
*Mar 1 00:02:36.656: RADIUS: Received from id 1645/1 10.0.1.117:1645, Access-Accept, len 58
*Mar 1 00:02:36.660: RADIUS: authenticator 63 52 49 66 20 66 F3 F4 - C1 C6 F9 E1 87 B2 AC AA
*Mar 1 00:02:36.664: RADIUS: Service-Type [6] 6 Administrative [6]
*Mar 1 00:02:36.668: RADIUS: Class [25] 8
*Mar 1 00:02:36.672: RADIUS: 53 48 45 4C 4C 3A [SHELL:]
*Mar 1 00:02:36.672: RADIUS: Vendor, Cisco [26] 24
*Mar 1 00:02:36.672: RADIUS: Cisco AVpair [1] 18 "shell:priv-lvl=3"
*Mar 1 00:02:36.680: RADIUS(00000002): Received from id 1645/1
*Mar 1 00:02:36.688: AAA/AUTHOR/EXEC(00000002): processing AV priv-lvl=3
*Mar 1 00:02:36.688: AAA/AUTHOR/EXEC(00000002): processing AV priv-lvl=15
*Mar 1 00:02:36.692: AAA/AUTHOR/EXEC(00000002): Authorization successful
Router#
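A small decoder, added here as an example and not part of the original post, that walks the Access-Accept attributes shown in the debug output (Service-Type, Class, and the Cisco vendor-specific attribute), lists the priv-lvl AV pairs they imply, and replays the two processing orders seen in 12.2 and 12.3. It assumes that IOS treats Service-Type Administrative (6) as an implicit priv-lvl=15, that the last priv-lvl processed wins, and it uses constructed attribute bytes sized to match the lengths in the log.

```python
import struct

# Constructed Access-Accept attribute bytes matching the fields and lengths in the
# debug output above (len 58 = 20-byte RADIUS header + 38 bytes of attributes).
ACCESS_ACCEPT_ATTRS = (
    bytes([6, 6]) + struct.pack("!I", 6)        # Service-Type = Administrative (6)
    + bytes([25, 8]) + b"SHELL:"                # Class
    + bytes([26, 24]) + struct.pack("!I", 9)    # Vendor-Specific, vendor-id 9 (Cisco)
    + bytes([1, 18]) + b"shell:priv-lvl=3"      # vendor-type 1 = cisco-avpair
)

def parse_attributes(data):
    """Split an RFC 2865 attribute blob into (type, value) pairs, rejecting bad lengths."""
    attrs, i = [], 0
    while i < len(data):
        alen = data[i + 1] if i + 1 < len(data) else 0
        if alen < 2 or i + alen > len(data):
            raise ValueError("malformed attribute at offset %d" % i)
        attrs.append((data[i], data[i + 2:i + alen]))
        i += alen
    return attrs

def privilege_av_pairs(data):
    """priv-lvl AV pairs an Access-Accept implies, in attribute order.
    Assumption: IOS maps Service-Type Administrative (6) to priv-lvl=15 and
    reads shell:priv-lvl=N from cisco-avpair (vendor 9, vendor-type 1)."""
    pairs = []
    for atype, value in parse_attributes(data):
        if atype == 6 and struct.unpack("!I", value)[0] == 6:
            pairs.append("priv-lvl=15")
        elif atype == 26 and struct.unpack("!I", value[:4])[0] == 9:
            for vtype, vvalue in parse_attributes(value[4:]):
                if vtype == 1 and vvalue.startswith(b"shell:priv-lvl="):
                    pairs.append(vvalue[len(b"shell:"):].decode())
    return pairs

def effective_priv_lvl(pairs, default=1):
    """Replay AV processing: the last priv-lvl seen wins, so order decides the outcome."""
    lvl = default
    for pair in pairs:
        if pair.startswith("priv-lvl="):
            lvl = int(pair.split("=", 1)[1])
    return lvl

def conflicting_priv_lvl(pairs):
    """True when one Accept carries more than one distinct privilege level; worth flagging."""
    return len({p for p in pairs if p.startswith("priv-lvl=")}) > 1
```

Run against the constructed Accept, the attribute order gives ["priv-lvl=15", "priv-lvl=3"]: replayed as 12.2 did (15 then 3) the exec lands at level 3, replayed in the 12.3 order (3 then 15) it lands at 15, and conflicting_priv_lvl flags the profile so the server-side policy can be pinned to a single value.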
freco
01-26-2010
Did you find a solution?

Please let me know...

Thanks, Matthias