Privilege level is always 15

Discussion in 'Cisco' started by Miroslav Noversky, Dec 12, 2003.

  1. Hi all,

    I'm using RADIUS to authenticate and authorize users for shell access to
    some routers. When I was running IOS 12.2 on the routers, everything was
    OK. But after the upgrade to the 12.3 train, the user always gets
    priv-lvl 15 regardless of what I set in the RADIUS profile for the user.
    I attach the debug output of
    aaa authentication
    aaa authorization
    radius

    from a C1605R router, first for IOS 12.2(19), then for 12.3(5). The
    output shows that the router is processing the Cisco AV pair priv-lvl=X
    two times. In release 12.2 first priv-lvl=15 and then priv-lvl=3 (sent
    from RADIUS). In release 12.3 it's vice versa. Can somebody advise me
    where priv-lvl=15 is coming from? In the RADIUS profile for user "test"
    there is only shell:priv-lvl=3.

    Thanks,

    Miroslav Noversky


    IOS 12.2 (19) c1600-sy-mz.122-19.bin
    -------------------------------------

    Router#
    *Mar 1 00:21:27.590: AAA: parse name=tty1 idb type=-1 tty=-1
    *Mar 1 00:21:27.590: AAA: name=tty1 flags=0x11 type=5 shelf=0 slot=0 adapter=0 port=1 channel=0
    *Mar 1 00:21:27.594: AAA/MEMORY: create_user (0x29AF54C) user='NULL' ruser='NULL' ds0=0 port='tty1' rem_addr='10.0.29.2' authen_type=ASCII service=LOGIN priv=1 initial_task_id='0'
    *Mar 1 00:21:27.598: AAA/AUTHEN/START (1341166676): port='tty1' list='shell' action=LOGIN service=LOGIN
    *Mar 1 00:21:27.598: AAA/AUTHEN/START (1341166676): found list shell
    *Mar 1 00:21:27.602: AAA/AUTHEN/START (1341166676): Method=shell (radius)
    *Mar 1 00:21:27.602: AAA/AUTHEN (1341166676): status = GETUSER
    *Mar 1 00:21:29.812: AAA/AUTHEN/CONT (1341166676): continue_login (user='(undef)')
    *Mar 1 00:21:29.816: AAA/AUTHEN (1341166676): status = GETUSER
    *Mar 1 00:21:29.816: AAA/AUTHEN (1341166676): Method=shell (radius)
    *Mar 1 00:21:29.820: AAA/AUTHEN (1341166676): status = GETPASS
    *Mar 1 00:21:40.089: AAA/AUTHEN/CONT (1341166676): continue_login (user='test')
    *Mar 1 00:21:40.093: AAA/AUTHEN (1341166676): status = GETPASS
    *Mar 1 00:21:40.093: AAA/AUTHEN (1341166676): Method=shell (radius)
    *Mar 1 00:21:40.097: RADIUS: ustruct sharecount=1
    *Mar 1 00:21:40.097: Radius: radius_port_info() success=1 radius_nas_port=1
    *Mar 1 00:21:40.101: RADIUS: Initial Transmit tty1 id 4 10.0.1.117:1645, Access-Request, len 76
    *Mar 1 00:21:40.105: Attribute 4 6 0A0003C9
    *Mar 1 00:21:40.105: Attribute 5 6 00000001
    *Mar 1 00:21:40.105: Attribute 61 6 00000005
    *Mar 1 00:21:40.109: Attribute 1 6 74657374
    *Mar 1 00:21:40.109: Attribute 31 14 3139352E
    *Mar 1 00:21:40.113: Attribute 2 18 25D93569
    *Mar 1 00:21:40.125: RADIUS: Received from id 4 10.0.1.117:1645, Access-Accept, len 58
    *Mar 1 00:21:40.125: Attribute 6 6 00000006
    *Mar 1 00:21:40.129: Attribute 25 8 5348454C
    *Mar 1 00:21:40.129: Attribute 26 24 0000000901127368
    *Mar 1 00:21:40.133: RADIUS: saved authorization data for user 29AF54C at 2B27814
    *Mar 1 00:21:40.137: AAA/AUTHEN (1341166676): status = PASS
    *Mar 1 00:21:40.137: tty1 AAA/AUTHOR/EXEC (1502232992): Port='tty1' list='shell' service=EXEC
    *Mar 1 00:21:40.141: AAA/AUTHOR/EXEC: tty1 (1502232992) user='test'
    *Mar 1 00:21:40.141: tty1 AAA/AUTHOR/EXEC (1502232992): send AV service=shell
    *Mar 1 00:21:40.145: tty1 AAA/AUTHOR/EXEC (1502232992): send AV cmd*
    *Mar 1 00:21:40.145: tty1 AAA/AUTHOR/EXEC (1502232992): found list "shell"
    *Mar 1 00:21:40.149: tty1 AAA/AUTHOR/EXEC (1502232992): Method=shell (radius)
    *Mar 1 00:21:40.153: RADIUS: cisco AVPair "shell:priv-lvl=3"
    *Mar 1 00:21:40.153: AAA/AUTHOR (1502232992): Post authorization status = PASS_ADD
    *Mar 1 00:21:40.157: AAA/AUTHOR/EXEC: Processing AV service=shell
    *Mar 1 00:21:40.161: AAA/AUTHOR/EXEC: Processing AV cmd*
    *Mar 1 00:21:40.161: AAA/AUTHOR/EXEC: Processing AV priv-lvl=15
    *Mar 1 00:21:40.161: AAA/AUTHOR/EXEC: Processing AV priv-lvl=3
    *Mar 1 00:21:40.165: AAA/AUTHOR/EXEC: Authorization successful
    Router#


    IOS 12.3 (5) c1600-sy-mz.123-5.bin
    ----------------------------------

    *Mar 1 00:00:56.595: %SNMP-5-COLDSTART: SNMP agent on host Router is undergoing a cold start
    *Mar 1 00:02:30.907: AAA/BIND(00000002): Bind i/f
    *Mar 1 00:02:30.911: AAA/AUTHEN/LOGIN (00000002): Pick method list 'shell'
    *Mar 1 00:02:30.918: RADIUS/ENCODE(00000002): ask "Username: "
    *Mar 1 00:02:30.918: RADIUS/ENCODE(00000002): send packet; GET_USER
    *Mar 1 00:02:32.660: RADIUS/ENCODE(00000002): ask "Password: "
    *Mar 1 00:02:32.660: RADIUS/ENCODE(00000002): send packet; GET_PASSWORD
    *Mar 1 00:02:36.601: RADIUS: AAA Unsupported [152] 4
    *Mar 1 00:02:36.605: RADIUS: 74 74 [tt]
    *Mar 1 00:02:36.609: RADIUS(00000002): Storing nasport 1 in rad_db
    *Mar 1 00:02:36.613: RADIUS/ENCODE(00000002): dropping service type, "radius-server attribute 6 on-for-login-auth" is off
    *Mar 1 00:02:36.613: RADIUS(00000002): Config NAS IP: 0.0.0.0
    *Mar 1 00:02:36.616: RADIUS/ENCODE(00000002): acct_session_id: 2
    *Mar 1 00:02:36.616: RADIUS(00000002): sending
    *Mar 1 00:02:36.620: RADIUS/ENCODE: Best Local IP-Address 10.0.3.201 for Radius-Server 10.0.1.117
    *Mar 1 00:02:36.624: RADIUS(00000002): Send Access-Request to 10.0.1.117:1645 id 1645/1, len 76
    *Mar 1 00:02:36.632: RADIUS: authenticator FD 8D C6 56 A4 E4 47 4B - E4 48 EF 33 B3 0F 33 EF
    *Mar 1 00:02:36.632: RADIUS: User-Name [1] 6 "test"
    *Mar 1 00:02:36.636: RADIUS: User-Password [2] 18 *
    *Mar 1 00:02:36.636: RADIUS: NAS-Port [5] 6 1
    *Mar 1 00:02:36.640: RADIUS: NAS-Port-Type [61] 6 Virtual [5]
    *Mar 1 00:02:36.640: RADIUS: Calling-Station-Id [31] 14 "10.0.29.2"
    *Mar 1 00:02:36.644: RADIUS: NAS-IP-Address [4] 6 10.0.3.201
    *Mar 1 00:02:36.656: RADIUS: Received from id 1645/1 10.0.1.117:1645, Access-Accept, len 58
    *Mar 1 00:02:36.660: RADIUS: authenticator 63 52 49 66 20 66 F3 F4 - C1 C6 F9 E1 87 B2 AC AA
    *Mar 1 00:02:36.664: RADIUS: Service-Type [6] 6 Administrative [6]
    *Mar 1 00:02:36.668: RADIUS: Class [25] 8
    *Mar 1 00:02:36.672: RADIUS: 53 48 45 4C 4C 3A [SHELL:]
    *Mar 1 00:02:36.672: RADIUS: Vendor, Cisco [26] 24
    *Mar 1 00:02:36.672: RADIUS: Cisco AVpair [1] 18 "shell:priv-lvl=3"
    *Mar 1 00:02:36.680: RADIUS(00000002): Received from id 1645/1
    *Mar 1 00:02:36.688: AAA/AUTHOR/EXEC(00000002): processing AV priv-lvl=3
    *Mar 1 00:02:36.688: AAA/AUTHOR/EXEC(00000002): processing AV priv-lvl=15
    *Mar 1 00:02:36.692: AAA/AUTHOR/EXEC(00000002): Authorization successful
    Router#
    Miroslav Noversky, Dec 12, 2003
    #1
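An added example, not part of the original post: a small Python parser for the two debug formats shown above. It decodes the hex-dumped attributes of the 12.2 output (the debug prints only the first bytes of each value, so the Cisco VSA and Class attributes come out truncated), extracts the priv-lvl the RADIUS server sent, lists the priv-lvl values the EXEC authorization stage actually walked through, and flags the case where the last-processed value differs from the server-assigned one. The two captures are consistent with the last value taking effect: 15 then 3 gave the expected level on 12.2, 3 then 15 gave 15 on 12.3. Both Access-Accepts also carry Service-Type 6 (Administrative), which IOS maps to privilege level 15, so the check reports that as well. The sample log lines are constructed from values in the post; the function and constant names are my own.

```python
import re

# RADIUS Service-Type values (RFC 2865) that matter for an exec login
SERVICE_TYPES = {1: "Login", 2: "Framed", 6: "Administrative", 7: "NAS-Prompt"}
ATTR_NAMES = {1: "User-Name", 4: "NAS-IP-Address", 5: "NAS-Port", 25: "Class",
              26: "Vendor-Specific", 31: "Calling-Station-Id", 61: "NAS-Port-Type"}
CISCO_VENDOR_ID = 9

# 12.2-style line: "Attribute <type> <length> <first bytes of the value in hex>"
ATTR_RE = re.compile(r"\bAttribute (\d+) (\d+) ([0-9A-Fa-f]+)\s*$")
# 12.3-style decoded Service-Type line: "Service-Type [6] 6 Administrative [6]"
SVC_RE = re.compile(r"Service-Type\s+\[6\]\s+\d+\s+[\w-]+\s+\[(\d+)\]")
# the Cisco AV pair as the server sent it (both formats print it in quotes)
AVPAIR_RE = re.compile(r'AVPair\b.*"shell:priv-lvl=(\d+)"', re.IGNORECASE)
# the priv-lvl values the EXEC authorization stage walks through, in order
PROC_RE = re.compile(r"processing AV priv-lvl=(\d+)", re.IGNORECASE)

# Constructed samples: lines copied from the two captures in the post.
SAMPLE_122 = """\
*Mar 1 00:21:40.125: RADIUS: Received from id 4 10.0.1.117:1645, Access-Accept, len 58
*Mar 1 00:21:40.125: Attribute 6 6 00000006
*Mar 1 00:21:40.129: Attribute 25 8 5348454C
*Mar 1 00:21:40.129: Attribute 26 24 0000000901127368
*Mar 1 00:21:40.153: RADIUS: cisco AVPair "shell:priv-lvl=3"
*Mar 1 00:21:40.161: AAA/AUTHOR/EXEC: Processing AV priv-lvl=15
*Mar 1 00:21:40.161: AAA/AUTHOR/EXEC: Processing AV priv-lvl=3
"""
SAMPLE_123 = """\
*Mar 1 00:02:36.664: RADIUS: Service-Type [6] 6 Administrative [6]
*Mar 1 00:02:36.672: RADIUS: Cisco AVpair [1] 18 "shell:priv-lvl=3"
*Mar 1 00:02:36.688: AAA/AUTHOR/EXEC(00000002): processing AV priv-lvl=3
*Mar 1 00:02:36.688: AAA/AUTHOR/EXEC(00000002): processing AV priv-lvl=15
"""


def decode_attribute(attr_type, length, hexdump):
    """Decode one 12.2-style 'Attribute T L HEX' line.

    `length` is the on-the-wire attribute length (2-byte header included);
    the debug shows at most the first 8 bytes of the value, so we also report
    whether the dump is truncated.
    """
    raw = bytes.fromhex(hexdump)
    truncated = (length - 2) > len(raw)
    if attr_type == 6:
        value = int.from_bytes(raw[:4], "big")
        return {"name": "Service-Type", "value": value,
                "label": SERVICE_TYPES.get(value, "unknown"), "truncated": truncated}
    if attr_type == 26 and len(raw) >= 6:
        # Vendor-Specific: 4-byte vendor id, then vendor type, vendor length, data
        return {"name": "Vendor-Specific", "vendor": int.from_bytes(raw[:4], "big"),
                "vsa_type": raw[4], "vsa_len": raw[5],
                "text": raw[6:].decode("ascii", "replace"), "truncated": truncated}
    return {"name": ATTR_NAMES.get(attr_type, f"attr-{attr_type}"),
            "text": raw.decode("ascii", "replace"), "truncated": truncated}


def parse_debug(text):
    """Pull the Service-Type, the server-sent priv-lvl and the processed priv-lvls
    out of one login's debug output (either format)."""
    result = {"service_type": None, "server_priv_lvl": None, "processed": []}
    for line in text.splitlines():
        m = ATTR_RE.search(line)
        if m:
            d = decode_attribute(int(m.group(1)), int(m.group(2)), m.group(3))
            if d["name"] == "Service-Type":
                result["service_type"] = d["value"]
            continue
        m = SVC_RE.search(line)
        if m:
            result["service_type"] = int(m.group(1))
            continue
        m = AVPAIR_RE.search(line)
        if m:
            result["server_priv_lvl"] = int(m.group(1))
            continue
        m = PROC_RE.search(line)
        if m:
            result["processed"].append(int(m.group(1)))
    # the captures in the post are consistent with the last processed value winning
    result["effective_priv_lvl"] = result["processed"][-1] if result["processed"] else None
    return result


def check_privilege(text):
    """Return findings worth alerting on: an Administrative Service-Type, and an
    effective privilege level that is not the one the RADIUS server assigned."""
    r = parse_debug(text)
    findings = []
    if r["service_type"] == 6:
        findings.append("Access-Accept carries Service-Type Administrative (6), "
                        "which IOS maps to priv-lvl 15")
    if (r["server_priv_lvl"] is not None and r["effective_priv_lvl"] is not None
            and r["effective_priv_lvl"] != r["server_priv_lvl"]):
        findings.append(f"effective priv-lvl {r['effective_priv_lvl']} differs from "
                        f"server-assigned priv-lvl {r['server_priv_lvl']} "
                        f"(processed order: {r['processed']})")
    return findings


if __name__ == "__main__":
    for label, sample in (("12.2(19)", SAMPLE_122), ("12.3(5)", SAMPLE_123)):
        print(label, parse_debug(sample))
        for f in check_privilege(sample):
            print("  finding:", f)
```

Run it as-is to see both captures summarised; feed it a fresh `debug radius` / `debug aaa authorization` capture to confirm which priv-lvl the EXEC stage settles on and whether the server's Access-Accept is also carrying an Administrative Service-Type.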

  2. freco

    Joined: Jan 26, 2010
    Messages: 1

    Same problem!

    Did you find a solution???????

    Please let me know...

    Thanks, Matthias
    freco, Jan 26, 2010
    #2