From owner-freebsd-questions Thu Feb 13 16:01:04 1997
Return-Path:
Received: (from root@localhost) by freefall.freebsd.org (8.8.5/8.8.5) id QAA19839 for questions-outgoing; Thu, 13 Feb 1997 16:01:04 -0800 (PST)
Received: from vic.cioe.com (ns1.cioe.com [204.120.165.37]) by freefall.freebsd.org (8.8.5/8.8.5) with ESMTP id PAA19645; Thu, 13 Feb 1997 15:58:00 -0800 (PST)
Received: (from root@localhost) by vic.cioe.com (8.7.5/8.7.3) id SAA19011; Thu, 13 Feb 1997 18:57:34 -0500 (EST)
Date: Thu, 13 Feb 1997 18:57:34 -0500 (EST)
From: Steve Ames
Message-Id: <199702132357.SAA19011@vic.cioe.com>
To: freebsd-questions@freebsd.org
Subject: radius and cisco
Sender: owner-questions@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

I've been beating my head against a wall this entire day (going on 10 hours). Can _anyone_, please, tell me what I'm doing wrong here.

I've got a Cisco 2511 running Cisco IOS 11.1.9. I've got it configured to run RADIUS. Compiled radius straight out of the ports directory. Modified the clients and users files and ran radiusd. So far so good. Telnetted over to the 2511 and got %Access Denied. *sigh* Added tons of debugging information to the authentication.c and funcs.c files and ran it again. Near as I can track down, the encryption used by the radius port and the Cisco 2511 are different... or their keys are.
My router configuration looks basically like this:

        radius-server host 204.120.165.37
        radius-server key testing
        aaa authentication login default radius local

My clients file has only one line:

        204.120.165.39  testing

My users file looks thustly (basically just used the sample):

----CUT HERE---
fred    Password = "flint"
        Filter-Id = "unlim"

steve   Authentication-Type = Unix-PW
        Filter-Id = "unlim"

DEFAULT Authentication-Type = Unix-PW
        Filter-Id = "unlim"

# These "canonical" user entries are searched for after matching a user
# from one of the above user entries (including the DEFAULT entry), but
# only if that first entry did not specify a "Service-Type" attribute.
# The server does this by matching the "hint" supplied by the client in
# the "Service-Type" attribute found in the request.
#
# This feature allows the same user id to be used for either PPP, SLIP,
# dumb-terminal or other access. Note: the "Authentication-Type = None"
# check item on each of the following entries prevents it from ever being
# treated as a normal user id.
#
# The server checks for eight "Service-Type" values (Login, <>,
# Callback-Login, Callback-Framed, Outbound-User, Administrative-User,
# Exec-User and Authenticate-Only) and equates them with the "dumbuser",
# <<"pppuser", "slipuser",>> "cblogin", "cbframed", "obuser", "admin",
# "execuser" and "authonly" entries. The first three users are shown:

dumbuser        Authentication-Type = None
                Service-Type = Login,
                Login-Service = Telnet,
                Login-IP-Host = 255.255.255.255

pppuser         Authentication-Type = None
                Service-Type = Framed,
                Framed-Protocol = PPP,
                Framed-IP-Netmask = 255.255.255.0,
                Framed-Routing = None,
                Framed-MTU = 1500,
                Framed-Compression = Van-Jacobson-TCP-IP

slipuser        Authentication-Type = None
                Service-Type = Framed,
                Framed-Protocol = SLIP,
                Framed-IP-Netmask = 255.255.255.0,
                Framed-Routing = None,
                Framed-MTU = 1500,
                Framed-Compression = Van-Jacobson-TCP-IP
----ENDS----

Anyone got any ideas? (need help badly)

-Steve
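An added illustration, not from Steve's message or the radius port, of the User-Password hiding that the NAS and radiusd must both compute with the same shared secret (the RFC 2865 section 5.2 scheme; the 16-byte Request Authenticator and the password values below are constructed). A secret that differs on one side, even by a trailing space copied into the clients file, yields a different MD5 key stream, so the server recovers garbage and rejects the user:

```python
import hashlib

def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """NAS side: pad the password with NULs to a multiple of 16 bytes, then XOR
    each 16-byte chunk with MD5(secret + previous chunk), seeding the chain with
    the Request Authenticator that is sent in the clear in the Access-Request."""
    if len(authenticator) != 16:
        raise ValueError("Request Authenticator must be 16 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    if not padded:                      # the attribute is at least 16 bytes long
        padded = b"\x00" * 16
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        chunk = bytes(p ^ k for p, k in zip(padded[i:i + 16], key))
        out += chunk
        prev = chunk                    # next key depends on the ciphertext chunk
    return out

def reveal_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Server side: rebuild the same key stream from its own copy of the secret.
    Trailing NUL padding is stripped, so passwords may not end in a NUL byte."""
    if len(hidden) % 16 or len(authenticator) != 16:
        raise ValueError("malformed User-Password attribute")
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ k for c, k in zip(hidden[i:i + 16], key))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")

def server_accepts(hidden: bytes, authenticator: bytes,
                   server_secret: bytes, expected: bytes) -> bool:
    """What the users-file Password check item amounts to after unhiding."""
    return reveal_password(hidden, server_secret, authenticator) == expected

def demo() -> dict:
    auth = bytes(range(16))             # constructed; a real NAS sends 16 random bytes
    hidden = hide_password(b"flint", b"testing", auth)   # key from 'radius-server key testing'
    return {
        "matching_secret": server_accepts(hidden, auth, b"testing", b"flint"),
        "trailing_space":  server_accepts(hidden, auth, b"testing ", b"flint"),
    }
```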