ssh radius auth without VSA

tibz
Member
Posts: 1
Joined: 08 Sep 2017 11:16

ssh radius auth without VSA

Post by tibz » 08 Sep 2017 11:23

Hello,
I'm trying to have radius auth for administrators working without having to return the VSA.
I've read on this page https://wiki.freeradius.org/vendor/alcatel-lucent that we can return these attributes for full admin:
Xylan-Asa-Access = "all",
Xylan-Acce-Priv-F-W1 = 0xFFFFFFFF,
Xylan-Acce-Priv-F-W2 = 0xFFFFFFFF

This is fine, when I do this, it works.

My problem is that I need to have the auth working WITHOUT having to send these attributes.

Reading this documentation (http://enterprise.alcatel-lucent.com/as ... /os_sw.pdf) there is a user called "default" which I understand can be used for this. The document says on page 247 (9-9): The privilege default is particularly important for users who are authenticated via an ACE/Server, which only supplies username and password information; or for users who are authenticated via a RADIUS or LDAP server on which privileges are not configured.

So I've changed the settings of that "default" user to give him full rw access, but it refuses to work. My radius sends a "request-accepted" but the switch does not let me in because the attributes are not present...

Any idea what is wrong? Or is the documentation just wrong? (or misunderstood by me :-))

Thank you

cavagnaro
Alcatel Unleashed Certified Guru
Posts: 6775
Joined: 14 Sep 2005 19:45
Location: Brasil, Porto Alegre

Re: ssh radius auth without VSA

Post by cavagnaro » 09 Sep 2017 14:33

Don't double post

Ignorance is not the problem, the problem is the one who doesn't want to learn

OTUC/ICS ACFE/ACSE R3.0/4.0/5.0/6.0
Certified Genesys CIV 8.5
Certified Genesys Troubleshooting 8.5
Certified Genesys BEP 8.x
Genesys Developer

silvio
Alcatel Unleashed Certified Guru
Posts: 996
Joined: 01 Jul 2008 10:51
Location: Germany

Re: ssh radius auth without VSA

Post by silvio » 15 Nov 2017 12:03

You can try the command:
aaa authentication default NPS local (where NPS is your configured aaa radius server).
I never tested it. I always use the vendor-specific option.
Regards
Silvio
