Exec authorization with RADIUS

Sep 4th, 2007

Hi guys, I was configuring auth-proxy. I had a



m/c---(inside)router(outside)---internet


Now I want that a normal user is not able to get telnet access to my router; only certain users can have telnet access from the inside. I don't want to use NAR. I want to do this only with RADIUS authorization.


I was looking for controlling the access of the users to the router with the help of RADIUS,


aaa authorization exec default group tacacs+


When I use the above command I know that I can control the shell access by checking the shell box, but when I use the below command


aaa authorization exec default group radius


I was not able to find any particular RADIUS av-pair which can control the exec shell access in respect to the above one.

rochopra Wed, 09/05/2007 - 00:38
User Badges:
  • Cisco Employee,

Following is the av-pair for privilege level 15


shell:priv-lvl=15


In addition, also select attribute 6

Service-type = login


~Rohit
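
As an added example (not part of the original post, and not Cisco code): how the two attributes named above are laid out inside a RADIUS Access-Accept, which helps when reading a packet capture or server debug output to confirm what the router actually received. It assumes the RFC 2865 attribute layout with Cisco's vendor ID 9 and vendor type 1 (cisco-avpair); the function names and the sample bytes are constructed for illustration.

```python
import struct

SERVICE_TYPE = 6       # RFC 2865 attribute 6 (Service-Type)
VENDOR_SPECIFIC = 26   # RFC 2865 attribute 26 (Vendor-Specific)
CISCO_VENDOR_ID = 9    # IANA enterprise number for Cisco
CISCO_AVPAIR = 1       # Cisco vendor type 1 carries "cisco-avpair" strings
SERVICE_TYPES = {1: "Login", 2: "Framed", 6: "Administrative", 7: "NAS-Prompt"}

def encode_service_type(value):
    # Type, length (always 6), 32-bit big-endian value.
    return struct.pack("!BBI", SERVICE_TYPE, 6, value)

def encode_cisco_avpair(text):
    data = text.encode("ascii")
    vsa = struct.pack("!BB", CISCO_AVPAIR, 2 + len(data)) + data
    return struct.pack("!BBI", VENDOR_SPECIFIC, 6 + len(vsa), CISCO_VENDOR_ID) + vsa

def parse_attributes(buf):
    """Return (service_type_name, {avpair_key: value}) from raw attribute bytes."""
    service, avpairs, pos = None, {}, 0
    while pos < len(buf):
        if len(buf) - pos < 2:
            raise ValueError("truncated attribute header")
        attr_type, length = buf[pos], buf[pos + 1]
        if length < 2 or pos + length > len(buf):
            raise ValueError("bad attribute length at offset %d" % pos)
        value = buf[pos + 2:pos + length]
        if attr_type == SERVICE_TYPE and len(value) == 4:
            number = struct.unpack("!I", value)[0]
            service = SERVICE_TYPES.get(number, str(number))
        elif attr_type == VENDOR_SPECIFIC and len(value) >= 6:
            vendor, vtype, vlen = struct.unpack("!IBB", value[:6])
            if vendor == CISCO_VENDOR_ID and vtype == CISCO_AVPAIR and 2 <= vlen <= len(value) - 4:
                key, _, val = value[6:4 + vlen].decode("ascii", "replace").partition("=")
                avpairs[key] = val
        pos += length
    return service, avpairs

# Constructed sample: Service-Type = Login plus the priv-lvl av-pair from the reply above.
SAMPLE = encode_service_type(1) + encode_cisco_avpair("shell:priv-lvl=15")

def summarize(buf):
    service, avpairs = parse_attributes(buf)
    return service, int(avpairs.get("shell:priv-lvl", -1))  # -1 means no level was sent

if __name__ == "__main__":
    print(summarize(SAMPLE))
```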

diptanshusingh Wed, 09/05/2007 - 00:57

Hi Rohit, I am looking to deny a specific user from getting the exec shell of my router with RADIUS authorization. The above attributes will assign a user a priv level 15...

rochopra Thu, 09/06/2007 - 18:00
User Badges:
  • Cisco Employee,

So do not assign any privilege level to the user, or assign privilege level 0.


~Rohit

Premdeep Banga Sat, 09/08/2007 - 08:54
User Badges:
  • Gold, 750 points or more

Hi,


Make use of this,


shell:priv-lvl=15

shell:autocmd=exit


So what will happen with this is, as soon as the user tries to log into the shell, BOOM!, the user will exit out.


NOTE: I have not tried this exactly, but it should work; you might be required to use a separator, ";", i.e.,


shell:priv-lvl=15;

shell:autocmd=exit


Regards,

Prem
