Help with how to setup authorization!

Answered Question
May 12th, 2008

Hi


I've set up RADIUS authentication on my 3560 switch; what I'd like to do next is set up authorization, but I'm struggling to find much on this. In particular I'm actually looking for the process of assigning particular commands to a user. Can someone please advise me on this?


So for example I want user Joe to be allowed to go into interface and VLAN configuration mode and run some show commands, but restrict access to all the others. Any thoughts?


Thanks

Dan

Correct Answer
Pravin Phadte Mon, 05/12/2008 - 09:07

Try this config.



aaa new-model
aaa authentication login vtyline group radius local
aaa authentication login con-none none
aaa authorization exec vtyexec group radius local
aaa authorization exec conexec none
aaa authorization commands 1 comm1 group radius local
aaa authorization commands 1 comm-con-none none
aaa authorization commands 10 comm10 group radius local
aaa authorization commands 10 comm-con-none none
aaa authorization commands 15 comm15 group radius local
aaa authorization commands 15 comm-con-none none
!
username user1 privilege 10 password 7 user1
username user2 privilege 15 password 7 user1
!
privilege exec level 10 show run
privilege exec level 15 show
!
line con 0
 exec-timeout 0 0
 authorization commands 1 comm-con-none
 authorization commands 10 comm-con-none
 authorization commands 15 comm-con-none
 authorization exec conexec
 login authentication con-none
line aux 0
 authorization commands 1 comm-con-none
 authorization commands 10 comm-con-none
 authorization commands 15 comm-con-none
 authorization exec conexec
 login authentication con-none
line vty 0 4
 authorization commands 1 comm1
 authorization commands 10 comm10
 authorization commands 15 comm15
 authorization exec vtyexec
 login authentication vtyline

dan_track Tue, 05/13/2008 - 01:08

Hi


Thanks for the config.


Just a little question: if I have user Joe authenticating via RADIUS, how can I link the username (i.e. Joe) to the privilege level without having to specify a password in the local database? Basically we've got all user details in a single database, with shared access via RADIUS and Active Directory.


In your example you've listed users locally; how could I link them through RADIUS?


Thanks

Dan

Correct Answer
andrew.butterworth Tue, 05/13/2008 - 02:43

Dan, it is possible, but you need to get the user at the privilege level. You can do this two ways. One is to get the user to type enable and then have different passwords/secrets for different levels:

enable password level 10 cisco
enable password level 15 c1sc0

Alternatively (and this is how I do it), you can send the enable level as a Cisco AV-Pair from the RADIUS server so the user is automatically at the required privilege level when they authenticate. I use MS IAS and have multiple Remote-Access policies defined on the servers. I have created security groups in AD (Cisco-Level-10, Cisco-Level-15, etc.). I then make the user a member of the relevant group. I check for group membership via IAS and then map the user to the IAS policy. In each of the policies is a Cisco-AV pair to set the privilege level:

For level 15 users:

shell:priv-lvl=15


For level 10 users:

shell:priv-lvl=10


HTH


Andy
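To show what the Cisco AV-Pair from Andy's answer actually looks like on the wire, here is an added Python example (not code from this thread, IAS or Cisco) that encodes `shell:priv-lvl=N` as a RADIUS Vendor-Specific attribute (type 26, vendor ID 9, vendor type 1 per RFC 2865 and Cisco's dictionary) and parses it back out of an Access-Accept attribute list, falling back to level 1 when the attribute is absent and rejecting out-of-range levels. The sample Access-Accept is constructed here for illustration.

```python
import re
import struct

ATTR_VENDOR_SPECIFIC = 26  # RFC 2865 Vendor-Specific attribute
CISCO_VENDOR_ID = 9        # IANA enterprise number for Cisco
CISCO_AVPAIR_TYPE = 1      # vendor type of Cisco-AVPair

def build_cisco_avpair(value: str) -> bytes:
    """Encode one Cisco-AVPair string as a RADIUS Vendor-Specific attribute."""
    data = value.encode("ascii")
    vendor_part = struct.pack("!BB", CISCO_AVPAIR_TYPE, 2 + len(data)) + data
    body = struct.pack("!I", CISCO_VENDOR_ID) + vendor_part
    return struct.pack("!BB", ATTR_VENDOR_SPECIFIC, 2 + len(body)) + body

def sample_access_accept() -> bytes:
    """Constructed attribute list of an Access-Accept for a level-10 user."""
    service_type = struct.pack("!BBI", 6, 6, 7)  # Service-Type = NAS-Prompt-User
    return service_type + build_cisco_avpair("shell:priv-lvl=10")

def iter_tlvs(blob: bytes):
    """Walk a type/length/value list (RADIUS attributes or Cisco vendor data)."""
    off = 0
    while off + 2 <= len(blob):
        ttype, tlen = blob[off], blob[off + 1]
        if tlen < 2 or off + tlen > len(blob):
            raise ValueError("malformed attribute length")
        yield ttype, blob[off + 2:off + tlen]
        off += tlen

def cisco_avpairs(blob: bytes):
    """Yield the string value of every Cisco-AVPair in an attribute list."""
    for atype, val in iter_tlvs(blob):
        if atype != ATTR_VENDOR_SPECIFIC or len(val) < 6:
            continue
        if struct.unpack("!I", val[:4])[0] != CISCO_VENDOR_ID:
            continue  # some other vendor's VSA
        for vtype, vval in iter_tlvs(val[4:]):
            if vtype == CISCO_AVPAIR_TYPE:
                yield vval.decode("ascii", "replace")

def privilege_level(blob: bytes, default: int = 1) -> int:
    """Privilege level granted via shell:priv-lvl; IOS default of level 1 if absent."""
    for av in cisco_avpairs(blob):
        m = re.fullmatch(r"shell:priv-lvl=(\d{1,2})", av)
        if m:
            lvl = int(m.group(1))
            if not 0 <= lvl <= 15:
                raise ValueError(f"priv-lvl out of range: {lvl}")
            return lvl
    return default
```

Running `privilege_level(sample_access_accept())` returns 10, which is the level the switch would place the user at once `aaa authorization exec ... group radius` is in effect.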
