Help with how to setup authorization!

dan_track (Level 1)

Hi

I've set up RADIUS authentication on my 3560 switch. What I'd like to do next is set up authorization, but I'm struggling to find much on this. In particular I'm actually looking for the process of assigning particular commands to a user; can someone please advise me on this?

So for example I want user joe to be allowed to go into interface and vlan configuration mode and run some show commands but restrict access to all the others, any thoughts?

Thanks

Dan


4 Replies

Pravin Phadte (Level 5)

Try this config.

aaa new-model
aaa authentication login vtyline group radius local
aaa authentication login con-none none
aaa authorization exec vtyexec group radius local
aaa authorization exec conexec none
aaa authorization commands 1 comm1 group radius local
aaa authorization commands 1 comm-con-none none
aaa authorization commands 10 comm10 group radius local
aaa authorization commands 10 comm-con-none none
aaa authorization commands 15 comm15 group radius local
aaa authorization commands 15 comm-con-none none
!
username user1 privilege 10 password 7 user1
username user2 privilege 15 password 7 user1
!
privilege exec level 10 show run
privilege exec level 15 show
!
line con 0
 exec-timeout 0 0
 authorization commands 1 comm-con-none
 authorization commands 10 comm-con-none
 authorization commands 15 comm-con-none
 authorization exec conexec
 login authentication con-none
line aux 0
 authorization commands 1 comm-con-none
 authorization commands 10 comm-con-none
 authorization commands 15 comm-con-none
 authorization exec conexec
 login authentication con-none
line vty 0 4
 authorization commands 1 comm1
 authorization commands 10 comm10
 authorization commands 15 comm15
 authorization exec vtyexec
 login authentication vtyline

Hi

Thanks for the config.

Just a little question: if I have user Joe authenticating via RADIUS, how can I link the username, i.e. Joe, to the privilege level without having to specify a password in the local database? Basically we've got all user details in a single database, shared access via RADIUS and Active Directory.

In your example you've listed users locally; how could I link them through RADIUS?

Thanks

Dan

Dan, it is possible but you need to get the user at the privilege level. You can do this two ways - one is to get the user to type enable and then have different passwords/secrets for different levels:

enable password level 10 cisco

enable password level 15 c1sc0

Alternatively (and this is how I do it) you can send the enable level as a Cisco AV-Pair from the RADIUS server so the user is automatically at the required privilege level when they authenticate. I use MS IAS and have multiple Remote-Access policies defined on the servers. I have created security groups in AD - Cisco-Level-10, Cisco-Level-15 etc. I then make the user a member of the relevant group. I check for group membership via IAS and then map the user to the IAS policy. In each of the policies is a Cisco-AV pair to set the privilege level:

For level 15 users:

shell:priv-lvl=15

For level 10 users:

shell:priv-lvl=10

HTH

Andy
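As an added illustration of what Andy's AV-pair answer relies on (this is example code, not from the thread or from Cisco/IAS): the `shell:priv-lvl=N` string travels inside the RADIUS Vendor-Specific attribute (RFC 2865 attribute 26) with Cisco's enterprise number 9 and vendor sub-attribute 1 (Cisco-AVPair). The block below maps AD-style group names to a level, encodes the attribute the way a RADIUS server would emit it, and parses it back the way a NAS must, ignoring malformed or non-Cisco VSAs and out-of-range levels. The group names `Cisco-Level-10`/`Cisco-Level-15` are taken from Andy's post; the "highest group wins" rule and all byte strings are this example's own assumptions.

```python
"""Encode/decode the Cisco-AVPair "shell:priv-lvl=N" RADIUS VSA.

Added example, not code from the thread. Group names are modelled on the
AD groups mentioned in the discussion; the packet bytes are constructed.
"""
import re
import struct

RADIUS_VSA_TYPE = 26       # RFC 2865 Vendor-Specific attribute
CISCO_VENDOR_ID = 9        # IANA enterprise number for Cisco
CISCO_AVPAIR_TYPE = 1      # Cisco vendor sub-attribute 1 = Cisco-AVPair

# Hypothetical AD group -> IOS privilege level mapping (assumption).
GROUP_LEVELS = {
    "Cisco-Level-15": 15,
    "Cisco-Level-10": 10,
}


def level_for_groups(groups):
    """Highest level granted by any mapped group, or None when the user is
    in no mapped group (no AV-pair is sent; the exec default, level 1, applies)."""
    levels = [GROUP_LEVELS[g] for g in groups if g in GROUP_LEVELS]
    return max(levels) if levels else None


def build_priv_lvl_vsa(level):
    """Encode Cisco-AVPair "shell:priv-lvl=<level>" as one RADIUS VSA.

    Layout: type(26) len | vendor-id(4) | vendor-type(1) vendor-len | value
    """
    if not 0 <= level <= 15:
        raise ValueError("IOS privilege levels are 0-15")
    value = f"shell:priv-lvl={level}".encode("ascii")
    vendor_data = struct.pack("!BB", CISCO_AVPAIR_TYPE, 2 + len(value)) + value
    body = struct.pack("!I", CISCO_VENDOR_ID) + vendor_data
    return struct.pack("!BB", RADIUS_VSA_TYPE, 2 + len(body)) + body


def parse_priv_lvl(attrs):
    """Walk a RADIUS attribute list; return the priv-lvl from the first
    well-formed Cisco-AVPair shell:priv-lvl, else None.

    Truncated attributes stop parsing, non-Cisco or non-AVPair data is
    skipped, and a level outside 0-15 is rejected rather than trusted.
    """
    pos = 0
    while pos + 2 <= len(attrs):
        atype, alen = attrs[pos], attrs[pos + 1]
        if alen < 2 or pos + alen > len(attrs):
            return None  # truncated attribute: do not guess
        data = attrs[pos + 2:pos + alen]
        pos += alen
        if atype != RADIUS_VSA_TYPE or len(data) < 6:
            continue
        if struct.unpack("!I", data[:4])[0] != CISCO_VENDOR_ID:
            continue
        vdata = data[4:]
        vpos = 0
        # One VSA may carry several vendor sub-attributes back to back.
        while vpos + 2 <= len(vdata):
            vtype, vlen = vdata[vpos], vdata[vpos + 1]
            if vlen < 2 or vpos + vlen > len(vdata):
                break
            if vtype == CISCO_AVPAIR_TYPE:
                text = vdata[vpos + 2:vpos + vlen].decode("ascii", "replace")
                m = re.fullmatch(r"shell:priv-lvl=(\d{1,2})", text)
                if m and int(m.group(1)) <= 15:
                    return int(m.group(1))
            vpos += vlen
    return None


if __name__ == "__main__":
    # Constructed Access-Accept attribute list: User-Name "joe" then the VSA.
    groups = ["Domain Users", "Cisco-Level-10"]
    accept = b"\x01\x05joe" + build_priv_lvl_vsa(level_for_groups(groups))
    print(accept.hex(), "->", parse_priv_lvl(accept))
```

Note that "highest group wins" is this example's choice; in Andy's IAS setup the first Remote-Access policy whose conditions match is the one applied, so policy order, not a max(), decides a user who sits in both groups. The parser's refusal to accept a level above 15 or a malformed VSA is the part worth copying: the NAS should only ever raise a session to a level the server explicitly and validly asserted.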

Andrew has a point out there and I feel he has explained it best.

You can refer to this link on Cisco. But it has username and password on the router.

http://www.cisco.com/en/US/tech/tk59/technologies_tech_note09186a008009465c.shtml
