Radius + CW + User Roles

Answered Question
Dec 12th, 2008

I have a group in Active Directory that is allowed access to our network infrastructure, including Cisco Works. When I log in to Cisco Works with an account that is a member of this AD account, I do not get any administrative permissions in Cisco Works. How do I relate the AD group (authenticated via Radius) to an administrative role in Cisco Works?

Edit: If I go into Common Services -> Security -> AAA Mode Setup, I can set up Radius authentication, which works great, but I cannot figure out how to grant server roles to an authenticated user. This is so frustrating.


Overall Rating: 5 (2 ratings)
Joe Clarke Fri, 12/12/2008 - 13:51

You need to add a local account to LMS to provide the authorization piece. The login modules only provide authentication. If you want to do full centralized authentication and authorization, you need to integrate LMS with Cisco Security ACS, and do TACACS+ between LMS and ACS.

Jason Fraioli Mon, 12/15/2008 - 06:22

OK, I created a user account in local user setup that reflects my domain account. I created a bogus password for this account that does not match my domain password.

When I log in to LMS, I can see the following:

Authentication Mode RADIUS

Authorization Mode CiscoWorks Local

I have a couple of questions about this.

1.) Why does the RADIUS sometimes read RADIUS (Fallback Mode) and other times, just RADIUS?

2.) Are there any security risks with me authenticating like this?

Correct Answer
Joe Clarke Mon, 12/15/2008 - 09:43

If you log in as a user who does not have an account in Radius (e.g. admin), then LMS will fall back to local authentication. The users allowed for fallback (admin is the only user by default) can be configured when you switch the login module.

No, what you are doing is the proper way of doing external authentication.
