01-25-2009 01:22 PM
I have radius authentication configured on my ACEs. I can login just fine but I am assigned to the Network-Monitor Role. Where can I configure the role that radius users are assigned to? Is there a return list attribute?
-Joshua
01-26-2009 06:38 AM
I did it via the CLI.
ACE-Top/Admin(config)# username dude password whooa role ?
Admin
Network-Admin
Network-Monitor
Security-Admin
Server-Appln-Maintenance
Server-Maintenance
SLB-Admin
SSL-Admin
Hope that helps.
01-26-2009 08:21 AM
Hi,
See the ACE Security Guide - Chapter 2. You need to set a CiscoAVPair. How you do this will depend on the RADIUS software that you are using. You're being put into Network-Monitor by default. Quote from the manual:
"The user profile attribute serves an important configuration function for a RADIUS server group. If the user profile attribute is not obtained from the server during authentication, or if the profile is obtained from the server but the context name(s) in the profile do not match the context in which the user is trying to log in, a default role (Network-Monitor) and a default domain (default-domain) are assigned to the user if the authentication is successful."
HTH
Cathy
01-26-2009 08:48 AM
Setting a return list attribute of 'shell:Admin=Admin default-domain' resolved the issue. Thanks.
01-29-2009 08:48 AM
Where is the command entered?
01-29-2009 08:54 AM
On the RADIUS server itself. How this is done will depend on the RADIUS application. ACS is different to FreeRADIUS is different to Radiator. You'll need to check the documentation for your RADIUS server to see how it handles AV-Pairs.
HTH
Cathy
04-05-2010 01:25 PM
I'm having the same problem using Free-Radius, where exactly on Free-Radius do we have to enter the return list attribute?
John...
04-06-2010 01:53 PM
Team,
After some tinkering, I was able to authenticate to the ACE module with full admin privileges via radius using free-radius. I used the following steps to get this working:
On the Linux CLI I entered the following command to modify the users file of free-radius: "gedit /etc/raddb/users"
I then added the following to the users file:
# check items on the first line, reply items indented below it (comma-terminated except the last)
admin Auth-Type := Local, User-Password == "password"
	Service-Type = NAS-Prompt-User,
	cisco-avpair = "shell:Admin=Admin default-domain"
I saved the file.
I then stopped and started the radiusd service.
/sbin/service radiusd stop
/sbin/service radiusd start
Regards,
John...
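The two things a practitioner wants to check after following the steps above are that the users-file entry actually parses (the closing quote on the cisco-avpair line is easy to drop) and what role the ACE ends up with when the attribute is missing or names a different context, per the Security Guide excerpt Cathy quoted. The script below is an added example written for this thread; it is not code from the thread, from FreeRADIUS or from Cisco. It assumes the profile syntax "shell:<context>=<role> <domain> [<domain> ...]" (reading the working value "shell:Admin=Admin default-domain" as context Admin, role Admin, domain default-domain), treats an unparsable or non-matching profile as "not obtained", and models the FreeRADIUS reply-item operators as documented in users(5); the entries, the user "ops" and the context "C1" are constructed for the example.

```python
"""Model how an ACE picks a role from a RADIUS reply built by FreeRADIUS.

Added illustration, not code from the thread, FreeRADIUS or Cisco.  Assumed
profile syntax: "shell:<context>=<role> <domain> [<domain> ...]" (the thread's
"shell:Admin=Admin default-domain" names the Admin context, the Admin role and
default-domain).  Per the ACE Security Guide excerpt quoted in the thread, a
profile that is absent or names another context leaves the documented defaults,
Network-Monitor in default-domain.  The users-file entries are constructed.
"""
import re

# Roles as listed by "username ... role ?" earlier in the thread.
ACE_ROLES = {"Admin", "Network-Admin", "Network-Monitor", "Security-Admin",
             "Server-Appln-Maintenance", "Server-Maintenance", "SLB-Admin", "SSL-Admin"}
DEFAULT_ROLE, DEFAULT_DOMAIN = "Network-Monitor", "default-domain"

# One users-file item: attribute, operator, quoted or bare value.
ITEM_RE = re.compile(r'^\s*(?P<attr>[\w-]+)\s*(?P<op>:=|\+=|==|!=|=)\s*'
                     r'(?P<val>"[^"]*"|[^"\s,]+)\s*$')
# Assumed ACE profile syntax: shell:<context>=<role> then one or more domains.
AVPAIR_RE = re.compile(r"^shell:(?P<context>[^=\s]+)=(?P<role>\S+)(?P<domains>(?:\s+\S+)+)\s*$")


def parse_item(text):
    """Parse 'attr op value'; an unterminated quote or odd operator is an error."""
    m = ITEM_RE.match(text)
    if not m:
        raise ValueError("malformed users-file item: %r" % text)
    val = m.group("val")
    return m.group("attr"), m.group("op"), val[1:-1] if val.startswith('"') else val


def parse_users_entry(entry):
    """Return (username, check items, reply items) for one users-file entry.

    Line 1: name plus comma-separated check items; the indented lines that
    follow are reply items.  Reply operators follow users(5): '=' adds only if
    the attribute is absent, ':=' replaces it, '+=' always appends.
    """
    lines = [ln for ln in entry.splitlines() if ln.strip()]
    head = lines[0].split(None, 1) + [""]
    check_items = [parse_item(c) for c in head[1].split(",") if c.strip()]
    reply_items = []
    for ln in lines[1:]:
        attr, op, val = parse_item(ln.strip().rstrip(","))
        if op == "=" and any(a == attr for a, _, _ in reply_items):
            continue
        if op == ":=":
            reply_items = [it for it in reply_items if it[0] != attr]
        reply_items.append((attr, op, val))
    return head[0], check_items, reply_items


def parse_avpair(value):
    """Return (context, role, domains) from a shell:... profile string."""
    m = AVPAIR_RE.match(value)
    if not m or m.group("role") not in ACE_ROLES:
        raise ValueError("unusable ACE profile attribute: %r" % value)
    return m.group("context"), m.group("role"), m.group("domains").split()


def assign_role(reply_items, login_context):
    """(role, domains) for a login into login_context; an unmatched or
    unparsable cisco-avpair counts as 'not obtained', so the defaults apply."""
    for attr, _op, val in reply_items:
        if attr.lower() != "cisco-avpair":
            continue
        try:
            context, role, domains = parse_avpair(val)
        except ValueError:
            continue
        if context == login_context:
            return role, domains
    return DEFAULT_ROLE, [DEFAULT_DOMAIN]


# Constructed entry in the shape shown in the thread, closing quote present.
USERS_ENTRY = '''\
admin Auth-Type := Local, User-Password == "password"
\tService-Type = NAS-Prompt-User,
\tcisco-avpair = "shell:Admin=Admin default-domain"
'''
# Same entry with the closing quote missing, as pasted in the thread.
BROKEN_ENTRY = USERS_ENTRY.replace('default-domain"', "default-domain")
# Two contexts: the second line needs '+='; a second '=' would be dropped.
MULTI_ENTRY = '''\
ops Auth-Type := Local, User-Password == "password"
\tcisco-avpair = "shell:Admin=Network-Monitor default-domain",
\tcisco-avpair += "shell:C1=Network-Admin default-domain"
'''


def demo():
    """Cases a practitioner would check before trusting the mapping."""
    replies = parse_users_entry(USERS_ENTRY)[2]
    multi = parse_users_entry(MULTI_ENTRY)[2]
    out = {"admin into Admin": assign_role(replies, "Admin"),
           "admin into C1": assign_role(replies, "C1"),
           "ops into C1": assign_role(multi, "C1")}
    try:
        parse_users_entry(BROKEN_ENTRY)
        out["broken entry"] = "accepted"
    except ValueError as exc:
        out["broken entry"] = str(exc)
    return out


if __name__ == "__main__":
    for case, result in demo().items():
        print("%-18s -> %s" % (case, result))
```

Running it shows the admin entry granting Admin only when logging into the Admin context and falling back to Network-Monitor/default-domain for any other context, the broken entry being rejected at parse time rather than silently sending a truncated attribute, and the second cisco-avpair line of the two-context entry surviving only because it uses +=. The model is a simplification: it does not consult the server's dictionary, and later FreeRADIUS releases deprecate the Auth-Type := Local check item used in the thread in favour of Cleartext-Password :=, so check your server's documentation for the exact syntax it expects.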
01-26-2009 01:42 PM
Arrr! Totally forgot about that. Good one Cathy.
02-17-2009 12:09 AM
Great topic. I found this very helpful.
Just to add on a bit. Depending on your RADIUS implementation (taking FreeRADIUS for example), if you use multiple cisco-avpair statements you may want to use * instead of = in your attribute statement to make it optional (similar to the 'optional' keyword you may use for TACACS+ authentication for ACE). Without it, authorisation with other IOS devices may break.