ACE Radius Authentication

jrbeining
Level 1

I have radius authentication configured on my ACEs. I can login just fine but I am assigned to the Network-Monitor Role. Where can I configure the role that radius users are assigned to? Is there a return list attribute?

-Joshua

1 Accepted Solution

Accepted Solutions

Collin Clark
VIP Alumni

I did it via the CLI.

ACE-Top/Admin(config)# username dude password whooa role ?
  Admin
  Network-Admin
  Network-Monitor
  Security-Admin
  Server-Appln-Maintenance
  Server-Maintenance
  SLB-Admin
  SSL-Admin

Hope that helps.


9 Replies


ciscocsoc
Level 4

Hi,

See the ACE Security Guide - Chapter 2. You need to set a CiscoAVPair. How you do this will depend on the RADIUS software that you are using. You're being put into Network-Monitor by default. Quote from the manual:

"The user profile attribute serves an important configuration function for a RADIUS server group. If the user profile attribute is not obtained from the server during authentication, or if the profile is obtained from the server but the context name(s) in the profile do not match the context in which the user is trying to log in, a default role (Network-Monitor) and a default domain (default-domain) are assigned to the user if the authentication is successful."

HTH

Cathy

Setting a return list attribute of 'shell:Admin=Admin default-domain' resolved the issue. Thanks.

Where is the command entered?

On the RADIUS server itself. How this is done will depend on the RADIUS application. ACS is different to FreeRADIUS is different to Radiator. You'll need to check the documentation for your RADIUS server to see how it handles AV-Pairs.

HTH

Cathy

I'm having the same problem using Free-Radius, where exactly on Free-Radius do we have to enter the return list attribute?

John...

Team,

After some tinkering, I was able to authenticate to the ACE module with full admin privileges via radius using free-radius. I used the following steps to get this working:

On the linux CLI I entered the following command to modify the users file of free-radius "gedit /etc/raddb/users"

I then added the following to the users file:

admin    Auth-Type := Local, User-Password == "password"
         Service-Type = NAS-Prompt-User,
         cisco-avpair = "shell:Admin=Admin default-domain"

I saved the file.

I then stopped and started the radiusd service:

/sbin/service radiusd stop
/sbin/service radiusd start

Regards,

John...

Arrr! Totally forgot about that. Good one Cathy.

glenn.ong
Level 1

Great topic.. I found this very helpful.

Just to add on a bit. It depends on your RADIUS implementation, but taking freeradius for example, if you use multiple cisco-avpair statements you may want to use * instead of = in your attribute statement to make it optional (similar to the 'optional' keyword you may use for TACACS+ authentication for ACE). Without it, authorisation with other IOS devices may break.
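To make the role-assignment rule from the manual quote above concrete, here is an added example (not from this thread or from Cisco) that models how the ACE picks a role and domain from the cisco-avpair values it receives. It assumes the profile format "shell:<context>=<role> <domain> [<domain>...]", with '*' in place of '=' marking the pair optional as in the previous reply; both are assumptions beyond the single "shell:Admin=Admin default-domain" value shown in the thread.

```python
import re

# Defaults the ACE applies when no usable profile matches the login context
# (quoted from the manual in the reply above).
DEFAULT_ROLE = "Network-Monitor"
DEFAULT_DOMAIN = "default-domain"

# Assumed format: shell:<context>=<role> <domain> [<domain>...]
# '*' instead of '=' is the optional form; role and at least one domain are required.
_PROFILE_RE = re.compile(
    r"^shell:(?P<ctx>[^=*\s]+)(?P<op>[=*])(?P<role>\S+)(?P<domains>(?:\s+\S+)+)\s*$"
)


def parse_profile(avpair):
    """Return (context, role, domains, mandatory) for an ACE user-profile pair,
    or None for any other cisco-avpair value (e.g. priv-lvl pairs meant for IOS)."""
    m = _PROFILE_RE.match(avpair.strip())
    if m is None:
        return None
    return (
        m.group("ctx"),
        m.group("role"),
        m.group("domains").split(),
        m.group("op") == "=",  # '=' mandatory, '*' optional
    )


def assign_role(avpairs, login_context):
    """Apply the rule: a profile whose context matches the context the user logs
    into wins; a missing profile or a context mismatch falls back to the defaults,
    which is exactly why a user lands in Network-Monitor with nothing configured."""
    for value in avpairs:
        parsed = parse_profile(value)
        if parsed is None:
            continue
        ctx, role, domains, _mandatory = parsed
        if ctx == login_context:
            return role, domains
    return DEFAULT_ROLE, [DEFAULT_DOMAIN]


if __name__ == "__main__":
    # Constructed Access-Accept reply values, one per cisco-avpair attribute.
    reply = ["shell:Admin*Admin default-domain", "shell:C1=SLB-Admin dom1 dom2"]
    print(assign_role(reply, "Admin"))  # ('Admin', ['default-domain'])
    print(assign_role(reply, "C2"))     # ('Network-Monitor', ['default-domain'])
```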
