Multiple shell AVPair entries

Unanswered Question
Jan 27th, 2009

Is it possible to have multiple RADIUS shell: AVPair entries for a single user/profile? I want to be able to use 'shell:priv-lvl=15' to manage our switches and 'shell:Admin=Admin default-domain' to manage our ACEs. What I am finding is that when I configure both I cannot get into our switches. Also, is there a document that explains how Cisco devices process the RADIUS attributes? Thanks.

darpotter Tue, 01/27/2009 - 12:56

From an ACS and purely RADIUS perspective - yes, this is fine.


As to what the switch does - anyone's guess as this stuff is rarely documented. I've trawled CCO many times to find which cisco-av-pairs exist let alone which devices support them.


If you can get some low level AAA debug off the switch you might find what it's doing with the av-pairs.


Good luck!

jrbeining Wed, 01/28/2009 - 10:29

The switches were complaining about an unknown mandatory AV:


Jan 28 10:12:57.633 PST: AAA/AUTHOR/EXEC: received unknown mandatory AV: Admin=Admin default-domain


In order to resolve this I defined the AV as optional with a '*' instead of an '=':


shell:Admin*Admin default-domain


Thanks.


-Joshua
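
The mandatory ('=') versus optional ('*') behaviour described in this thread, as an added example that is not code from either poster or from Cisco. It parses the AV pairs quoted above and models a device that refuses exec authorization when it receives a mandatory AV it does not recognise; the function names and the set of attributes the switch understands (`SWITCH_KNOWN`) are assumptions made for illustration.

```python
import re
from typing import NamedTuple, Optional

# protocol:attribute<sep>value, where '=' marks the AV mandatory and '*' optional
AVPAIR_RE = re.compile(
    r"^(?P<protocol>[^:=*]+):(?P<attribute>[^=*]+)(?P<sep>[=*])(?P<value>.*)$"
)

class AVPair(NamedTuple):
    protocol: str
    attribute: str
    mandatory: bool
    value: str

class Decision(NamedTuple):
    permitted: bool
    applied: dict                # attributes the device understood and used
    ignored: list                # optional AVs the device did not recognise
    rejected_on: Optional[str]   # the unknown mandatory AV, if any

def parse_avpair(raw: str) -> AVPair:
    m = AVPAIR_RE.match(raw.strip())
    if m is None:
        raise ValueError(f"not a protocol:attribute[=|*]value AV pair: {raw!r}")
    return AVPair(m["protocol"], m["attribute"], m["sep"] == "=", m["value"])

def authorize_exec(avpairs, known_attributes) -> Decision:
    """Simplified model: an unknown mandatory AV fails authorization,
    an unknown optional AV is skipped."""
    applied, ignored = {}, []
    for raw in avpairs:
        av = parse_avpair(raw)
        if av.attribute in known_attributes:
            applied[av.attribute] = av.value
        elif av.mandatory:
            return Decision(False, {}, ignored, raw)
        else:
            ignored.append(raw)
    return Decision(True, applied, ignored, None)

SWITCH_KNOWN = {"priv-lvl"}  # assumption: the only shell attribute this switch knows

if __name__ == "__main__":
    # Profiles built from the AV pairs quoted in the thread
    before = ["shell:priv-lvl=15", "shell:Admin=Admin default-domain"]
    after = ["shell:priv-lvl=15", "shell:Admin*Admin default-domain"]
    print(authorize_exec(before, SWITCH_KNOWN))
    print(authorize_exec(after, SWITCH_KNOWN))
```
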
