Which IETF RADIUS attribute is used for assigning read-only access?

Unanswered Question
Feb 5th, 2009

In my network I have different devices, and authentication to the devices is via ACS with RADIUS (IETF).

To some users I want to configure read-only access to these devices, which are all sharing the RADIUS IETF attributes between ACS.

Thanks & Regards


Ivan Martinon Fri, 02/06/2009 - 14:44

Read-only, full access and user access all depend on the privilege level that the user is assigned via the authentication server. This is not as simple as setting a value on RADIUS that the router will understand as defining only read access for some users. You have to play with the privilege-level Vendor Specific Attribute (shell:priv-lvl=#); when you do this, what you will do is put the user into a specific mode: user mode 0 or 1, 2-14 (custom), or EXEC mode (15). However, after doing this you need to give users access to specific commands. What I mean is that if you place the user at level 1, when the user issues show run or some other command, the only thing he will be able to do is see the configuration for the commands, or the parts of it, that are relevant to privilege level 1. My advice is to use TACACS instead and perform command authorization:


ganeshhiyer Sun, 02/08/2009 - 22:36

Thanks for the reply, but my concern is that I am using a non-Cisco device, and authentication of users on these devices is done via ACS.

So I need to segregate user privilege via a RADIUS protocol attribute.



Ivan Martinon Mon, 02/09/2009 - 08:20

In that case you will need to check with your device vendor what value they expect to receive when giving the privilege level. On Cisco boxes the privilege level Vendor Specific Attribute is "shell:priv-lvl=#".

ansalaza Mon, 02/16/2009 - 10:21

Here is some related info:

RADIUS Exec Authorization

There is no command to enable RADIUS exec authorization. The alternative is to set the Service-Type (RADIUS attribute 6) to Administrative (a value of 6) in the RADIUS server to launch the user into enable mode in the RADIUS server. If the service-type is set for anything other than 6-administrative, for example, 1-login, 7-shell, or 2-framed, the user arrives at the switch exec prompt, but not the enable prompt.


IETF RADIUS Attributes

[006] Service-Type= [1-7]

Same values apply for IOS:

Configuring Authorization
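
To make the two mechanisms in this thread concrete (the IETF Service-Type = 6 "Administrative" value quoted in this post, and the Cisco shell:priv-lvl=# VSA from Ivan's replies), here is an added Python example that is not part of the original thread, of ACS, or of Cisco's documentation. It encodes the attributes of an Access-Accept for a read-only user (priv-lvl 1, Service-Type NAS-Prompt) and for an administrative user (priv-lvl 15, Service-Type Administrative), builds and verifies the Response Authenticator, and decodes the TLVs back. The precedence rule in effective_privilege(), the shared secret "testing123" and the sample request authenticator are constructed assumptions for illustration, not documented IOS behaviour; a non-Cisco NAS will use its own vendor ID and attribute, as Ivan's second reply says.

```python
"""Added example (not from the thread or Cisco's docs): encode and decode the RADIUS
attributes discussed above, so the read-only vs. administrative Access-Accept can be
seen on the wire.

Assumptions: RFC 2865 attribute layout; Cisco vendor ID 9 with Cisco-AVPair sub-type 1
(IANA registrations); the precedence rule in effective_privilege() is a simplification
of IOS behaviour for illustration only.
"""
import hashlib
import hmac
import struct

# IETF attribute types (RFC 2865)
SERVICE_TYPE = 6
VENDOR_SPECIFIC = 26

# Service-Type values (RFC 2865 section 5.6)
SERVICE_TYPE_LOGIN = 1
SERVICE_TYPE_ADMINISTRATIVE = 6
SERVICE_TYPE_NAS_PROMPT = 7

CISCO_VENDOR_ID = 9   # IANA enterprise number for Cisco
CISCO_AVPAIR = 1      # vendor sub-attribute carrying "key=value" strings


def encode_integer_attr(attr_type: int, value: int) -> bytes:
    """Type | Length | 4-byte big-endian integer (always 6 bytes on the wire)."""
    return struct.pack("!BBI", attr_type, 6, value)


def encode_cisco_avpair(avpair: str) -> bytes:
    """Vendor-Specific (26): Vendor-Id 9, then one Cisco-AVPair sub-attribute."""
    data = avpair.encode("ascii")
    sub = struct.pack("!BB", CISCO_AVPAIR, 2 + len(data)) + data
    value = struct.pack("!I", CISCO_VENDOR_ID) + sub
    if 2 + len(value) > 255:
        raise ValueError("Vendor-Specific attribute exceeds 255 bytes")
    return struct.pack("!BB", VENDOR_SPECIFIC, 2 + len(value)) + value


def build_accept_attributes(privilege_level: int, service_type: int) -> bytes:
    """Attribute list for an Access-Accept: Service-Type plus shell:priv-lvl=N."""
    if not 0 <= privilege_level <= 15:
        raise ValueError("IOS privilege levels are 0..15")
    return (encode_integer_attr(SERVICE_TYPE, service_type)
            + encode_cisco_avpair(f"shell:priv-lvl={privilege_level}"))


def build_access_accept(identifier, request_authenticator, attributes, secret):
    """RFC 2865 section 3: Response Authenticator =
    MD5(Code + Identifier + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", 2, identifier, 20 + len(attributes))  # Code 2 = Access-Accept
    resp_auth = hashlib.md5(header + request_authenticator + attributes + secret).digest()
    return header + resp_auth + attributes


def verify_access_accept(pkt, request_authenticator, secret) -> bool:
    """Client-side check of the Response Authenticator before trusting any attribute."""
    if len(pkt) < 20 or struct.unpack("!H", pkt[2:4])[0] != len(pkt):
        return False
    expected = hashlib.md5(pkt[:4] + request_authenticator + pkt[20:] + secret).digest()
    return hmac.compare_digest(expected, pkt[4:20])


def decode_attributes(blob: bytes) -> list:
    """Walk the TLV list; returns (name, value) pairs and rejects malformed lengths."""
    out, i = [], 0
    while i < len(blob):
        if i + 2 > len(blob):
            raise ValueError("truncated attribute header")
        t, length = blob[i], blob[i + 1]
        if length < 2 or i + length > len(blob):
            raise ValueError(f"bad length {length} for attribute {t}")
        val = blob[i + 2:i + length]
        if t == SERVICE_TYPE and len(val) == 4:
            out.append(("Service-Type", struct.unpack("!I", val)[0]))
        elif t == VENDOR_SPECIFIC and len(val) >= 4:
            vendor_id = struct.unpack("!I", val[:4])[0]
            j = 4
            while j + 2 <= len(val):
                vt, vl = val[j], val[j + 1]
                if vl < 2 or j + vl > len(val):
                    raise ValueError("bad vendor sub-attribute length")
                vdata = val[j + 2:j + vl]
                if vendor_id == CISCO_VENDOR_ID and vt == CISCO_AVPAIR:
                    out.append(("Cisco-AVPair", vdata.decode("ascii", "replace")))
                else:
                    out.append((f"VSA({vendor_id}/{vt})", vdata))
                j += vl
        else:
            out.append((f"Attr({t})", val))
        i += length
    return out


def effective_privilege(attrs) -> int:
    """Simplified model of what the thread describes (an assumption, not a spec):
    an explicit shell:priv-lvl wins; otherwise Service-Type Administrative (6)
    lands the user at enable (15); anything else leaves them at user EXEC (1)."""
    level, service_type = None, None
    for name, value in attrs:
        if name == "Cisco-AVPair" and value.startswith("shell:priv-lvl="):
            level = int(value.split("=", 1)[1])
        elif name == "Service-Type":
            service_type = value
    if level is not None:
        return level
    return 15 if service_type == SERVICE_TYPE_ADMINISTRATIVE else 1


if __name__ == "__main__":
    # Constructed sample: a read-only reply and an admin reply to the same request.
    req_auth = bytes(range(16))  # would be copied from the Access-Request
    for lvl, st in ((1, SERVICE_TYPE_NAS_PROMPT), (15, SERVICE_TYPE_ADMINISTRATIVE)):
        attrs = build_accept_attributes(lvl, st)
        pkt = build_access_accept(42, req_auth, attrs, b"testing123")
        print(pkt.hex(), verify_access_accept(pkt, req_auth, b"testing123"))
        print(decode_attributes(attrs), "->", effective_privilege(decode_attributes(attrs)))
```

On the server these are the same two attributes you would put in the user's profile (Service-Type and the Cisco-AVPair string); as the first reply notes, priv-lvl 1 only limits which commands the EXEC shell accepts and does not by itself give per-command control.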


