02-09-2009 01:19 PM - edited 03-06-2019 03:56 AM
Hello. I was wondering if anyone had implemented a radius server that would allow for logins to switches and routers to be able to control what level of access a user had. An example might be that if the main network guy wanted full access, he could log in and authenticate through a radius server (something like IAS) and get the level of permissions he needs to administer the switch. And the JR network guy comes along and does the same, but with a smaller set of abilities. Can this be done with radius authentication integrated with AD?
02-09-2009 01:27 PM
You need TACACS+
http://www.cisco.com/en/US/tech/tk59/technologies_tech_note09186a0080094e99.shtml
Router Management
RADIUS does not allow users to control which commands can be executed on a router and which cannot. Therefore, RADIUS is not as useful for router management or as flexible for terminal services.
HTH,
__
Edison.
Please rate helpful posts
02-09-2009 01:54 PM
As Edison says, for command authorisation you need TACACS+. However...
I have implemented what I think is a good workaround using MS IAS. What I have is multiple IAS policies for terminal access, each one representing a privilege level; in the advanced settings for each policy I push down a Cisco AV pair that sets the privilege level (shell:priv-lvl=15). In AD I have the equivalent Security Groups configured and I make users members of the relevant group, i.e. someone who requires full access to the switches and routers has Level-15 access and matches the Level-15 IAS policy. Someone who can only log in and get level-0 privilege matches the Level-0 policy and gets the AV pair shell:priv-lvl=0.
You also need to configure your IOS devices to change the privilege level of certain commands, however once you have a template it is pretty easy to apply this to all your IOS devices.
As I said this isn't a replacement for TACACS+ as that allows each command to be authorised, but I think it's a neat workaround. Plus if you use IAS as the Radius Server it's included in the OS.
HTH
Andy
02-10-2009 06:39 AM
I've never used a TACACS server before. Is there a free version available?
Also, I like the IAS solution Andrew, as I'm a little more familiar with it. Is there any way you could provide more detail on that?
02-10-2009 07:50 AM
With regards to IAS this is what I have done, however you can make it more or less complex as I only have three privilege levels:
I have created three Global Security Groups in AD - each representing an IOS privilege level - Level-0, Level-1 and Level-15.
I then make the user a member of the appropriate group.
In IAS I then have three separate policies, each representing the Privilege Level (I actually have more but the policy conditions are different - i.e. VPN, dot1x etc).
For admission to each IAS policy I match against 'Windows-Group matches=xxxx' (where 'xxxx' represents the AD Global Security group), 'NAS-Port-Type matches=Async (modem) or Virtual (VPN)' and 'Authentication Type matches=PAP'.
In the Advanced tab for each policy I have the two RADIUS Standard attributes 'Reply-Message' and 'Service-Type' selected, plus the Cisco-AV-Pair. The Service-Type is set to 'NAS Prompt' and the Reply-Message is set to 'Level X login successful, access time recorded' - this is just text though and is displayed after a user successfully logs in and can be anything you wish. The Cisco-AV-Pair is set to 'shell:priv-lvl=X' where 'X' is the privilege level.
On each of the IOS devices I have the configuration:
aaa new-model
!
!
aaa group server radius IAS-Servers
server 10.1.1.1 auth-port 1812 acct-port 1813
server 10.2.2.2 auth-port 1812 acct-port 1813
ip radius source-interface Loopback0
!
aaa authentication login default group IAS-Servers local
aaa authentication enable default group IAS-Servers enable
aaa authorization console
aaa authorization exec default group IAS-Servers if-authenticated
!
radius-server host 10.1.1.1 auth-port 1812 acct-port 1813 key xxxxxxxxxxxx
radius-server host 10.2.2.2 auth-port 1812 acct-port 1813 key xxxxxxxxxxxx
!
There are additional commands on some IOS devices for different access (VPN, 802.1x & WEBVPN), however this is the basics and you should be able to work out how to get the other stuff working quite easily.
Additionally I have added some commands to change the privilege level of certain commands using the global configuration command:
privilege
HTH
Andy
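To make the IAS reply concrete, here is an added example (not code from the thread or from Cisco) that builds the Access-Accept such a policy would return and, on the receiving side, verifies the RFC 2865 Response Authenticator before trusting the Service-Type and shell:priv-lvl attributes. The identifier, request authenticator and shared secret are constructed sample values.

```python
import hashlib
import struct

# RFC 2865 attribute numbers and the Cisco VSA (vendor ID 9, cisco-avpair type 1)
ATTR_SERVICE_TYPE, ATTR_REPLY_MESSAGE, ATTR_VENDOR_SPECIFIC = 6, 18, 26
CISCO_VENDOR_ID, CISCO_AVPAIR, SERVICE_TYPE_NAS_PROMPT = 9, 1, 7

def build_access_accept(ident, request_auth, secret, priv_lvl, reply_msg):
    """Build an Access-Accept carrying Service-Type=NAS-Prompt, Reply-Message
    and the Cisco AV pair shell:priv-lvl=<N>, as the IAS policy above sends."""
    attrs = struct.pack("!BBI", ATTR_SERVICE_TYPE, 6, SERVICE_TYPE_NAS_PROMPT)
    msg = reply_msg.encode()
    attrs += struct.pack("!BB", ATTR_REPLY_MESSAGE, 2 + len(msg)) + msg
    avpair = f"shell:priv-lvl={priv_lvl}".encode()
    vsa = struct.pack("!BB", CISCO_AVPAIR, 2 + len(avpair)) + avpair
    attrs += struct.pack("!BBI", ATTR_VENDOR_SPECIFIC, 6 + len(vsa), CISCO_VENDOR_ID) + vsa
    header = struct.pack("!BBH", 2, ident, 20 + len(attrs))  # code 2 = Access-Accept
    # Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attributes+Secret)
    resp_auth = hashlib.md5(header + request_auth + attrs + secret).digest()
    return header + resp_auth + attrs

def parse_access_accept(packet, request_auth, secret):
    """Return the decoded attributes, or None if the reply does not verify.
    Nothing in the packet is trusted before the authenticator matches."""
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != 2 or length != len(packet):
        return None
    attrs = packet[20:]
    expected = hashlib.md5(packet[:4] + request_auth + attrs + secret).digest()
    if expected != packet[4:20]:
        return None  # forged reply or wrong shared secret
    result, pos = {}, 0
    while pos + 2 <= len(attrs):
        t, l = attrs[pos], attrs[pos + 1]
        if l < 2 or pos + l > len(attrs):
            return None  # malformed attribute length
        value = attrs[pos + 2:pos + l]
        if t == ATTR_SERVICE_TYPE:
            result["service_type"] = struct.unpack("!I", value)[0]
        elif t == ATTR_REPLY_MESSAGE:
            result["reply_message"] = value.decode()
        elif t == ATTR_VENDOR_SPECIFIC and struct.unpack("!I", value[:4])[0] == CISCO_VENDOR_ID:
            vt, vl = value[4], value[5]  # vendor-type, vendor-length (incl. these 2 bytes)
            av = value[6:4 + vl].decode()
            if vt == CISCO_AVPAIR and av.startswith("shell:priv-lvl="):
                result["priv_lvl"] = int(av.split("=", 1)[1])
        pos += l
    return result
```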
02-10-2009 11:13 AM
Thanks Andrew. Thank you very much.
02-19-2009 01:02 PM
Andy ,
I have something like you have in the IAS set-up, but I can't get the accounting to work properly. It displays username/workstation, but does not want to log the commands issued on the device.
Any advice?
Thanks,
Vlad
02-21-2009 04:25 AM
I don't think this is possible with Radius. I just tried adding the command 'aaa accounting commands 15 default start-stop group Radius-Servers' and I get an error telling me the server-group 'Radius-Servers' is not a tacacs+ server group:
091058: Feb 21 12:23:14: %AAAA-4-SERVNOTACPLUS: The server-group "Radius-Servers" is not a tacacs+ server group. Please define "Radius-Servers" as a tacacs+ server group.
This was on a Catalyst 3550 running the latest IOS.
Andy
03-08-2009 11:42 AM
I can't seem to get my wireless AP1230 to work. All my AP hostnames start with "caap" so I have
Remote Access Policy:
Client-Friendly-Name matches "caap*"
Windows-Group is tied to my AD security group
Service-Type is set to Radius Login
Cisco-AV-Pair is set to shell:priv-lvl=15
and "Grant Remote Access permission" is checked
On the AP, I have
aaa authentication login SECURE group radius local enable
aaa authorization exec SECURE group radius local
radius-server host
radius-server host
line vty 0 15
authorization exec SECURE
login authentication SECURE
This works for my routers/switches but not for the AP. Any ideas why APs are different?