Anyone configured Windows Radius for switch/router access?

Unanswered Question
Mar 7th, 2012

Hello,

I have successfully configured a Windows 2008 NPS (radius) server to authenticate users when logging into a test router; I used this link: http://aaronwalrath.wordpress.com/2010/06/22/install-windows-2008-r2-nps-for-radius-authentication-for-cisco-router-logins/

Anyway this gives users level 15 priv and they need to access the enable password to edit. How can I get it so I have 2 groups, admins and read-only users, so when the admin logs in they have full rights and if the read-only users log in they can only view the config and not make any changes?

Thanks

NkiwaneMG Wed, 03/07/2012 - 06:49

The trick is that you have to give the level of access per group. Each group should have their own Connection Request Policy and Network Policy which in the end will determine the access level.

By using the Vendor attribute: Cisco-AV-Pair  shell:priv-lvl=15, you are giving that group level 15 access.

So you have to change yours accordingly:

I have my own blog with this set up on:

http://aplustoccie.blogspot.com/2012/02/how-to-make-nps-your-radius.html

Hope it helps.

Whiteford_2 Wed, 03/07/2012 - 08:01

Hi,

I'm just stuck on the last part of your tutorial:

line vty 0 4

login authentication vty <<<------- Make sure this is the same as in the aaa authentication login

1.)  What should it be?

2.)  How can I set up a policy to give a user just read only permission to the CLI?

Thanks

NkiwaneMG Wed, 03/07/2012 - 08:14

What I meant is that whatever you put on this line has to be the same as the parameter you set on this aaa line:

aaa authentication login vty group radius local-case [this is case sensitive]. If you have VTY there, then it should be the same on both lines.

The users' login access is controlled on the NPS.

The Vendor specific attribute controls that part.

shell:priv-lvl=15  gives the Level 15

  • privilege level 1 = non-privileged (prompt is router>), the default level for logging in

  • privilege level 15 = privileged (prompt is router#), the level after going into enable mode

  • privilege level 0 = seldom used, but includes 5 commands: disable, enable, exit, help, and logout

So you choose the one you want.

There are also ways of assigning the commands that can be used, using the AAA templates and such, so let me know what else you need.

Whiteford_2 Wed, 03/07/2012 - 08:37

Thanks,

What is the Connection Request Policy used for? I put the IP of my PC in to give it access and it worked, but it also works if I disable it.

Regards

Whiteford_2 Wed, 03/07/2012 - 08:52

So is it possible to give users in one Windows Active Directory group priv 15 access and another group, say, priv 3 access, but we can define the commands they need?


Thanks

Whiteford_2 Wed, 03/07/2012 - 10:12

Thanks, but what I don't understand is where this custom priv access gets configured in your radius instructions. I can get level 15 working, but for this second group what do I need to do, as I need 2 types of users?

Kind regards

NkiwaneMG Wed, 03/07/2012 - 10:26

You need to specify different policies for the two groups.

If on your AD, you have network admins, and helpdesk, you need to specify them in step 10 on network policy.

You can have the same connection policy for both and then a different network policy for each group. The access level will be determined by the group and the VA specified on the shell:priv-lvl=15 [network admins] or shell:priv-lvl=7 [for helpdesk] attribute on each of the Network policies.
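As an added illustration (not code from NkiwaneMG's post or his blog), the following Python builds and parses the RFC 2865 Vendor-Specific attribute (type 26, Cisco vendor ID 9, vendor type 1 for cisco-avpair) that an NPS network policy returns to carry shell:priv-lvl, using the two group-to-level mappings from this post; the group names and the Service-Type sample attribute are assumptions.

```python
import struct

RADIUS_ATTR_VSA = 26        # RFC 2865 Vendor-Specific attribute type
CISCO_VENDOR_ID = 9         # IANA enterprise number for Cisco
CISCO_AVPAIR_TYPE = 1       # vendor type of cisco-avpair inside the VSA

# One NPS network policy per AD group, as the post describes (group names assumed).
GROUP_PRIV_LEVEL = {"network admins": 15, "helpdesk": 7}


def encode_cisco_avpair(value: str) -> bytes:
    """Encode one cisco-avpair string as a RADIUS Vendor-Specific attribute."""
    data = value.encode("ascii")
    vendor_len = 2 + len(data)          # vendor-type + vendor-length + string
    attr_len = 2 + 4 + vendor_len       # type + length + vendor-id + vendor data
    if attr_len > 255:
        raise ValueError("cisco-avpair too long for a single RADIUS attribute")
    return (struct.pack("!BBI", RADIUS_ATTR_VSA, attr_len, CISCO_VENDOR_ID)
            + struct.pack("!BB", CISCO_AVPAIR_TYPE, vendor_len) + data)


def priv_lvl_avpair_for_group(group: str) -> bytes:
    """The attribute each group's network policy returns in its Access-Accept."""
    return encode_cisco_avpair(f"shell:priv-lvl={GROUP_PRIV_LEVEL[group]}")


def decode_cisco_avpairs(attrs: bytes) -> list:
    """Walk a RADIUS attribute list and return every cisco-avpair string in it."""
    pairs, pos = [], 0
    while pos + 2 <= len(attrs):
        atype, alen = attrs[pos], attrs[pos + 1]
        if alen < 2 or pos + alen > len(attrs):
            raise ValueError("malformed RADIUS attribute length")
        body = attrs[pos + 2:pos + alen]
        if atype == RADIUS_ATTR_VSA and len(body) >= 6:
            vendor_id = struct.unpack("!I", body[:4])[0]
            vtype, vlen = body[4], body[5]
            if vendor_id == CISCO_VENDOR_ID and vtype == CISCO_AVPAIR_TYPE and vlen == len(body) - 4:
                pairs.append(body[6:].decode("ascii", errors="replace"))
        pos += alen
    return pairs


def priv_lvls(attrs: bytes) -> list:
    """All shell:priv-lvl values in an attribute list; a correct policy yields exactly one."""
    return [int(p.split("=", 1)[1]) for p in decode_cisco_avpairs(attrs)
            if p.startswith("shell:priv-lvl=")]


# Constructed sample: Service-Type = Administrative-User (6) followed by the helpdesk VSA.
SAMPLE_ACCEPT_ATTRS = struct.pack("!BBI", 6, 6, 6) + priv_lvl_avpair_for_group("helpdesk")
```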

dwebber10 Thu, 08/16/2012 - 10:25

Hope someone is still following this thread.

I have done the conf Mandlenkosi Nkiwane suggested:

but then when I try to authenticate with the user in the group I always get level 15:

router1(config)#
*Aug 16 16:57:31.395: AAA/BIND(0000148F): Bind i/f
*Aug 16 16:57:35.199: AAA/AUTHOR/EXEC(0000148F): processing AV priv-lvl=1
*Aug 16 16:57:35.199: AAA/AUTHOR/EXEC(0000148F): processing AV priv-lvl=15
*Aug 16 16:57:35.199: AAA/AUTHOR/EXEC(0000148F): processing AV service-type=6
*Aug 16 16:57:35.199: AAA/AUTHOR/EXEC(0000148F): Authorization successful
*Aug 16 16:57:46.427: AAA/BIND(00001490): Bind i/f
router1(config)#
router1(config)#

Any suggestion?
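An added example, not from dwebber10 or anyone else in the thread: this Python parses the IOS "debug aaa authorization" output quoted above, groups the processed AV pairs by session ID, and flags sessions where more than one distinct priv-lvl value was processed (as in the post, 1 and 15), so the operator knows which session to check against the NPS network policies; the sample lines are the ones quoted in the post, and the regexes assume that line format.

```python
import re
from collections import defaultdict

# Sample debug lines taken from dwebber10's post above (one EXEC authorization session).
SAMPLE_DEBUG = """\
*Aug 16 16:57:31.395: AAA/BIND(0000148F): Bind i/f
*Aug 16 16:57:35.199: AAA/AUTHOR/EXEC(0000148F): processing AV priv-lvl=1
*Aug 16 16:57:35.199: AAA/AUTHOR/EXEC(0000148F): processing AV priv-lvl=15
*Aug 16 16:57:35.199: AAA/AUTHOR/EXEC(0000148F): processing AV service-type=6
*Aug 16 16:57:35.199: AAA/AUTHOR/EXEC(0000148F): Authorization successful
*Aug 16 16:57:46.427: AAA/BIND(00001490): Bind i/f
"""

# Line shapes assumed from the quoted output; BIND lines are deliberately not matched.
AV_RE = re.compile(r"AAA/AUTHOR/EXEC\((?P<sid>[0-9A-Fa-f]+)\): processing AV (?P<key>[^=\s]+)=(?P<val>\S+)")
RESULT_RE = re.compile(r"AAA/AUTHOR/EXEC\((?P<sid>[0-9A-Fa-f]+)\): Authorization (?P<res>\w+)")


def parse_exec_authz(text: str) -> dict:
    """Group EXEC authorization debug output by session ID: AV pairs seen and the verdict."""
    sessions = defaultdict(lambda: {"avpairs": [], "result": None})
    for line in text.splitlines():
        m = AV_RE.search(line)
        if m:
            sessions[m["sid"]]["avpairs"].append((m["key"], m["val"]))
            continue
        m = RESULT_RE.search(line)
        if m:
            sessions[m["sid"]]["result"] = m["res"]
    return dict(sessions)


def priv_lvl_conflicts(sessions: dict) -> dict:
    """Sessions in which more than one distinct priv-lvl value was processed."""
    conflicts = {}
    for sid, info in sessions.items():
        levels = sorted({int(v) for k, v in info["avpairs"] if k == "priv-lvl"})
        if len(levels) > 1:
            conflicts[sid] = levels
    return conflicts
```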

root_taker Fri, 03/29/2013 - 13:14

Daniele,

When I configure this I always configure authorization on the vty line specifically. So for instance:

aaa new-model

aaa group server radius RADIUS_SERVERS
 server name RADIUS01

aaa authentication login VTY local group RADIUS_SERVERS
aaa authorization exec VTY local group RADIUS_SERVERS

radius server RADIUS01
 address ipv4 192.168.1.2 auth-port 1645 acct-port 1646
 key 0 radiuskey
 
line vty 0 4
 authorization exec VTY   <-- this seems to get the av-pair info and apply it to the session
 login authentication VTY
 transport input ssh

I wrote an article on this and have it posted here if you need more details:

http://technologyordie.com/cisco-privilege-level-access-with-radius-and-nps-server

This Discussion

Posted March 7, 2012 at 5:56 AM