Cisco-AVPair multiple attributes in a string

gdelpanta
Level 1

Hi,

I'm deploying auth-proxy services on my ISR 1861. I'm using the Cloudessa public RADIUS service.

It works fine. I have only one problem. It seems that in group policies I can define only one Cisco-AVPair string attribute.

Let me try to explain better ... I can choose all the RFC and well-known vendor attributes ... I can select multiple attribute types (Session-Timeout, Service-Type, and so on ...) and I can insert the desired value for each of these attributes ... the attributes are correctly sent to the router (debug radius). If I insert a Cisco-AVPair attribute I can insert a string with one attribute on a single line ... for example auth-proxy:priv-lvl=15 (mandatory) ... but I can't add another Cisco-AVPair attribute string to add the ACL ...

for example

auth-proxy:proxyacl#1=deny ip any 62.149.128.40

auth-proxy:proxyacl#2=permit ip any any

so the question is ...

Is there a way to insert, in a single Cisco-AVPair attribute string, for example:

auth-proxy:priv-lvl=15

auth-proxy:proxyacl#1=deny ip any 62.149.128.40

auth-proxy:proxyacl#2=permit ip any any

in order to instruct the router to use it?

I've tried using <R> or \r ... comma and space, with and without double quotes

auth-proxy:priv-lvl=15<R>auth-proxy:proxyacl#1=deny ip any 62.149.128.40

"auth-proxy:priv-lvl=15" <R>a "uth-proxy:proxyacl#1=deny ip any 62.149.128.40"

auth-proxy:priv-lvl=15,auth-proxy:proxyacl#1=deny ip any 62.149.128.40

"auth-proxy:priv-lvl=15";auth-proxy:proxyacl#1=deny ip any 62.149.128.40"

... and so on

but nothing seems to work.

I've opened a ticket with Cloudessa and I'm awaiting a response ...

Can someone help me?

Is it possible to define multiple attributes in one string?

Thank you very much

5 Replies

Tarik Admani
VIP Alumni

Hi,

It looks as if the RADIUS dictionary for the cisco-av-pair should support multiple attributes; there is even an example of how to achieve this in the guide (a little dated, ACS 4.0).

http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_server_for_windows/4.0/user/guide/ad.html#wp168530

In most of my designs for auth-proxy I have had to enter each cisco-av-pair with its own proxyacl#1... statement, so it seems to me as if there may be a bug in your RADIUS solution not allowing as many cisco-av-pairs in your authorization profile.

Thanks,

Tarik Admani
*Please rate helpful posts*

The reply attribute should use the += operator for additional AV pairs:

admin           Cleartext-Password := 1234QWer
                Service-Type = Administrative-User,
                Cisco-AVPair = "shell:roles=network-admin",
                Cisco-AVPair += "shell:priv-lvl=15"

ops             Cleartext-Password := 1234QWer
                Service-Type = NAS-Prompt-User,
                Cisco-AVPair = "shell:roles=network-operator",
                Cisco-AVPair += "shell:priv-lvl=1"

tom             Auth-Type := System
                Service-Type = Administrative-User,
                Cisco-AVPair = "shell:roles=network-admin",
                Cisco-AVPair += "shell:priv-lvl=15"

From http://www.layerzero.nl/blog/2013/05/using-freeradius-with-cisco-devices/
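As an added illustration of the point above (this is editor-supplied example code, not part of the thread or any poster's configuration): the FreeRADIUS += operator works because each Cisco-AVPair value is sent as its own Vendor-Specific attribute (RFC 2865 type 26, vendor ID 9, vendor-type 1 for cisco-avpair), and the NAS reads each instance separately. The script below builds a RADIUS Access-Accept carrying the three av-pairs from the question as three separate VSAs, decodes it back, and then shows that the same three strings joined into one attribute come out as a single av-pair string, which is the behaviour the original poster ran into. The shared secret, packet identifier and request authenticator are constructed sample values.

```python
"""Encode/decode Cisco-AVPair values in a RADIUS Access-Accept (RFC 2865).

Added example: shows that multiple av-pairs are multiple Vendor-Specific
attribute instances, not one string with separators.
"""
import hashlib
import struct

ACCESS_ACCEPT = 2
ATTR_VENDOR_SPECIFIC = 26   # RFC 2865 section 5.26
CISCO_VENDOR_ID = 9         # IANA enterprise number for Cisco
CISCO_AVPAIR = 1            # vendor-type of cisco-avpair in the Cisco dictionary


def encode_cisco_avpair(avpair: str) -> bytes:
    """One av-pair -> one Vendor-Specific attribute (type, len, vendor-id, vtype, vlen, data)."""
    data = avpair.encode("ascii")
    vendor_body = struct.pack("!BB", CISCO_AVPAIR, 2 + len(data)) + data
    value = struct.pack("!I", CISCO_VENDOR_ID) + vendor_body
    if 2 + len(value) > 255:   # attribute Length is a single byte
        raise ValueError("av-pair too long for a single RADIUS attribute")
    return struct.pack("!BB", ATTR_VENDOR_SPECIFIC, 2 + len(value)) + value


def build_access_accept(identifier: int, request_auth: bytes, secret: bytes, avpairs) -> bytes:
    """Access-Accept with one VSA per av-pair and a valid Response Authenticator."""
    attrs = b"".join(encode_cisco_avpair(a) for a in avpairs)
    header = struct.pack("!BBH", ACCESS_ACCEPT, identifier, 20 + len(attrs))
    # RFC 2865 section 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)
    resp_auth = hashlib.md5(header + request_auth + attrs + secret).digest()
    return header + resp_auth + attrs


def verify_response_authenticator(packet: bytes, request_auth: bytes, secret: bytes) -> bool:
    """Check the server's Response Authenticator (what a NAS does before trusting the reply)."""
    expected = hashlib.md5(packet[:4] + request_auth + packet[20:] + secret).digest()
    return expected == packet[4:20]


def decode_cisco_avpairs(packet: bytes) -> list:
    """Walk the attribute list and return every Cisco cisco-avpair string, in order."""
    _code, _ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet) or length < 20:
        raise ValueError("bad RADIUS length field")
    found = []
    pos = 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("bad attribute length")
        value = packet[pos + 2:pos + alen]
        pos += alen
        if atype != ATTR_VENDOR_SPECIFIC or len(value) < 6:
            continue
        if struct.unpack("!I", value[:4])[0] != CISCO_VENDOR_ID:
            continue
        vpos = 4
        while vpos + 2 <= len(value):   # a VSA may carry several vendor sub-attributes
            vtype, vlen = value[vpos], value[vpos + 1]
            if vlen < 2 or vpos + vlen > len(value):
                raise ValueError("bad vendor sub-attribute length")
            if vtype == CISCO_AVPAIR:
                found.append(value[vpos + 2:vpos + vlen].decode("ascii"))
            vpos += vlen
    return found


# Constructed sample inputs (not captured from a real RADIUS exchange).
SAMPLE_SECRET = b"constructed-shared-secret"
SAMPLE_REQUEST_AUTH = bytes(range(16))
SAMPLE_AVPAIRS = [
    "auth-proxy:priv-lvl=15",
    "auth-proxy:proxyacl#1=deny ip any 62.149.128.40",
    "auth-proxy:proxyacl#2=permit ip any any",
]


def demo():
    """Return (av-pairs decoded from separate VSAs, av-pairs decoded from one joined string)."""
    separate = build_access_accept(7, SAMPLE_REQUEST_AUTH, SAMPLE_SECRET, SAMPLE_AVPAIRS)
    joined = build_access_accept(7, SAMPLE_REQUEST_AUTH, SAMPLE_SECRET, [",".join(SAMPLE_AVPAIRS)])
    return decode_cisco_avpairs(separate), decode_cisco_avpairs(joined)


if __name__ == "__main__":
    as_separate, as_joined = demo()
    print("three VSAs      ->", as_separate)   # three av-pairs
    print("one joined string ->", as_joined)   # a single av-pair the NAS cannot split
```

Running it prints three av-pairs for the first packet and a single comma-joined string for the second, so the separators tried in the question never produce separate attributes on the wire; only additional attribute instances (the += in the FreeRADIUS users file) do.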

 

gdelpanta
Level 1

Hi,

Thank you ...

You are right ... it's for sure a RADIUS limitation. I've already written to Cloudessa support ... I wrote to the Cisco Support Forum too, hoping for a workaround or a way to insert multiple AV rows in a single entry.

If multiple AV pairs in a single string entry aren't possible and Cloudessa doesn't fix it, I'm stuck ...

Cloudessa is the only free RADIUS as a Service I found on the Internet ...

Thank you again.

If you have a TACACS solution you can move this integration over to it. However, you will need to double-check all attributes and profiles to make sure the same user isn't gaining full access to any other device if TACACS is used as your centralized administration authority.

Thanks,

Tarik Admani
*Please rate helpful posts*

Hi,

Did you manage to send multiple AV pairs from Cloudessa to Cisco equipment?

I am facing the same issue with proxy acl.

Regards,

Branimir Turk