Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
642
Views
0
Helpful
0
Replies

Privilege levels , RADIUS and if-authenticated!

davebaker87
Level 1
Level 1

‎06-11-2018 05:43 AM - edited ‎02-21-2020 10:58 AM

Hi,

 

I was hoping to get some clarity on why my config behaves the way it does. I am configuring a priv level 7 for our support team to log into switches and clear port-security errors, shut/no shut ports . I want the authentication to use RADIUS.

 

On our RSA server (RADIUS) we have a RADIUS profile configured and applied to our switch, this pass the shell:priv-lvl=7 command to the switch , and the members of this radius profile are our support team.

 

Switch config is:

 

aaa authentication login default group radius local
aaa authorization exec default group radius if-authenticated

enable secret 5 $1$8kQg$COXCBjgVf3eX1UXwsHfYu/

 

privilege interface level 7 no shutdown
privilege interface level 7 shutdown
privilege interface level 7 do show
privilege interface level 7 switchport access vlan
privilege configure level 7 int gigabitethernet
privilege configure level 7 interface gigabitethernet
privilege configure level 7 interface
privilege exec level 7 configure
privilege exec level 7 show log
privilege exec level 7 show int status
privilege exec level 7 show int status err-disabled
privilege exec level 7 clear port-security sticky interface
privilege exec level 7 clear port-security sticky address
privilege exec level 7 conf t
privilege exec level 7 clear port-security sticky interface gigabitethernet

 

Here's how it behaves:

1. Anyone logs in, the RADIUS auth works and they are given priv level 7 (this applies to members and non-members of the RADIUS profile...).

2. We then have to enable 15 and enter the enable secret to reach admin (level 15).

 

This is good (because in essence, we want everyone to have lower priv levels and only admins to reach 15). But it's only by accident I realised that this is how it was working (at first, I was stumped because the switch was always at priv level 15 unless I applied the radius profile, and then I couldn't get out of level 7, I accidently typed 'enable' and it worked!). I am CCNA level (never touched priv/radius before) so my question is:

 

 a) Why does the switch need the enable password to get the priv 15? Where is this set..?

b) For Authorization, is if-authenticated the correct failsafe to use? My understanding of this command is that if the user can authenticate via radius, but authorization fails for some reason then they will be given exec level access to the switch because they authenticated? 

c) Does anyone have any best practice/other suggestions on how to implement priv levels? Ideally I'd like to remove the option to access Interface Port-channel and limit the interface configure to gigabitethernet interfaces only, but can't seem to do this.

 

Thanks in advance,

Labels:
0 Helpful
0 Replies 0
Customers Also Viewed These Support Documents