12-29-2004 09:42 AM - edited 03-10-2019 01:56 PM
Can you configure Radius authorization to access a router or not.
I am confused because the Practical Studies book says "Use the local database for authorization instead of RADIUS because it is incapable of understanding CLI":
aaa new-model
aaa authentication login default group radius
aaa authorization default local
Now in the Cisco website, says you can after configuring the following:
Cisco Secure NT RADIUS
Follow these steps to configure the server. http://www.cisco.com/en/US/tech/tk59/technologies_tech_note09186a008009465c.shtml
IETF, Service-type (attribute 6) = Nas-Prompt
In the CiscoRADIUS area, check AV-Pair, and in the rectangular box underneath, enter shell:priv-lvl=7.
aaa new-model
aaa authentication login default tacacs+|radius local
aaa authorization exec tacacs+|radius local
username backup privilege xxx password xxxx
radius-server host 171.x.x.x
radius-server key xxxx
privilege configure level 7 snmp-server host
privilege configure level 7 snmp-server enable
privilege configure level 7 snmp-server
privilege exec level 7 ping
privilege exec level 7 configure terminal
privilege exec level 7 configure
12-29-2004 08:55 PM
You can do certain authorization functions with Radius. Assigning a privilege level to a user is OK, using the "shell:priv-lvl=7" that you've described above.
Radius however, does not support command authorization, in that you can't specify on a Radius server what CLI commands a user can and cannot do, which you can on a TACACS server. This is a limitation of the Radius protocol, not CiscoSecure or any other Radius server. Radius combines authentication and authorization, in that all the authorization attributes are returned in the initial authentication acceptance packet.
So you can assign a user to priv-level 7 say, then use the "privilege" commands like you have above locally to limit what they can do. Define "radius" as your authentication and authorization service and you should be fine.
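As an added illustration of the point above that RADIUS returns its authorization attributes inside the Access-Accept (this is not code from the thread or from Cisco), the Python below builds a constructed Access-Accept carrying Service-Type = NAS-Prompt and the Cisco AV-Pair shell:priv-lvl=7, then evaluates it the way a NAS must: the Response Authenticator is checked against the shared secret before the privilege level is honoured, so a spoofed or mis-keyed accept grants nothing. The shared secret, packet identifier and request authenticator are constructed sample values.

```python
import hashlib
import struct

ACCESS_ACCEPT, ATTR_SERVICE_TYPE, ATTR_VSA = 2, 6, 26
VENDOR_CISCO, CISCO_AVPAIR, NAS_PROMPT_USER = 9, 1, 7

def build_access_accept(ident, request_auth, secret, priv_level):
    """Constructed Access-Accept: Service-Type=NAS-Prompt + Cisco AV-Pair shell:priv-lvl=N."""
    avpair = b"shell:priv-lvl=%d" % priv_level
    attrs = struct.pack("!BBI", ATTR_SERVICE_TYPE, 6, NAS_PROMPT_USER)
    vsa_body = struct.pack("!IBB", VENDOR_CISCO, CISCO_AVPAIR, 2 + len(avpair)) + avpair
    attrs += struct.pack("!BB", ATTR_VSA, 2 + len(vsa_body)) + vsa_body
    length = 20 + len(attrs)
    header = struct.pack("!BBH", ACCESS_ACCEPT, ident, length)
    # Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attributes+Secret), RFC 2865
    resp_auth = hashlib.md5(header + request_auth + attrs + secret).digest()
    return header + resp_auth + attrs

def iter_attributes(data):
    """Walk the TLV attribute list, expanding Cisco VSAs into ('cisco-avpair', text)."""
    pos = 0
    while pos < len(data):
        atype, alen = data[pos], data[pos + 1]
        if alen < 2 or pos + alen > len(data):
            raise ValueError("malformed attribute")
        value = data[pos + 2:pos + alen]
        if atype == ATTR_VSA and len(value) >= 6:
            vendor, vtype, vlen = struct.unpack("!IBB", value[:6])
            if vendor == VENDOR_CISCO and vtype == CISCO_AVPAIR and vlen == len(value) - 4:
                yield "cisco-avpair", value[6:].decode("ascii", "replace")
        else:
            yield atype, value
        pos += alen

def granted_priv_level(packet, request_auth, secret):
    """Privilege level a NAS should grant from this reply, or None when the reply is
    not an authentic Access-Accept or lacks Service-Type=NAS-Prompt."""
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCESS_ACCEPT or length != len(packet) or length < 20:
        return None
    expected = hashlib.md5(packet[:4] + request_auth + packet[20:] + secret).digest()
    if expected != packet[4:20]:  # wrong secret or tampered reply: do not trust its attributes
        return None
    service_type, priv = None, None
    for atype, value in iter_attributes(packet[20:]):
        if atype == ATTR_SERVICE_TYPE and len(value) == 4:
            service_type = struct.unpack("!I", value)[0]
        elif atype == "cisco-avpair" and value.startswith("shell:priv-lvl="):
            priv = int(value.split("=", 1)[1])
    return priv if service_type == NAS_PROMPT_USER else None
```

Calling build_access_accept(42, bytes(range(16)), b"example-shared-secret", 7) and passing the result to granted_priv_level with the same request authenticator and secret yields 7; with a different secret, or after any byte of the packet is altered, it yields None.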
04-10-2013 05:42 PM
04-11-2013 03:53 AM
You can specify the exec privilege level for a certain user on a specific AAA client using RADIUS.
Based on that, the user can run all the commands that are part of that particular privilege exec level.
Now if you want to allow a certain set of commands from a particular privilege exec level you need to use the tacacs+ protocol
and enable command authorization sets command on your AAA server.
Check the following links as references on command authorization: