Radius Authorization question

mariocabrejo
Level 1

Can you configure RADIUS authorization to access a router or not?

I am confused because the Practical Studies book says "Use the local database for authorization instead of RADIUS because it is incapable of understanding the CLI":

aaa new-model
aaa authentication login default group radius
aaa authorization exec default local

Now the Cisco website says you can, after configuring the following:

Cisco Secure NT RADIUS

Follow these steps to configure the server. http://www.cisco.com/en/US/tech/tk59/technologies_tech_note09186a008009465c.shtml

IETF, Service-type (attribute 6) = Nas-Prompt

In the CiscoRADIUS area, check AV-Pair, and in the rectangular box underneath, enter shell:priv-lvl=7.

aaa new-model
aaa authentication login default tacacs+|radius local
aaa authorization exec tacacs+|radius local
username backup privilege xxx password xxxx
radius-server host 171.x.x.x
radius-server key xxxx
privilege configure level 7 snmp-server host
privilege configure level 7 snmp-server enable
privilege configure level 7 snmp-server
privilege exec level 7 ping
privilege exec level 7 configure terminal
privilege exec level 7 configure
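The `privilege` lines above lower individual commands to level 7 so that a user whose RADIUS reply assigns `shell:priv-lvl=7` can run them while everything else stays at level 15. The following is an added illustration (not code from the thread or from Cisco) of that decision: it parses the post's `privilege` lines, picks the longest matching command prefix, and compares the required level with the user's level. The default-level table and the sample commands are constructed, and treating each prefix independently is a simplification of what IOS does with parent keywords.

```python
"""Simplified model of IOS exec-level command authorization after
'privilege <mode> level N <command>' reassignments.
Added illustration, not code from the thread or from Cisco."""

# Constructed default levels for a few commands; anything unlisted is treated as
# level 15. Real IOS ships its own complete table, so these are illustrative only.
DEFAULT_LEVELS = {
    ("exec", ("show",)): 1,
    ("exec", ("show", "running-config")): 15,
    ("exec", ("enable",)): 1,
    ("exec", ("logout",)): 1,
}
UNLISTED_LEVEL = 15

# The privilege lines from the post, used here as sample input.
SAMPLE_CONFIG = """\
privilege configure level 7 snmp-server host
privilege configure level 7 snmp-server enable
privilege configure level 7 snmp-server
privilege exec level 7 ping
privilege exec level 7 configure terminal
privilege exec level 7 configure
"""


def parse_privilege_config(config_text):
    """Return {(mode, command_words): level} for every
    'privilege <mode> level <n> <command...>' line; other lines are skipped."""
    table = {}
    for line in config_text.splitlines():
        words = line.split()
        if len(words) >= 5 and words[0] == "privilege" and words[2] == "level":
            mode, level, command = words[1], int(words[3]), tuple(words[4:])
            if not 0 <= level <= 15:
                raise ValueError(f"privilege level out of range: {line!r}")
            table[(mode, command)] = level
    return table


def required_level(table, mode, command):
    """Level needed to run `command` in `mode`: the longest configured prefix wins,
    with the parsed config overriding the constructed defaults."""
    words = tuple(command.split())
    merged = {**DEFAULT_LEVELS, **table}
    best_len, best_level = -1, UNLISTED_LEVEL
    for (m, prefix), level in merged.items():
        if m == mode and words[:len(prefix)] == prefix and len(prefix) > best_len:
            best_len, best_level = len(prefix), level
    return best_level


def authorized(table, user_level, mode, command):
    """True when a user whose RADIUS-assigned shell:priv-lvl is `user_level`
    may run `command` in `mode`."""
    return user_level >= required_level(table, mode, command)


if __name__ == "__main__":
    table = parse_privilege_config(SAMPLE_CONFIG)
    samples = [  # constructed sample commands
        ("exec", "ping 192.0.2.1"),
        ("exec", "configure terminal"),
        ("exec", "reload"),
        ("configure", "snmp-server host 192.0.2.5 public"),
        ("configure", "ip route 0.0.0.0 0.0.0.0 192.0.2.254"),
    ]
    for level in (1, 7, 15):
        for mode, cmd in samples:
            verdict = "permit" if authorized(table, level, mode, cmd) else "deny"
            print(f"priv {level:2d} {mode:9s} {cmd!r:45s} -> {verdict}")
```

Run as a script it prints a permit/deny matrix for levels 1, 7 and 15; a level-7 user gets `ping`, `configure terminal` and the `snmp-server` commands but not `reload` or `ip route`, which is the effect the quoted configuration is after.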

3 Replies

gfullage
Cisco Employee

You can do certain authorization functions with Radius. Assigning a privilege level to a user is OK, using the "shell:priv-lvl=7" that you've described above.

Radius however, does not support command authorization, in that you can't specify on a Radius server what CLI commands a user can and cannot do, which you can on a TACACS server. This is a limitation of the Radius protocol, not CiscoSecure or any other Radius server. Radius combines authentication and authorization, in that all the authorization attributes are returned in the initial authentication acceptance packet.

So you can assign a user to priv-level 7 say, then use the "privilege" commands like you have above locally to limit what they can do. Define "radius" as your authentication and authorization service and you should be fine.
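To make concrete the point that all RADIUS authorization attributes arrive in the one Access-Accept, here is an added illustration (not code from the thread or from Cisco) that frames that reply per RFC 2865: Service-Type = NAS-Prompt (value 7) plus a Vendor-Specific attribute with Cisco's Vendor-Id 9 carrying the cisco-avpair `shell:priv-lvl=7`. The NAS side checks the Response Authenticator against the request it sent and only then reads the privilege level. The shared secret and request authenticator are constructed sample values.

```python
"""Model of the RADIUS Access-Accept that assigns an exec privilege level:
Service-Type = NAS-Prompt plus the Cisco VSA cisco-avpair "shell:priv-lvl=N",
framed per RFC 2865. Added illustration, not code from the thread or from Cisco."""
import hashlib
import hmac
import struct

ACCESS_ACCEPT = 2               # RFC 2865 packet code
ATTR_SERVICE_TYPE = 6           # RFC 2865 section 5.6
ATTR_VENDOR_SPECIFIC = 26       # RFC 2865 section 5.26
SERVICE_TYPE_NAS_PROMPT = 7
CISCO_VENDOR_ID = 9
CISCO_AVPAIR = 1                # vendor type of cisco-avpair
PRIV_LVL_PREFIX = b"shell:priv-lvl="


def attribute(attr_type, value):
    """One Type/Length/Value attribute; Length counts the two header bytes."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", attr_type, 2 + len(value)) + value


def cisco_avpair(text):
    """Vendor-Specific(26) carrying Vendor-Id 9 and one cisco-avpair sub-attribute."""
    inner = attribute(CISCO_AVPAIR, text.encode())
    return attribute(ATTR_VENDOR_SPECIFIC, struct.pack("!I", CISCO_VENDOR_ID) + inner)


def build_access_accept(identifier, request_authenticator, secret, priv_lvl):
    """Server side. Every authorization attribute rides in this one packet,
    which is why RADIUS cannot authorize commands one at a time."""
    attrs = attribute(ATTR_SERVICE_TYPE, struct.pack("!I", SERVICE_TYPE_NAS_PROMPT))
    attrs += cisco_avpair(f"shell:priv-lvl={priv_lvl}")
    header = struct.pack("!BBH", ACCESS_ACCEPT, identifier, 20 + len(attrs))
    # Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attributes+Secret)
    response_auth = hashlib.md5(header + request_authenticator + attrs + secret).digest()
    return header + response_auth + attrs


def iter_attributes(data):
    """Yield (type, value) pairs; reject truncated or undersized lengths."""
    pos = 0
    while pos < len(data):
        if pos + 2 > len(data):
            raise ValueError("truncated attribute header")
        attr_type, length = data[pos], data[pos + 1]
        if length < 2 or pos + length > len(data):
            raise ValueError("bad attribute length")
        yield attr_type, data[pos + 2:pos + length]
        pos += length


def verify_and_extract(packet, request_authenticator, secret):
    """NAS side: check the Response Authenticator against the original request,
    then return (service_type, priv_lvl). None means the reply must be discarded."""
    if len(packet) < 20:
        return None
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCESS_ACCEPT or length < 20 or length > len(packet):
        return None
    header, response_auth, attrs = packet[:4], packet[4:20], packet[20:length]
    expected = hashlib.md5(header + request_authenticator + attrs + secret).digest()
    if not hmac.compare_digest(expected, response_auth):
        return None
    service_type = priv_lvl = None
    try:
        for attr_type, value in iter_attributes(attrs):
            if attr_type == ATTR_SERVICE_TYPE and len(value) == 4:
                service_type = struct.unpack("!I", value)[0]
            elif (attr_type == ATTR_VENDOR_SPECIFIC and len(value) >= 6
                  and struct.unpack("!I", value[:4])[0] == CISCO_VENDOR_ID):
                for vendor_type, vendor_value in iter_attributes(value[4:]):
                    if vendor_type == CISCO_AVPAIR and vendor_value.startswith(PRIV_LVL_PREFIX):
                        priv_lvl = int(vendor_value[len(PRIV_LVL_PREFIX):])
    except ValueError:
        return None
    return service_type, priv_lvl


if __name__ == "__main__":
    secret = b"constructed-shared-secret"   # constructed sample value
    request_auth = bytes(range(16))         # constructed; a real one is random
    reply = build_access_accept(42, request_auth, secret, 7)
    print("accept:", reply.hex())
    print("verified:", verify_and_extract(reply, request_auth, secret))
    tampered = bytearray(reply)
    tampered[-1] ^= 0x01                    # '7' becomes '6' in the AV pair
    print("tampered:", verify_and_extract(bytes(tampered), request_auth, secret))
```

The tampered copy shows why the NAS must check the Response Authenticator before honouring the privilege level: a one-byte change to the AV pair fails the MD5 check and the reply is dropped rather than granting a different level.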

maldehne
Cisco Employee

You can specify the exec privilege level for a certain user on a specific AAA client using RADIUS.

Based on that, the user can run all the commands that are part of that particular privilege exec level.

Now if you want to allow a certain set of commands from a particular privilege exec level, you need to use the TACACS+ protocol and enable command authorization sets on your AAA server.

Check the following links as references on command authorization:

http://www.cisco.com/en/US/partner/products/ps9911/products_configuration_example09186a0080bc8514.shtml

http://www.cisco.com/en/US/partner/products/sw/secursw/ps2086/products_configuration_example09186a00808d9138.shtml

-------------------------------------------------------------------------------------------------

Please make sure to rate correct answers
