Which IETF RADIUS attribute is used for assigning read-only access?

ganeshhiyer
Level 1

In my network I have different devices, and authentication to these devices is via ACS with RADIUS (IETF).

For some users I want to configure read-only access to these devices, which all share the RADIUS IETF attributes with ACS.

Thanks & Regards

HG

4 Replies

Ivan Martinon
Level 7

Read only, full access and user access all depend on the privilege level that the user is assigned via the authentication server. This is not as simple as setting a value on RADIUS that the router will understand as defining only read access for some users. You have to play with the privilege-level Vendor Specific Attribute (shell:priv-lvl=#). When you do this, what you will do is put the user into a specific mode: user mode 0 or 1, 2-14 (custom), or EXEC mode (15). However, after doing this you need to give users access to specific commands. What I mean is that if you place the user on level 1, when the user issues show run or some other command, the only thing he will be able to do is see the configuration for the commands, or the parts of it, that are relevant to privilege level 1. My advice is to use TACACS instead and perform command authorization:

http://www.cisco.com/en/US/docs/ios/security/configuration/guide/sec_cfg_authorizatn_ps6350_TSD_Products_Configuration_Guide_Chapter.html

Thanks for the reply, but my concern is that I am using non-Cisco devices, and authentication of users on these devices is done via ACS.

So I need to segregate user privilege via a RADIUS protocol attribute.

Regards

HG

In that case you will need to check with your device vendor what value they expect to receive when giving a privilege level; on Cisco boxes the privilege-level Vendor Specific Attribute is "shell:priv-lvl=#".

ansalaza
Level 1

Here is some related info:

RADIUS Exec Authorization

There is no command to enable RADIUS exec authorization. The alternative is to set the Service-Type (RADIUS attribute 6) to Administrative (a value of 6) in the RADIUS server to launch the user into enable mode in the RADIUS server. If the service-type is set for anything other than 6-administrative, for example, 1-login, 7-shell, or 2-framed, the user arrives at the switch exec prompt, but not the enable prompt.

http://www.cisco.com/en/US/tech/tk59/technologies_tech_note09186a0080094ea4.shtml#f

IETF RADIUS Attributes

[006] Service-Type= [1-7]

Same values apply for IOS:

Configuring Authorization

http://www.cisco.com/en/US/tech/tk59/technologies_tech_note09186a0080093c81.shtml#config_auth
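To make the two mechanisms discussed in this thread concrete, here is an added example (not from the original posts or from Cisco) that encodes and decodes the RADIUS Access-Accept attributes involved: IETF attribute 6 (Service-Type) and the Cisco Vendor-Specific attribute 26 carrying a cisco-avpair such as shell:priv-lvl=1. The effective_access() decision rule is a simplified model of what the thread describes (explicit priv-lvl first, otherwise Service-Type 6 means enable mode, otherwise the exec prompt) and is an assumption, not vendor documentation.

```python
import struct

SERVICE_TYPE = 6        # IETF RADIUS attribute 6 (RFC 2865)
VENDOR_SPECIFIC = 26    # IETF RADIUS attribute 26
CISCO_VENDOR_ID = 9     # IANA enterprise number for Cisco
CISCO_AVPAIR = 1        # Cisco vendor type 1, "cisco-avpair" (e.g. shell:priv-lvl=N)
ADMINISTRATIVE = 6      # Service-Type value that launches the user into enable mode

def service_type_attr(value):
    """Encode IETF attribute 6 as type, length, 4-byte integer."""
    return struct.pack("!BBI", SERVICE_TYPE, 6, value)

def cisco_avpair_attr(text):
    """Encode a Cisco VSA: outer attribute 26 wrapping vendor-id 9 and vendor type 1."""
    value = text.encode()
    inner = struct.pack("!BB", CISCO_AVPAIR, 2 + len(value)) + value
    return struct.pack("!BBI", VENDOR_SPECIFIC, 6 + len(inner), CISCO_VENDOR_ID) + inner

def parse_attrs(blob):
    """Walk the attribute TLVs of an Access-Accept payload, expanding Cisco VSAs."""
    attrs, i = [], 0
    while i < len(blob):
        atype, alen = blob[i], blob[i + 1]
        if alen < 2 or i + alen > len(blob):
            raise ValueError("malformed attribute at offset %d" % i)
        body = blob[i + 2:i + alen]
        if atype == SERVICE_TYPE:
            attrs.append(("Service-Type", struct.unpack("!I", body)[0]))
        elif atype == VENDOR_SPECIFIC and struct.unpack("!I", body[:4])[0] == CISCO_VENDOR_ID:
            vtype, vlen = body[4], body[5]
            if vtype == CISCO_AVPAIR:
                attrs.append(("cisco-avpair", body[6:4 + vlen].decode()))
        i += alen
    return attrs

def effective_access(attrs):
    """Assumed decision rule modelled on the thread: an explicit shell:priv-lvl wins;
    otherwise Service-Type 6 (Administrative) gives the enable prompt (level 15),
    and any other Service-Type leaves the user at the exec prompt (level 1)."""
    stype = next((v for k, v in attrs if k == "Service-Type"), None)
    priv = None
    for k, v in attrs:
        if k == "cisco-avpair" and v.startswith("shell:priv-lvl="):
            priv = int(v.split("=", 1)[1])
    if priv is None:
        priv = 15 if stype == ADMINISTRATIVE else 1
    return {"service_type": stype, "priv_lvl": priv,
            "prompt": "enable" if priv == 15 else "exec"}

# Constructed sample payloads (not real captures): a read-only profile and a full-admin one
READ_ONLY = service_type_attr(7) + cisco_avpair_attr("shell:priv-lvl=1")
FULL_ADMIN = service_type_attr(ADMINISTRATIVE)
```

For a non-Cisco device, swap the vendor id and vendor type in cisco_avpair_attr() for the ones in that vendor's RADIUS dictionary, which is exactly the value Ivan suggests confirming with the vendor.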
