I have RADIUS authentication configured on my ACEs. I can log in just fine but I am assigned to the Network-Monitor role. Where can I configure the role that RADIUS users are assigned to? Is there a return list attribute?
See the ACE Security Guide - Chapter 2. You need to set a CiscoAVPair. How you do this will depend on the RADIUS software that you are using. You're being put into Network-Monitor by default. Quote from the manual:
"The user profile attribute serves an important configuration function for a RADIUS server group. If the user profile attribute is not obtained from the server during authentication, or if the profile is obtained from the server but the context name(s) in the profile do not match the context in which the user is trying to log in, a default role (Network-Monitor) and a default domain (default-domain) are assigned to the user if the authentication is successful."
On the RADIUS server itself. How this is done will depend on the RADIUS application. ACS is different to FreeRADIUS is different to Radiator. You'll need to check the documentation for your RADIUS server to see how it handles AV-Pairs.
After some tinkering, I was able to authenticate to the ACE module with full admin privileges via radius using free-radius. I used the following steps to get this working:
On the Linux CLI I entered the following command to modify the users file of FreeRADIUS: "gedit /etc/raddb/users"
I then added the following to the users file:
# check items: local authentication with a cleartext password
admin Auth-Type := Local, User-Password == "password"
        # reply items: NAS-Prompt-User for CLI access, AV pair carrying the ACE role and domain
        Service-Type = NAS-Prompt-User,
        cisco-avpair = "shell:Admin=Admin default-domain"
I saved the file.
I then stopped and started the radiusd service.
/sbin/service radiusd stop
/sbin/service radiusd start
Great topic. I found this very helpful.
Just to add on a bit. It depends on your RADIUS implementation; taking FreeRADIUS for example, if you use multiple cisco-avpair statements you may want to use * instead of = in your attribute statement to make it optional (similar to the 'optional' keyword you may use for TACACS+ authentication for ACE). Without it, authorisation with other IOS devices may break.
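As an added example (not from either poster), the users file entry above extended to the multi-device case described in the last reply. It assumes the same account name and password as the earlier post, and that the IOS devices expect the usual shell:priv-lvl AV pair; the ACE-specific pair is marked optional with * so a device that does not understand it ignores it instead of failing authorisation, and += is the FreeRADIUS operator for sending several instances of one reply attribute.

```text
# /etc/raddb/users (FreeRADIUS users file, constructed example)
# check items: local authentication with the constructed password
admin Auth-Type := Local, User-Password == "password"
        # reply items sent to every NAS that authenticates this user
        Service-Type = NAS-Prompt-User,
        # mandatory pair for IOS devices: attribute=value
        cisco-avpair += "shell:priv-lvl=15",
        # optional pair for the ACE: attribute*value, ignored by devices that
        # do not recognise it, so it does not break other IOS logins
        cisco-avpair += "shell:Admin*Admin default-domain"
```

Verify with the ACE after a restart of radiusd: a login that still lands in Network-Monitor means the AV pair did not reach the device or did not match a context name, per the manual quote above.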