Cisco Support Community
New Member

ACE Radius Authentication

I have radius authentication configured on my ACEs. I can login just fine but I am assigned to the Network-Monitor Role. Where can I configure the role that radius users are assigned to? Is there a return list attribute?

-Joshua

1 ACCEPTED SOLUTION

Re: ACE Radius Authentication

I did it via the CLI.

ACE-Top/Admin(config)# username dude password whooa role ?
  Admin
  Network-Admin
  Network-Monitor
  Security-Admin
  Server-Appln-Maintenance
  Server-Maintenance
  SLB-Admin
  SSL-Admin

Hope that helps.

9 REPLIES

Silver

Re: ACE Radius Authentication

Hi,

See the ACE Security Guide - Chapter 2. You need to set a CiscoAVPair. How you do this will depend on the RADIUS software that you are using. You're being put into Network-Monitor by default. Quote from the manual:

"The user profile attribute serves an important configuration function for a RADIUS server group. If the user profile attribute is not obtained from the server during authentication, or if the profile is obtained from the server but the context name(s) in the profile do not match the context in which the user is trying to log in, a default role (Network-Monitor) and a default domain (default-domain) are assigned to the user if the authentication is successful."

HTH

Cathy

New Member

Re: ACE Radius Authentication

Setting a return list attribute of 'shell:Admin=Admin default-domain' resolved the issue. Thanks.

New Member

Re: ACE Radius Authentication

Where is the command entered?

Silver

Re: ACE Radius Authentication

On the RADIUS server itself. How this is done will depend on the RADIUS application. ACS is different to FreeRADIUS is different to Radiator. You'll need to check the documentation for your RADIUS server to see how it handles AV-Pairs.

HTH

Cathy

New Member

Re: ACE Radius Authentication

I'm having the same problem using Free-Radius, where exactly on Free-Radius do we have to enter the return list attribute?

John...

New Member

Re: ACE Radius Authentication

Team,

After some tinkering, I was able to authenticate to the ACE module with full admin privileges via radius using free-radius. I used the following steps to get this working:

On the Linux CLI I entered the following command to modify the users file of FreeRADIUS: "gedit /etc/raddb/users"

I then added the following to the users file:

# check items on the first line; reply items (indented) on the following lines
admin    Auth-Type := Local, User-Password == "password"
         Service-Type = NAS-Prompt-User,
         cisco-avpair = "shell:Admin=Admin default-domain"

I saved the file.

I then stopped and started the radiusd service.

/sbin/service radiusd stop
/sbin/service radiusd start

Regards,

John...

Re: ACE Radius Authentication

Arrr! Totally forgot about that. Good one Cathy.

New Member

Re: ACE Radius Authentication

Great topic, I found this very helpful.

Just to add on a bit. It depends on your RADIUS implementation; taking FreeRADIUS for example, if you use multiple cisco-avpair statements you may want to use * instead of = in your attribute statement to make it optional (similar to the 'optional' keyword you may use for TACACS+ authentication for ACE). Without it, authorisation with other IOS devices may break.
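The AV-pair the thread settles on (shell:<context>=<role> <domain>, with * in place of = to mark the pair optional, as the reply above notes) and John's FreeRADIUS users entry, as an added Python example that is not part of this thread: it builds the pair against the eight ACE roles listed in the accepted answer, parses one back to check the mandatory/optional separator, and renders a users-file entry. It assumes the Cleartext-Password check item of FreeRADIUS 2.x/3.x instead of the Auth-Type := Local form John posted, and the Cisco-AVPair attribute name from the FreeRADIUS dictionary.

```python
import re

# The eight ACE roles exactly as the "username ... role ?" output in the thread lists them.
ACE_ROLES = {
    "Admin", "Network-Admin", "Network-Monitor", "Security-Admin",
    "Server-Appln-Maintenance", "Server-Maintenance", "SLB-Admin", "SSL-Admin",
}

# Cisco AV-pair: "<protocol>:<attribute><sep><value>". The separator "=" makes the
# attribute mandatory, "*" makes it optional, so a device that does not know the
# attribute ignores it instead of failing authorization (the last reply's point).
_AVPAIR_RE = re.compile(r"^(?P<proto>[^:]+):(?P<attr>[^=*]+)(?P<sep>[=*])(?P<value>.+)$")


def parse_avpair(avpair):
    """Return (protocol, attribute, value, mandatory) for one Cisco AV-pair string."""
    m = _AVPAIR_RE.match(avpair)
    if not m:
        raise ValueError("not a Cisco AV-pair: %r" % avpair)
    return m["proto"], m["attr"], m["value"], m["sep"] == "="


def ace_role_avpair(context, role, domain="default-domain", optional=False):
    """Build shell:<context>=<role> <domain>, the pair the ACE maps to a role; reject unknown roles."""
    if role not in ACE_ROLES:
        raise ValueError("unknown ACE role %r; expected one of %s" % (role, sorted(ACE_ROLES)))
    return "shell:%s%s%s %s" % (context, "*" if optional else "=", role, domain)


def users_entry(username, password, avpairs, service_type="NAS-Prompt-User"):
    """Render a FreeRADIUS 'users' entry (assumed Cleartext-Password syntax, FreeRADIUS 2.x/3.x).

    Every reply item but the last ends with a comma. Cisco-AVPair uses "+=" so a
    second pair is appended rather than dropped because one is already in the reply.
    """
    for p in avpairs:
        parse_avpair(p)  # fail early on a malformed pair instead of shipping it
    reply = ["Service-Type = %s" % service_type]
    reply += ['Cisco-AVPair += "%s"' % p for p in avpairs]
    lines = ['%s\tCleartext-Password := "%s"' % (username, password)]
    lines += ["\t%s%s" % (item, "," if i < len(reply) - 1 else "") for i, item in enumerate(reply)]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    # Constructed sample: the thread's pair, made optional so other IOS devices ignore it.
    pair = ace_role_avpair("Admin", "Admin", optional=True)
    print(users_entry("admin", "password", [pair]))
```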
