08-02-2008 03:41 AM
Hi,
I have an ACE module running virtual contexts. I have configured the ACE contexts to authenticate against a RADIUS server (Windows IAS).
When I log in, I am always given the role of 'network-monitoring'. I would like to configure the RADIUS server so it authenticates users as 'Admin'.
Attached is a screeprint of the RADIUS clients set up on IAS (client names and IP addresses removed). The question here is if they should be configured as 'RADIUS Standard' or 'Cisco' in the 'Client-Vendor' field.
Also attached is a screenshot of the IAS 'Remote Access Policy' that i have set up for the network devices (these include the ACE contexts aswell as Switches and FWSM contexts). The question here is whether I need both the 'Vendor-Specific' and 'Cisco-AV-Pair' attributes. Also, how do I need to configure these attributes so they will authenticate the Switches, Routers and FWSM contexts (allowing enable level 15) and authenticate the ACE contexts (allowing the 'Admin' role).
I have also attached the RADIUS config lines that have been configured on the ACE contexts (IP address of server removed).
I would appreciate any input.
Solved! Go to Solution.
08-05-2008 07:55 AM
Hi Khalid,
the magic line is.
aaa authentication enable default group radius-grp enable
If you find a way to transport the "enable flag" via RADIUS you could do that. We decided that an authenticated user should go directly into enable mode.
Therefore you should/could configure following.
aaa authentication login default group radius-grp local <- stays the same
aaa authentication enable default none <- changed from your configuration
That results in not being asked for the enable password.
With TACACS+ you could configure something like you did as the ACS is able to pass the "enable flag".
For RADIUS as i mentioned you could probably also send a "shell:" command but i haven't had any pressure to investigate into that so far.
If your problem is solved just flag the Thread as solved and Rate if possible.
Hope it helps
Roble
08-04-2008 07:36 AM
Hi Khalid,
have a look at my screenshots for an example on how to get IAS with ACE and other Cisco Devices working.
Cisco Devices get the Client Vendor Cisco in my IAS Config, my Linux Devices get RADIUS Standard.
On the ACE you configure following.
radius-server host [ip.ad.dr.es] key 0 [your-key] auth-port 1645 acct-port 1646 authentication accounting
aaa group server radius RADIUS_VTY
server [ip.ad.dr.es]
aaa authentication login default group RADIUS_VTY local
--
Regarding Vendor-Specific attribute for IAS Config or "Cisco-AV-Pair", i used the Vendor-Specific approach.
Vendor-Specific
Attribute Number: 26
Attribute Format: Octet String
Attribute Vendor: Cisco
Attribute Value: shell:Admin=Admin default-domain
Thats how my config works flawlessly for over 2 years now.
Hope it Helps
Roble
08-04-2008 07:50 AM
Hi Roble,
I really appreciate your response. I have a feeling it'll work once I have modified my configuration to be on the same line as yours.
I will update you on the results (fingers crossed) once I have made the changes and tested them tomorrow.
Kind regards,
Khalid
08-05-2008 05:52 AM
Hi Roble,
I have been able to get Admin level role but it seems it only works with the Admin context and non of the others. Is this normal?
Kind regards,
Khalid
08-05-2008 06:45 AM
Hi Kahlid,
the reason is the attribute value mentioned before. I configure all my contexts starting from the admin context so that is no problem for me. What you probably need to do is add additional statments.
Following Link explains it pretty well.
There you can see a pattern example:
shell:
With the previous example in mind you should end up with following.
shell:Admin=Admin default-domain <- Admin Context
shell:Foo=Admin default-domain <- Context Foo
shell:Bar=Admin default-domain <- Context Bar
etc. etc.
Hope it helps.
Roble
08-05-2008 07:38 AM
Hi Roble,
That makes sense. I will configure the other contexts aswell.
By the way, I noticed you have some 6513s using the RADIUS server with the same settings. I also have some 6513s and 6509s. I have configured them as follows:-
aaa new-model
aaa group server radius radius-grp
server
!
aaa authentication attempts login 5
aaa authentication fail-message ^CCCFailed login. Five consecutive fails will revoke.^C
aaa authentication login default group radius-grp local
aaa authentication enable default group radius-grp enable
!
aaa session-id common
!
radius-server host
radius-server source-ports 1645-1646
!
line con 0
password 7
logging synchronous
line vty 0 4
exec-timeout 30 0
password 7
transport input telnet ssh
line vty 5 15
exec-timeout 30 0
password 7
transport input telnet ssh
!
For some strange reason, when I log in, I can authenticate against the RADIUS server on IAS. When I try to go into enable mode, I am prompted for the password but the authentication fails. When I check the IAS server logs, I see the initial login request is coming into the IAS server with my username, however the enable request is coming into the IAS server with the user $enable15$.
Do you know why this is the case? How do I configure the switches to insert the username in the enable authentication request?
I have attached a screenshot of my current IAS attributes.
I would really appreciate any input you may have on this second issue.
08-05-2008 07:55 AM
Hi Khalid,
the magic line is.
aaa authentication enable default group radius-grp enable
If you find a way to transport the "enable flag" via RADIUS you could do that. We decided that an authenticated user should go directly into enable mode.
Therefore you should/could configure following.
aaa authentication login default group radius-grp local <- stays the same
aaa authentication enable default none <- changed from your configuration
That results in not being asked for the enable password.
With TACACS+ you could configure something like you did as the ACS is able to pass the "enable flag".
For RADIUS as i mentioned you could probably also send a "shell:" command but i haven't had any pressure to investigate into that so far.
If your problem is solved just flag the Thread as solved and Rate if possible.
Hope it helps
Roble
Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: