NME-CUE 8.6.1 AAA Setup

lyle.cameron
Level 1

Trying to figure out the config to allow us to log into our NME-CUE modules using a RADIUS authentication server for all user accounts and attributes.

I have got it set up and working in that I can authenticate a RADIUS/local user to the system, inheriting the local user attributes (specifically the Administrators group) for user Authorization, but what I want to be able to do is hold Authentication AND Authorization data only on the RADIUS server, i.e. No requirement to have ANY local users configured on the system for Administration (save a fallback account for emergencies when the RADIUS server is unavailable).

I can't seem to find in any documentation anywhere what RADIUS user attributes etc. can, or have to be passed to the CUE instance which will provide Authorization for RADIUS users. There has to be a User Group Attribute or something that RADIUS replies to the CUE with that provides user Authorization information.

Our RADIUS server is an ACS 5.3

Thanks in Advance

1 Reply

lyle.cameron
Level 1

For anyone interested, contacted the TAC and they gave me a solution.

Get the RADIUS server to send through a Cisco-av-pair attribute with the value “fndn:groups=Administrators”.

Also allows you to create groups on the CUE and assign users to whatever group you want, i.e. create a group with privileges to manage users, call it "groupManageUsers" and assign users to the group with the cisco-av-pair AV "fndn:groups=groupManageUsers". Users assigned to that group can only manage user accounts, but don't have full admin access to the system.

Problem solved
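
To confirm from a packet capture which group the RADIUS server actually hands to the CUE, the following added example (not part of the original post or the TAC's answer) encodes and parses the Cisco-AVPair vendor-specific attribute described in the reply. The function names and the sample bytes are constructed for illustration; the input is assumed to be the attribute portion of an Access-Accept, after the 20-byte RADIUS header.

```python
import struct

VENDOR_SPECIFIC = 26   # RADIUS attribute type (RFC 2865)
CISCO_VENDOR_ID = 9    # Cisco's IANA enterprise number
CISCO_AVPAIR = 1       # vendor sub-type for Cisco-AVPair


def encode_cisco_avpair(value: str) -> bytes:
    """Encode one Cisco-AVPair string as a Vendor-Specific attribute."""
    data = value.encode("ascii")
    sub = struct.pack("!BB", CISCO_AVPAIR, len(data) + 2) + data
    body = struct.pack("!I", CISCO_VENDOR_ID) + sub
    if len(body) + 2 > 255:
        raise ValueError("attribute too long for one RADIUS AVP")
    return struct.pack("!BB", VENDOR_SPECIFIC, len(body) + 2) + body


def cue_groups(attrs: bytes) -> list[str]:
    """Walk a RADIUS attribute list and return the fndn:groups values."""
    groups, i = [], 0
    while i < len(attrs):
        if i + 2 > len(attrs):
            raise ValueError("truncated attribute header")
        atype, alen = attrs[i], attrs[i + 1]
        if alen < 2 or i + alen > len(attrs):
            raise ValueError("bad attribute length")
        value = attrs[i + 2:i + alen]
        i += alen
        if atype != VENDOR_SPECIFIC or len(value) < 6:
            continue  # not a vendor-specific attribute we can read
        vendor, vtype, vlen = struct.unpack("!IBB", value[:6])
        if vendor != CISCO_VENDOR_ID or vtype != CISCO_AVPAIR:
            continue  # some other vendor or sub-attribute
        if vlen < 2 or 4 + vlen > len(value):
            raise ValueError("bad vendor sub-attribute length")
        text = value[6:4 + vlen].decode("ascii", "replace")
        key, sep, val = text.partition("=")
        if sep and key == "fndn:groups":
            groups.append(val)
    return groups


# Constructed sample: a Reply-Message (type 18) followed by the AVP from the reply
SAMPLE = bytes([18, 4]) + b"ok" + encode_cisco_avpair("fndn:groups=Administrators")

if __name__ == "__main__":
    print(cue_groups(SAMPLE))
```

An empty result for a user who authenticates successfully means the server is not returning the group attribute, so authorization would still depend on a local account.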