Help with how to setup authorization!

Hi

I've set up RADIUS authentication on my 3560 switch. What I'd like to do next is set up authorization, but I'm struggling to find much on this. In particular I'm actually looking for the process of assigning particular commands to a user; can someone please advise me on this?

So for example I want user joe to be allowed to go into interface and VLAN configuration mode and run some show commands but restrict access to all the others. Any thoughts?

Thanks

Dan

4 REPLIES

Re: Help with how to setup authorization!

Try this config.

aaa new-model
aaa authentication login vtyline group radius local
aaa authentication login con-none none
aaa authorization exec vtyexec group radius local
aaa authorization exec conexec none
aaa authorization commands 1 comm1 group radius local
aaa authorization commands 1 comm-con-none none
aaa authorization commands 10 comm10 group radius local
aaa authorization commands 10 comm-con-none none
aaa authorization commands 15 comm15 group radius local
aaa authorization commands 15 comm-con-none none
!
username user1 privilege 10 password 0 user1
username user2 privilege 15 password 0 user1
!
privilege exec level 10 show run
privilege exec level 15 show
!
line con 0
 exec-timeout 0 0
 authorization commands 1 comm-con-none
 authorization commands 10 comm-con-none
 authorization commands 15 comm-con-none
 authorization exec conexec
 login authentication con-none
line aux 0
 authorization commands 1 comm-con-none
 authorization commands 10 comm-con-none
 authorization commands 15 comm-con-none
 authorization exec conexec
 login authentication con-none
line vty 0 4
 authorization commands 1 comm1
 authorization commands 10 comm10
 authorization commands 15 comm15
 authorization exec vtyexec
 login authentication vtyline


Re: Help with how to setup authorization!

Hi

Thanks for the config.

Just a little question: if I have user Joe authenticating via RADIUS, how can I link the username (i.e. Joe) to the privilege level without having to specify a password in the local database? Basically we've got all user details in a single database, with shared access via RADIUS and Active Directory.

In your example you've listed users locally; how could I link them through RADIUS?

Thanks

Dan

Re: Help with how to setup authorization!

Dan, it is possible, but you need to get the user to the privilege level. You can do this two ways. One is to get the user to type enable and then have different passwords/secrets for different levels:

enable password level 10 cisco

enable password level 15 c1sc0

Alternatively (and this is how I do it) you can send the enable level as a Cisco AV-Pair from the RADIUS server so the user is automatically at the required privilege level when they authenticate. I use MS IAS and have multiple Remote-Access policies defined on the servers. I have created security groups in AD (Cisco-Level-10, Cisco-Level-15 etc.). I then make the user a member of the relevant group. I check for group membership via IAS and then map the user to the IAS policy. In each of the policies is a Cisco-AV pair to set the privilege level:

For level 15 users:

shell:priv-lvl=15

For level 10 users:

shell:priv-lvl=10

HTH

Andy
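The av-pair Andy describes is carried inside a RADIUS Vendor-Specific Attribute (RFC 2865 type 26, Vendor-Id 9 for Cisco, vendor type 1 for Cisco-AVPair). As an added example that is not part of this thread, the Python below builds that attribute the way the RADIUS server would and parses an Access-Accept attribute list the way the switch would, ignoring other vendors' VSAs and failing closed on a malformed or out-of-range level; the sample attribute list and its Reply-Message text are constructed for the example.

```python
import struct

RADIUS_VENDOR_SPECIFIC = 26   # RFC 2865 Vendor-Specific attribute type
CISCO_VENDOR_ID = 9           # IANA enterprise number for Cisco
CISCO_AVPAIR = 1              # vendor type of Cisco-AVPair


def encode_priv_lvl_vsa(level: int) -> bytes:
    """Build the Cisco-AVPair VSA carrying shell:priv-lvl=<level>, as the server sends it."""
    if not 0 <= level <= 15:
        raise ValueError("IOS privilege levels are 0..15")
    value = f"shell:priv-lvl={level}".encode("ascii")
    # vendor sub-attribute: vendor-type, vendor-length (incl. these 2 bytes), string
    vendor_data = struct.pack("!BB", CISCO_AVPAIR, 2 + len(value)) + value
    body = struct.pack("!I", CISCO_VENDOR_ID) + vendor_data
    # outer TLV: type 26, length (incl. type and length bytes), vendor-id + sub-attribute
    return struct.pack("!BB", RADIUS_VENDOR_SPECIFIC, 2 + len(body)) + body


def iter_attributes(attrs: bytes):
    """Yield (type, value) from a RADIUS attribute list; refuse malformed TLVs."""
    pos = 0
    while pos + 2 <= len(attrs):
        atype, alen = attrs[pos], attrs[pos + 1]
        if alen < 2 or pos + alen > len(attrs):
            raise ValueError("malformed RADIUS attribute")
        yield atype, attrs[pos + 2:pos + alen]
        pos += alen


def extract_priv_lvl(attrs: bytes):
    """Privilege level from an Access-Accept attribute list (None if no priv-lvl present)."""
    level = None
    for atype, value in iter_attributes(attrs):
        if atype != RADIUS_VENDOR_SPECIFIC or len(value) < 6:
            continue                      # not a VSA, or too short to hold one
        if struct.unpack("!I", value[:4])[0] != CISCO_VENDOR_ID:
            continue                      # another vendor's VSA: ignore
        vtype, vlen = value[4], value[5]
        if vtype != CISCO_AVPAIR or vlen != len(value) - 4:
            continue                      # not a Cisco-AVPair, or inconsistent length
        key, sep, val = value[6:].decode("ascii", "replace").partition("=")
        if key != "shell:priv-lvl" or not sep:
            continue                      # some other av-pair (e.g. an ACL name)
        if not val.isdigit() or not 0 <= int(val) <= 15:
            raise ValueError(f"invalid priv-lvl {val!r}")  # fail closed, no default
        level = int(val)
    return level


# Constructed Access-Accept attribute list: Reply-Message (type 18) followed by the VSA.
SAMPLE_ACCEPT = struct.pack("!BB", 18, 9) + b"welcome" + encode_priv_lvl_vsa(15)
```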

Re: Help with how to setup authorization!

Andrew has a point out there and I feel he has explained it best.

You can refer to this link on Cisco. But it has username and password on router.

http://www.cisco.com/en/US/tech/tk59/technologies_tech_note09186a008009465c.shtml
