Hello. I was wondering if anyone had implemented a radius server that would allow for logins to switches and routers to be able to control what level of access a user had. An example might be that if the main network guy wanted full access, he could log in and authenticate through a radius server (something like IAS) and get the level of permissions he needs to administer the switch. And the JR network guy comes along and does the same, but with a smaller set of abilities. Can this be done with radius authentication integrated with AD?
You need TACACS+
RADIUS does not allow users to control which commands can be executed on a router and which cannot. Therefore, RADIUS is not as useful for router management or as flexible for terminal services.
As Edison says, for command authorisation you need TACACS+. However...
I have implemented what I think is a good workaround using MS IAS. What I have is multiple IAS policies for terminal access, each one representing a privilege level; in the advanced settings for each policy I push down a Cisco AV pair that sets the privilege level (shell:priv-lvl=15). In AD I have the equivalent Security Groups configured and I make users members of the relevant group. I.e. someone who requires full access to the switches and routers has Level-15 access and matches the Level-15 IAS policy. Someone who can only log in and get level-0 privilege matches the Level-0 policy and gets the AV pair shell:priv-lvl=0.
You also need to configure your IOS devices to change the privilege level of certain commands, however once you have a template it is pretty easy to apply this to all your IOS devices.
As I said this isn't a replacement for TACACS+ as that allows each command to be authorised, but I think it's a neat workaround. Plus if you use IAS as the Radius Server it's included in the OS.
I've never used a TACACS server before. Is there a free version available?
Also, I like the IAS solution Andrew, as I'm a little more familiar with it. Is there any way you could provide more detail on that?
With regards to IAS this is what I have done, however you can make it more or less complex as I only have three privilege levels:
I have created three Global Security Groups in AD - each representing an IOS privilege level - Level-0, Level-1 and Level-15.
I then make the user a member of the appropriate group.
In IAS I then have three separate policies, each representing the Privilege Level (I actually have more but the policy conditions are different - i.e. VPN, dot1x etc).
For admission to each IAS policy I match against 'Windows-Group matches=xxxx' where 'xxxx' represents the AD Global Security group. 'NAS-Port-Type matches=Async (modem) or Virtual (VPN)' & 'Authentication Type matches=PAP'
In the Advanced tab for each policy I have the two RADIUS Standard attributes 'Reply-Message' and 'Service-Type' selected, plus the Cisco-AV-Pair. The Service-Type is set to 'NAS Prompt' and the Reply-Message is set to 'Level X login successful, access time recorded' - this is just text though and is displayed after a user successfully logs in and can be anything you wish. The Cisco-AV-Pair is set to 'shell:priv-lvl=X' where 'X' is the privilege level.
On each of the IOS devices I have the configuration:
aaa group server radius IAS-Servers
server 10.1.1.1 auth-port 1812 acct-port 1813
server 10.2.2.2 auth-port 1812 acct-port 1813
ip radius source-interface Loopback0
aaa authentication login default group IAS-Servers local
aaa authentication enable default group IAS-Servers enable
aaa authorization console
aaa authorization exec default group IAS-Servers if-authenticated
radius-server host 10.1.1.1 auth-port 1812 acct-port 1813 key xxxxxxxxxxxx
radius-server host 10.2.2.2 auth-port 1812 acct-port 1813 key xxxxxxxxxxxx
There are additional commands on some IOS devices for different access (VPN, 802.1x & WEBVPN), however these are the basics and you should be able to work out how to get the other stuff working quite easily.
Additionally I have added some commands to change the privilege level of certain commands using the global configuration command:
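As an added illustration (not Andrew's code or configuration), the following Python shows what the IOS device actually receives from an IAS policy like the one described: a RADIUS Access-Accept carrying Service-Type = NAS Prompt, a Reply-Message, and the Cisco-AVPair vendor-specific attribute (RADIUS type 26, vendor ID 9, sub-attribute 1) with the value shell:priv-lvl=X. It encodes those attributes and then parses them back the way a NAS would to decide which privilege level to apply; the attribute numbers are from RFC 2865 and Cisco's VSA dictionary, the rest is constructed for this example.

```python
import struct

VSA_TYPE = 26          # RADIUS Vendor-Specific attribute (RFC 2865)
SERVICE_TYPE = 6       # RADIUS Service-Type attribute
REPLY_MESSAGE = 18     # RADIUS Reply-Message attribute
CISCO_VENDOR_ID = 9    # IANA enterprise number for Cisco
CISCO_AVPAIR = 1       # Cisco-AVPair sub-attribute inside the VSA
NAS_PROMPT = 7         # Service-Type value "NAS Prompt" (exec shell, no priv-lvl by itself)

def attr(atype: int, value: bytes) -> bytes:
    """Encode one standard RADIUS attribute: type, length, value."""
    return struct.pack("!BB", atype, 2 + len(value)) + value

def cisco_avpair(value: str) -> bytes:
    """Encode one Cisco-AVPair VSA, e.g. 'shell:priv-lvl=15'."""
    sub = struct.pack("!BB", CISCO_AVPAIR, 2 + len(value)) + value.encode()
    return struct.pack("!BBI", VSA_TYPE, 6 + len(sub), CISCO_VENDOR_ID) + sub

def build_accept_attrs(priv_lvl: int) -> bytes:
    """Attribute list an IAS policy for privilege level priv_lvl would return (constructed)."""
    msg = f"Level {priv_lvl} login successful, access time recorded".encode()
    return (attr(SERVICE_TYPE, struct.pack("!I", NAS_PROMPT))
            + attr(REPLY_MESSAGE, msg)
            + cisco_avpair(f"shell:priv-lvl={priv_lvl}"))

def parse_attrs(data: bytes):
    """Yield (type, value) pairs from a RADIUS attribute list; reject malformed lengths."""
    i = 0
    while i + 2 <= len(data):
        t, length = data[i], data[i + 1]
        if length < 2 or i + length > len(data):
            raise ValueError("malformed RADIUS attribute")
        yield t, data[i + 2:i + length]
        i += length

def priv_level(attrs: bytes):
    """Return the priv-lvl a NAS would apply, or None if no Cisco-AVPair sets one."""
    for t, v in parse_attrs(attrs):
        if t != VSA_TYPE or len(v) < 6 or struct.unpack("!I", v[:4])[0] != CISCO_VENDOR_ID:
            continue
        for st, sv in parse_attrs(v[4:]):
            if st == CISCO_AVPAIR and sv.startswith(b"shell:priv-lvl="):
                lvl = int(sv.split(b"=", 1)[1])
                if 0 <= lvl <= 15:      # IOS privilege levels are 0..15
                    return lvl
    return None
```

Without the Cisco-AVPair (for example a policy that only sets Service-Type), the parser returns None and the user lands at the line's default privilege level, which is the symptom to look for when a level-15 policy seems to "not work".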
I have something like you have in the IAS set-up, but I can't get the accounting to work properly. It displays username/workstation, but does not want to log the commands issued on the device.
I don't think this is possible with Radius. I just tried adding the command 'aaa accounting commands 15 default start-stop group Radius-Servers' and I get an error telling me the server-group 'Radius-Servers' is not a tacacs+ server group:
091058: Feb 21 12:23:14: %AAAA-4-SERVNOTACPLUS: The server-group "Radius-Servers" is not a tacacs+ server group. Please define "Radius-Servers" as a tacacs+ server group.
This was on a Catalyst 3550 running the latest IOS.
I can't seem to get my wireless AP1230 to work. All my AP hostnames start with "caap" so I have
Remote Access Policy:
Client-Friendly-Name matches "caap*"
Windows-Group is tied to my AD security group
Service-Type is set to Radius Login
Cisco-AV-Pair is set to shell:priv-lvl=15
and "Grant Remote Access permission" is checked
On the AP, I have
aaa authentication login SECURE group radius local enable
aaa authorization exec SECURE group radius local
line vty 0 15
authorization exec SECURE
login authentication SECURE
This works for my routers/switches but not for the AP. Any ideas why APs are different?