New Member

logins via radius

Hello. I was wondering if anyone had implemented a radius server that would allow for logins to switches and routers to be able to control what level of access a user had. An example might be that if the main network guy wanted full access, he could log in and authenticate through a radius server (something like IAS) and get the level of permissions he needs to administer the switch. And the JR network guy comes along and does the same, but with a smaller set of abilities. Can this be done with radius authentication integrated with AD?

8 REPLIES
Hall of Fame Super Bronze

Re: logins via radius

You need TACACS+

http://www.cisco.com/en/US/tech/tk59/technologies_tech_note09186a0080094e99.shtml

Router Management

RADIUS does not allow users to control which commands can be executed on a router and which cannot. Therefore, RADIUS is not as useful for router management or as flexible for terminal services.

HTH,

Edison.

Please rate helpful posts

Re: logins via radius

As Edison says for command authorisation you need TACACS+. However......

I have implemented what I think is a good workaround using MS IAS. What I have is multiple IAS policies for terminal access, each one representing a privilege level. In the advanced settings for each policy I push down a Cisco AV pair that sets the privilege level (shell:priv-lvl=15). In AD I have the equivalent Security Groups configured and I make users members of the relevant group. I.e. someone who requires full access to the switches and routers has Level-15 access and matches the Level-15 IAS policy. Someone who can only login and get level-0 privilege matches the Level-0 policy and gets the AV pair shell:priv-lvl=0.

You also need to configure your IOS devices to change the privilege level of certain commands, however once you have a template it is pretty easy to apply this to all your IOS devices.

As I said this isn't a replacement for TACACS+ as that allows each command to be authorised, but I think it's a neat workaround. Plus if you use IAS as the Radius Server it's included in the OS.

HTH

Andy

New Member

Re: logins via radius

I've never used a TACACS server before. Is there a free version available?

Also, I like the IAS solution, Andrew, as I'm a little more familiar with it. Is there any way you could provide more detail on that?

Re: logins via radius

With regards to IAS this is what I have done, however you can make it more or less complex as I only have three privilege levels:

I have created three Global Security Groups in AD - each representing an IOS privilege level - Level-0, Level-1 and Level-15.

I then make the user a member of the appropriate group.

In IAS I then have three separate policies, each representing the Privilege Level (I actually have more but the policy conditions are different - i.e. VPN, dot1x etc).

For admission to each IAS policy I match against 'Windows-Group matches=xxxx' where 'xxxx' represents the AD Global Security group. 'NAS-Port-Type matches=Async (modem) or Virtual (VPN)' & 'Authentication Type matches=PAP'

In the advanced Tab for each policy I have the two RADIUS Standard attributes 'Reply-Message' and 'Service-Type' selected, plus the Cisco-AV-Pair. The Service-Type is set to 'NAS Prompt' and the Reply-Message is set to 'Level X login successful, access time recorded' - this is just text though and is displayed after a user successfully logs in and can be anything you wish. The Cisco-AV-Pair is set to 'shell:priv-lvl=X' where 'X' is the privilege level.

On each of the IOS devices I have the configuration:

aaa new-model
!
! RADIUS server group pointing at the two IAS servers
aaa group server radius IAS-Servers
 server 10.1.1.1 auth-port 1812 acct-port 1813
 server 10.2.2.2 auth-port 1812 acct-port 1813
 ip radius source-interface Loopback0
!
! Login: try the IAS servers first, fall back to local users if no server responds
aaa authentication login default group IAS-Servers local
aaa authentication enable default group IAS-Servers enable
! Apply exec authorization (the priv-lvl AV pair) on the console line as well
aaa authorization console
aaa authorization exec default group IAS-Servers if-authenticated
!
radius-server host 10.1.1.1 auth-port 1812 acct-port 1813 key xxxxxxxxxxxx
radius-server host 10.2.2.2 auth-port 1812 acct-port 1813 key xxxxxxxxxxxx
!

There are additional commands on some IOS devices for different access (VPN, 802.1x & WEBVPN), however this is the basics and you should be able to work out how to get the other stuff working quite easily.

Additionally I have added some commands to change the privilege level of certain commands using the global configuration command:

privilege level X

HTH

Andy
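
Added example (not part of the post above, and not Cisco or Microsoft code): how the reply attributes described in that post are encoded on the wire, plus a check that a policy's reply grants exactly the privilege level its AD group is meant to get. It handles only the attribute section of an Access-Accept (not the 20-byte header); the group names come from the post, while the function names and sample replies are constructed for illustration.

```python
import struct

# Attribute numbers from RFC 2865; 9 is Cisco's IANA enterprise number.
SERVICE_TYPE, REPLY_MESSAGE, VENDOR_SPECIFIC = 6, 18, 26
NAS_PROMPT = 7                      # Service-Type value "NAS Prompt"
CISCO, CISCO_AV_PAIR = 9, 1         # vendor id, vendor sub-type for cisco-avpair
EXPECTED = {"Level-0": 0, "Level-1": 1, "Level-15": 15}  # AD groups from the post

def attr(type_: int, value: bytes) -> bytes:
    """Encode one RADIUS attribute: type, length (including header), value."""
    return bytes([type_, len(value) + 2]) + value

def cisco_avpair(text: str) -> bytes:
    """Wrap an AV pair string in a Vendor-Specific attribute for vendor 9."""
    sub = bytes([CISCO_AV_PAIR, len(text) + 2]) + text.encode("ascii")
    return attr(VENDOR_SPECIFIC, struct.pack("!I", CISCO) + sub)

def build_reply_attrs(level: int) -> bytes:
    """Constructed sample of what one of the described policies returns."""
    msg = f"Level {level} login successful, access time recorded"
    return (attr(SERVICE_TYPE, struct.pack("!I", NAS_PROMPT))
            + attr(REPLY_MESSAGE, msg.encode("ascii"))
            + cisco_avpair(f"shell:priv-lvl={level}"))

def parse_attrs(data: bytes):
    """Yield (type, value) pairs, rejecting truncated or malformed attributes."""
    i = 0
    while i < len(data):
        if i + 2 > len(data) or data[i + 1] < 2 or i + data[i + 1] > len(data):
            raise ValueError(f"malformed attribute at offset {i}")
        yield data[i], data[i + 2:i + data[i + 1]]
        i += data[i + 1]

def granted_priv_level(data: bytes):
    """Return the level from shell:priv-lvl=N, or None if no such AV pair."""
    level = None
    for type_, value in parse_attrs(data):
        if type_ != VENDOR_SPECIFIC or len(value) < 6:
            continue
        if struct.unpack("!I", value[:4])[0] != CISCO or value[4] != CISCO_AV_PAIR:
            continue
        text = value[6:4 + value[5]].decode("ascii", "replace")
        if text.startswith("shell:priv-lvl="):
            level = int(text.split("=", 1)[1])
    return level

def audit(group: str, reply_attrs: bytes) -> bool:
    """True only if the reply grants exactly the level meant for this AD group."""
    return granted_priv_level(reply_attrs) == EXPECTED[group]
```
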

New Member

Re: logins via radius

Thanks Andrew. Thank you very much.

New Member

Re: logins via radius

Andy,

I have something like you have in the IAS set-up, but I can't get the accounting to work properly. It displays username/workstation, but does not want to log the commands issued on the device.

Any advice?

Thanks,

Vlad

Re: logins via radius

I don't think this is possible with Radius. I just tried adding the command 'aaa accounting commands 15 default start-stop group Radius-Servers' and I get an error telling me the server-group 'Radius-Servers' is not a tacacs+ server group:

091058: Feb 21 12:23:14: %AAAA-4-SERVNOTACPLUS: The server-group "Radius-Servers" is not a tacacs+ server group. Please define "Radius-Servers" as a tacacs+ server group.

This was on a Catalyst 3550 running the latest IOS.

Andy

Bronze

Re: logins via radius

I can't seem to get my wireless AP1230 to work. All my AP hostnames start with "caap" so I have

Remote Access Policy:

Client-Friendly-Name matches "caap*"
Windows-Group is tied to my AD security group
Service-Type is set to Radius Login
Cisco-AV-Pair is set to shell:priv-lvl=15
and "Grant Remote Access permission" is checked

On the AP, I have

aaa authentication login SECURE group radius local enable
aaa authorization exec SECURE group radius local
radius-server host auth-port 1812 acct-port 1813 key xxxxx
radius-server host auth-port 1812 acct-port 1813 key xxxxx
line vty 0 15
 authorization exec SECURE
 login authentication SECURE

This works for my routers/switches but not for the AP. Any ideas why APs are different?
