
RADIUS authentication with local access at the same time

Beermania
Level 1

Hi Everyone,

Is there any way I can configure RADIUS and local account authentication to work at the same time?

Here is the scenario.

Currently, access to all our Cisco devices is tied to AD accounts via RADIUS, with the fallback being local authentication. It works perfectly fine. However, I have a requirement wherein specific users need to access the devices to run specific commands. I've been reading several threads saying to use privilege level 8 and specify the commands that the user is allowed to run.

!
username john privilege 8 password 0 john
privilege exec level 8 debug ip ospf adj
!

But what about if the user needs to run more than one command? And how is it going to work, since the AAA authentication method will look up RADIUS first and only allow the local login if RADIUS is not reachable?

Here is some of the current config I have.

!
aaa authentication login default group radius local
aaa authorization console
aaa authorization exec default group radius local if-authenticated
aaa authorization network default group radius local if-authenticated
aaa accounting exec default start-stop group radius
aaa accounting network default start-stop group radius
!
aaa session-id common
!
username Jose privilege 15 password 7 022789034567244
username john privilege 8 password 0 john
!
line con 0
 exec-timeout 0 0
 logging synchronous
!
line aux 0
 exec-timeout 0 0
 privilege level 15
 logging synchronous
!
line vty 0 4
 exec-timeout 30 0
 privilege level 15
 transport input telnet ssh
!
line vty 5 15
 exec-timeout 30 0
 privilege level 15
 transport input telnet ssh

Looking forward to your responses, guys.

4 Replies

Hi,

In this case a recommendation would be to use AAA authentication with RADIUS and the authorization list with the local database --> ASA.

Usually a best practice to manage devices with certain commands is using TACACS+, which will create authorization for specific levels of access and commands to be used.

Another simple workaround will be to set up a range of VTY lines to use local authentication and local authorization, though depending on the lines you assign, you will need to wait till the pertinent lines get occupied and then use the other ones. The other lines will use RADIUS authentication and authorization.

For example:

Local database:

aaa authentication login LOCAL_AUTHEN local
aaa authorization exec LOCAL_AUTHO local
!
line vty 0 4
 authorization exec LOCAL_AUTHO
 login authentication LOCAL_AUTHEN

RADIUS database:

aaa authentication login RADIUS group radius
aaa authorization exec RADIUS_AUTHOR group radius
!
line vty 5 15
 authorization exec RADIUS_AUTHOR
 login authentication RADIUS

Please proceed to rate and mark this post as correct!

Regards,

David Castro

Thank you all for your responses.

I have checked: the user is already in RADIUS with level 8 access. Now how do I allow them to run specific commands? Thanks

Hi All,

Just an update. I got it working now.

Configure the user privilege level on the RADIUS server first, for example level 2.

Then add the specific commands on the Cisco device using this format:

privilege exec level 2 debug ip ospf adj - allows a user with privilege level 2 to run debug ip ospf adj

privilege exec level 2 undebug ip ospf adj - allows a user with privilege level 2 to run undebug ip ospf adj

Just follow the same format for each specific command you want the user to have access to.
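A complete version of this approach, as an added example that is not part of the original thread: it keeps the poster's existing default method lists, assumes the RADIUS server returns the Cisco vendor attribute `Cisco-AVPair = "shell:priv-lvl=2"` for the restricted users, and lowers only the named commands to level 2. The username `ospfuser`, the placeholder secrets and the change of the vty lines to `privilege level 1` / SSH-only are assumptions made here, not the poster's configuration.

```cisco
! --- RADIUS side (not IOS; shown for reference) ---
! The restricted user's Access-Accept must carry the vendor attribute
!   Cisco-AVPair = "shell:priv-lvl=2"
! Without it the user lands at the vty line's default privilege level.
!
! --- IOS side ---
aaa new-model
!
! Existing lists: RADIUS first, local only when RADIUS does not answer
! (an Access-Reject is final; it does NOT fall back to local).
aaa authentication login default group radius local
! Exec authorization is what actually applies the priv-lvl returned by RADIUS.
aaa authorization exec default group radius local if-authenticated
!
! Lower only the commands this role needs to level 2.
! The prefixes (debug, debug ip, debug ip ospf) become visible at level 2
! as well, but other leaves such as 'debug ip ospf events' stay at 15.
privilege exec level 2 debug ip ospf adj
privilege exec level 2 undebug ip ospf adj
!
! Optional local fallback account for the same role (assumed name/secret),
! using 'secret' (hashed) rather than 'password 0' (cleartext).
username ospfuser privilege 2 secret CHANGE-ME-OSPF
!
! Keep the line default at 1 so a RADIUS user whose Access-Accept carries no
! priv-lvl is not silently lifted to 15 by the line's 'privilege level 15'.
! (Assumed change from the poster's vty configuration.)
line vty 0 15
 exec-timeout 30 0
 privilege level 1
 transport input ssh
!
! Verification after logging in as the restricted user:
!   show privilege          -> "Current privilege level is 2"
!   debug ip ospf adj       -> accepted
!   debug ip ospf events    -> rejected as invalid input (still level 15)
```

The key point for the poster's original worry is in the comments on the method lists: `group radius local` only reaches `local` when no RADIUS server responds, so a user that RADIUS rejects is never retried locally, and the privilege level the user ends up with comes from the exec authorization step, not from the login step.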

I'm not sure what you really want to achieve, but perhaps there are some ways to achieve your goal ...

1) You can configure your router to first consult the local user accounts and only if the user is not found, to ask the RADIUS:

aaa authentication login LOC_RADIUS local group radius

With that, the local users need to have different usernames than the RADIUS users.

2) When allowing multiple commands to different users, using role-based access control (RBAC) is much easier than using the old privilege levels.
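As an added example that is not from the original thread, combining both of these suggestions: the login list consults the local database before RADIUS, and the allowed command set is expressed as an IOS role-based CLI view (`parser view`) instead of a privilege level. The view name `OSPF-DEBUG`, the list name `LOC_RADIUS`, the username and the placeholder secrets are assumed here; the exec authorization list is written to mirror the login list (check the fall-through behaviour for users unknown to the local database on your platform), and assigning the view from the RADIUS server rather than from the local account is possible but not shown.

```cisco
! Prerequisites for role-based CLI views: 'aaa new-model', an enable secret,
! and the views must be created from the root view ('enable view' at level 15).
aaa new-model
enable secret CHANGE-ME-ENABLE
!
! 1) Local database first; RADIUS is consulted only when the user is not
!    found locally (a wrong password for an existing local user is a plain
!    reject). Local usernames must therefore not collide with AD usernames.
aaa authentication login LOC_RADIUS local group radius
aaa authorization exec LOC_RADIUS local group radius
!
! 2) A view holding exactly the commands this role may run.
!    Enter 'enable view' (root view) before configuring this block.
parser view OSPF-DEBUG
 secret CHANGE-ME-VIEW
 commands exec include debug ip ospf adj
 commands exec include undebug ip ospf adj
 commands exec include show ip ospf neighbor
!
! Bind the view to the local account; the user lands in the view at login
! because exec authorization is performed against the local database.
username ospfuser view OSPF-DEBUG secret CHANGE-ME-OSPF
!
line vty 0 15
 exec-timeout 30 0
 login authentication LOC_RADIUS
 authorization exec LOC_RADIUS
 transport input ssh
!
! Verification as ospfuser:
!   show parser view   -> reports the current view as OSPF-DEBUG
!   ?                  -> lists only the included commands plus the basics
!                         (enable, exit, show parser view ...)
```

Compared with the privilege-level method in the thread, a view is additive: a command is available only if it is explicitly included, so adding a new command for the role is one `commands exec include` line and there is no prefix-lowering side effect to reason about.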