Radius + CW + User Roles

Jason Fraioli
Level 3

I have a group in Active Directory that is allowed access to our network infrastructure, including Cisco Works. When I log in to Cisco Works with an account that is a member of this AD account, I do not get any administrative permissions in Cisco Works. How do I relate the AD group (authenticated via Radius) to an administrative role in Cisco Works?

Edit: If I go into Common Services -> Security -> AAA Mode Setup, I can set up Radius authentication, which works great, but I cannot figure out how to grant server roles to an authenticated user. This is so frustrating.


Joe Clarke
Cisco Employee

You need to add a local account to LMS to provide the authorization piece. The login modules only provide authentication. If you want to do full centralized authentication and authorization, you need to integrate LMS with Cisco Security ACS, and do TACACS+ between LMS and ACS.

OK, I created a user account in local user setup that reflects my domain account. I created a bogus password for this account that does not match my domain password.

When I log in to LMS, I can see the following:

Authentication Mode RADIUS

Authorization Mode CiscoWorks Local

I have a couple of questions about this.

1.) Why does the RADIUS sometimes read RADIUS (Fallback Mode) and other times, just RADIUS?

2.) Are there any security risks with me authenticating like this?

If you log in as a user who does not have an account in Radius (e.g. admin), then LMS will fall back to local authentication. The users allowed for fallback (admin is the only user by default) can be configured when you switch the login module.

No, what you are doing is the proper way of doing external authentication.
