11-06-2002 05:56 AM - edited 02-20-2020 09:19 PM
Could anyone give me a link to a full resource of CISCO protocol entries in RADIUS A/V pairs.
I know that shell: and ip: are such protocol entries but I would like to have a full description of all protocol entries.
Any help would be greatly appreciated.
11-06-2002 07:35 AM
You should be able to find your answer here:
11-06-2002 07:45 AM
Thanks,
I've read them but the answer is not there.
11-06-2002 08:01 AM
11-06-2002 08:10 AM
Also take a look at these RFCs 2865-2869
11-06-2002 11:10 PM
Thank you very much... I found the answer there, but I have another question:
Could I make my NAS ask the RADIUS server for authorization of every command performed by a user?
11-06-2002 11:52 PM
I have the following configuration:
hostname Reserve
!
logging rate-limit console 10 except errors
aaa new-model
aaa authentication login default group radius local
aaa authorization config-commands
aaa authorization exec default group radius none
aaa authorization commands 7 default group radius none
aaa authorization network default group radius
enable secret level 7 5 $1$Okb9$1B.pYCB3ccTOJXj9bchrD/
enable secret level 10 5 $1$WSXo$7OA2v/caiqJX.3CMijtcB0
enable secret 5 $1$nDrE$/CuSB04WniloBQ3h6a77J0
enable password 7 14141B180F0B
!
username cisco password 7 0822455D0A16
ip subnet-zero
!
!
no ip finger
no ip domain-lookup
!
!
!
!
interface FastEthernet0/0
ip address 172.16.3.15 255.255.255.0
duplex auto
speed auto
!
interface Serial0/0
no ip address
shutdown
!
ip classless
no ip http server
!
radius-server host 172.16.3.69 auth-port 1812 acct-port 1813
radius-server retransmit 3
radius-server key 7 104D000A0618
privilege configure level 7 terminal
privilege configure level 7 conf t
privilege exec level 7 configure
privilege exec level 7 configure terminal
!
line con 0
transport input none
line aux 0
line vty 0 4
exec-timeout 0 0
!
no scheduler allocate
end
One of my users is authorized by the RADIUS server at priv-lvl=7, but when this user tries to run the command conf t, the following messages are logged:
tty67 AAA/AUTHOR/CMD (3442162769): Port='tty67' list='' service=CMD
1d23h: AAA/AUTHOR/CMD: tty67 (3442162769) user='lora1'
1d23h: tty67 AAA/AUTHOR/CMD (3442162769): send AV service=shell
1d23h: tty67 AAA/AUTHOR/CMD (3442162769): send AV cmd=configure
1d23h: tty67 AAA/AUTHOR/CMD (3442162769): send AV cmd-arg=terminal
1d23h: tty67 AAA/AUTHOR/CMD (3442162769): send AV cmd-arg=
1d23h: tty67 AAA/AUTHOR/CMD (3442162769): found list "default"
1d23h: tty67 AAA/AUTHOR/CMD (3442162769): Method=radius (radius)
1d23h: RADIUS: Command authorization not supported
1d23h: RADIUS: result does not match status after CMD
1d23h: AAA/AUTHOR (3442162769): Post authorization status = FAIL
Any help would be greatly appreciated
11-07-2002 07:12 AM
conf t is a priv-lvl 15 command by default.
You can change this in the IOS by using:
privilege exec level 7 configure terminal
I don't recommend doing this though unless you have a few groups with different levels of access.
If this is the case, enforce authorization for priv-lvl 15 commands and assign it to the user profile.
Another thing you should consider is creating a local user with priv-lvl 15 in case your connection to the AAA Server goes down, so add local after radius:
aaa authentication login default group radius local
aaa authorization config-commands
aaa authorization exec default group radius local
aaa authorization commands 15 default group radius local
username admin privilege 15 password
11-07-2002 07:56 AM
Thank you very much for answering... All I want is to authorize my commands, but it seems that the RADIUS protocol does not support per-command authorization. So, I installed a TACACS+ server.
I am not going to rate your answer, because I've already got one like this.
11-07-2002 08:01 AM
Good catch, it doesn't, because RADIUS uses one Access-Request packet in which authentication and authorization are part of the same request.
You can use it for exec, not command authorization.
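As an added example, not code from this thread or from Cisco, here is a small Python audit that reads the aaa lines of an IOS configuration like the one posted above and flags the two problems the replies point out: a method list that falls back to none (authorization passes unchecked when RADIUS is unreachable) and command authorization pointed at RADIUS, which IOS rejects with "Command authorization not supported". The configuration text inside the script is constructed from the thread, not read from a device.

```python
import re

# Constructed sample: the AAA lines from the configuration posted in the thread.
SAMPLE_CONFIG = """\
aaa new-model
aaa authentication login default group radius local
aaa authorization config-commands
aaa authorization exec default group radius none
aaa authorization commands 7 default group radius none
aaa authorization network default group radius
"""

# aaa <kind> <service> [<level>] <list-name> <method> [<method> ...]
AAA_RE = re.compile(
    r"^aaa (?P<kind>authentication|authorization) (?P<service>\S+)"
    r"(?: (?P<level>\d+))? (?P<name>\S+) (?P<methods>.+)$"
)

def parse_methods(text):
    """Turn 'group radius local' into ['group radius', 'local']."""
    tokens = text.split()
    methods, i = [], 0
    while i < len(tokens):
        if tokens[i] == "group" and i + 1 < len(tokens):
            methods.append(f"group {tokens[i + 1]}")
            i += 2
        else:
            methods.append(tokens[i])
            i += 1
    return methods

def audit_aaa(config):
    """Return (line, finding) tuples for risky AAA method lists."""
    findings = []
    for line in config.splitlines():
        m = AAA_RE.match(line.strip())
        if not m:
            continue  # not a method-list line (e.g. 'aaa new-model')
        methods = parse_methods(m.group("methods"))
        # A trailing 'none' means: if every earlier method is unreachable,
        # authorization succeeds without any check at all.
        if m.group("kind") == "authorization" and methods[-1] == "none":
            findings.append((line, "fallback 'none' grants access when RADIUS is down; use 'local'"))
        # Per-command authorization needs TACACS+; a RADIUS-only list fails
        # with 'RADIUS: Command authorization not supported'.
        if m.group("service") == "commands" and "group radius" in methods \
                and "group tacacs+" not in methods:
            findings.append((line, "RADIUS cannot authorize individual commands; use TACACS+"))
    return findings
```

Running audit_aaa(SAMPLE_CONFIG) reports the exec list once and the commands 7 list twice, while the network list passes.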