New Member

CISCO Protocol entries in RADIUS A/V pairs

Could anyone give me a link to a full resource of CISCO protocol entries in RADIUS A/V pairs.

I know that shell: and ip: are such protocol entries but I would like to have a full description of all protocol entries.

any help would be greatly appreciated
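As an added example (not code from the thread or from Cisco), the following Python shows what a "protocol:attribute=value" entry such as shell:priv-lvl=7 or ip:inacl#1=... actually looks like on the wire: a RADIUS Vendor-Specific attribute (type 26, RFC 2865) carrying Cisco's vendor id 9 and the Cisco-AVPair sub-attribute (vendor-type 1). It assumes Cisco's documented AV pair syntax, "=" for mandatory and "*" for optional pairs, and the sample attribute bytes are constructed here. The decoder rejects truncated attributes and ignores other vendors' VSAs, which is the behaviour a NAS needs before it trusts a priv-lvl from an Access-Accept.

```python
"""
Encode and decode Cisco-AVPair entries inside RADIUS Vendor-Specific attributes.

Added example, not code from the original thread. Assumptions: Cisco's IANA
vendor id is 9, Cisco-AVPair is vendor-type 1, and AV pairs follow the syntax
protocol:attribute=value (mandatory) or protocol:attribute*value (optional).
"""
import struct
from typing import Iterator, List, Tuple

ATTR_VENDOR_SPECIFIC = 26          # RFC 2865 Vendor-Specific attribute type
CISCO_VENDOR_ID = 9                # IANA enterprise number for Cisco
CISCO_AVPAIR = 1                   # vendor-type of Cisco-AVPair inside the VSA
MAX_AVPAIR_LEN = 255 - 2 - 4 - 2   # outer TLV header + vendor id + inner TLV header


def encode_cisco_avpair(text: str) -> bytes:
    """Wrap one 'protocol:attribute=value' string in a Cisco VSA (attribute 26)."""
    value = text.encode("ascii")
    if not value or len(value) > MAX_AVPAIR_LEN:
        raise ValueError("AV pair must be 1..%d bytes" % MAX_AVPAIR_LEN)
    inner = struct.pack("!BB", CISCO_AVPAIR, 2 + len(value)) + value
    body = struct.pack("!I", CISCO_VENDOR_ID) + inner
    return struct.pack("!BB", ATTR_VENDOR_SPECIFIC, 2 + len(body)) + body


def iter_tlvs(data: bytes) -> Iterator[Tuple[int, bytes]]:
    """Walk RADIUS type/length/value triples; reject truncated or zero-length ones."""
    off = 0
    while off < len(data):
        if off + 2 > len(data):
            raise ValueError("truncated attribute header")
        atype, alen = data[off], data[off + 1]
        if alen < 2 or off + alen > len(data):
            raise ValueError("bad attribute length %d at offset %d" % (alen, off))
        yield atype, data[off + 2:off + alen]
        off += alen


def split_avpair(text: str) -> Tuple[str, str, str, bool]:
    """'shell:priv-lvl=7' -> ('shell', 'priv-lvl', '7', True); True means mandatory."""
    proto, colon, rest = text.partition(":")
    if not colon:
        raise ValueError("missing protocol prefix in %r" % text)
    seps = [rest.index(s) for s in "=*" if s in rest]
    if not seps:
        raise ValueError("missing '=' or '*' separator in %r" % text)
    pos = min(seps)                 # whichever separator comes first
    return proto, rest[:pos], rest[pos + 1:], rest[pos] == "="


def parse_cisco_avpairs(attrs: bytes) -> List[Tuple[str, str, str, bool]]:
    """Extract every Cisco-AVPair from the attribute section of a RADIUS packet."""
    pairs = []
    for atype, value in iter_tlvs(attrs):
        if atype != ATTR_VENDOR_SPECIFIC or len(value) < 4:
            continue
        vendor_id = struct.unpack("!I", value[:4])[0]
        if vendor_id != CISCO_VENDOR_ID:
            continue                # another vendor's VSA: not ours to interpret
        for vtype, vvalue in iter_tlvs(value[4:]):
            if vtype == CISCO_AVPAIR:
                pairs.append(split_avpair(vvalue.decode("ascii", "replace")))
    return pairs


def exec_privilege_level(attrs: bytes) -> int:
    """Return the shell:priv-lvl granted by the server, or 1 (user EXEC) if absent."""
    for proto, attr, val, _mandatory in parse_cisco_avpairs(attrs):
        if proto == "shell" and attr == "priv-lvl":
            level = int(val)
            if not 0 <= level <= 15:
                raise ValueError("priv-lvl out of range: %d" % level)
            return level
    return 1


if __name__ == "__main__":
    # Constructed Access-Accept attribute section: an exec level plus an ACL entry
    sample = (encode_cisco_avpair("shell:priv-lvl=7")
              + encode_cisco_avpair("ip:inacl#1=permit ip any any"))
    for pair in parse_cisco_avpairs(sample):
        print(pair)
    print("exec privilege level:", exec_privilege_level(sample))
```

Note that nothing here carries a command name: the "shell" protocol entries describe the EXEC session the user gets (privilege level, autocommand, ACLs), which is why these pairs can authorize an exec session but not individual commands.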

9 REPLIES
New Member

Re: CISCO Protocol entries in RADIUS A/V pairs

New Member

Re: CISCO Protocol entries in RADIUS A/V pairs

Thanks,

I've read them, but the answer is not there.

New Member

Re: CISCO Protocol entries in RADIUS A/V pairs

New Member

Re: CISCO Protocol entries in RADIUS A/V pairs

Also take a look at these RFCs 2865-2869

New Member

Re: CISCO Protocol entries in RADIUS A/V pairs

Thank you very much... I found the answer there, but I have another question:

Could I make my NAS ask the RADIUS server for authorization of every command performed by a user?

New Member

Re: CISCO Protocol entries in RADIUS A/V pairs

I have the following configuration:

hostname Reserve
!
logging rate-limit console 10 except errors
aaa new-model
aaa authentication login default group radius local
aaa authorization config-commands
aaa authorization exec default group radius none
aaa authorization commands 7 default group radius none
aaa authorization network default group radius
enable secret level 7 5 $1$Okb9$1B.pYCB3ccTOJXj9bchrD/
enable secret level 10 5 $1$WSXo$7OA2v/caiqJX.3CMijtcB0
enable secret 5 $1$nDrE$/CuSB04WniloBQ3h6a77J0
enable password 7 14141B180F0B
!
username cisco password 7 0822455D0A16
ip subnet-zero
!
!
no ip finger
no ip domain-lookup
!
!
!
!
interface FastEthernet0/0
 ip address 172.16.3.15 255.255.255.0
 duplex auto
 speed auto
!
interface Serial0/0
 no ip address
 shutdown
!
ip classless
no ip http server
!
radius-server host 172.16.3.69 auth-port 1812 acct-port 1813
radius-server retransmit 3
radius-server key 7 104D000A0618
privilege configure level 7 terminal
privilege configure level 7 conf t
privilege exec level 7 configure
privilege exec level 7 configure terminal
!
line con 0
 transport input none
line aux 0
line vty 0 4
 exec-timeout 0 0
!
no scheduler allocate
end

One of my users is authorized by the RADIUS server at priv-lvl=7, but when this user tries to run the command conf t, the following messages are logged:

tty67 AAA/AUTHOR/CMD (3442162769): Port='tty67' list='' service=CMD
1d23h: AAA/AUTHOR/CMD: tty67 (3442162769) user='lora1'
1d23h: tty67 AAA/AUTHOR/CMD (3442162769): send AV service=shell
1d23h: tty67 AAA/AUTHOR/CMD (3442162769): send AV cmd=configure
1d23h: tty67 AAA/AUTHOR/CMD (3442162769): send AV cmd-arg=terminal
1d23h: tty67 AAA/AUTHOR/CMD (3442162769): send AV cmd-arg=
1d23h: tty67 AAA/AUTHOR/CMD (3442162769): found list "default"
1d23h: tty67 AAA/AUTHOR/CMD (3442162769): Method=radius (radius)
1d23h: RADIUS: Command authorization not supported
1d23h: RADIUS: result does not match status after CMD
1d23h: AAA/AUTHOR (3442162769): Post authorization status = FAIL

Any help would be greatly appreciated
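As an added example (not from the thread), here is a small Python triage script for IOS debug aaa authorization output of the kind quoted above. It groups the AAA/AUTHOR/CMD lines by transaction id, rebuilds the command from the cmd and cmd-arg AV pairs, records the method and the final status, and attaches the id-less "RADIUS: Command authorization not supported" line to the transaction in progress. The embedded sample reuses the debug lines from the post above and adds one constructed TACACS+ transaction (id 42, user admin) for contrast; the TACACS+ lines and the PASS_ADD status are my assumption about the format, not taken from the post.

```python
"""
Triage 'debug aaa authorization' output for command-authorization transactions.

Added example, not code from the original thread. Sample input: the debug lines
quoted in the post above, plus one constructed TACACS+ transaction (id 42).
"""
import re
from typing import Dict, List

RE_START = re.compile(r"AAA/AUTHOR/CMD \((\d+)\): Port='([^']*)' list='([^']*)' service=(\S+)")
RE_USER = re.compile(r"AAA/AUTHOR/CMD: \S+ \((\d+)\) user='([^']*)'")
RE_AV = re.compile(r"AAA/AUTHOR/CMD \((\d+)\): send AV ([^=\s]+)=(.*)$")
RE_METHOD = re.compile(r"AAA/AUTHOR/CMD \((\d+)\): Method=(\S+)")
RE_STATUS = re.compile(r"AAA/AUTHOR \((\d+)\): Post authorization status = (\S+)")
RE_NO_CMD_AUTHZ = re.compile(r"RADIUS: Command authorization not supported")

SAMPLE_DEBUG = """\
tty67 AAA/AUTHOR/CMD (3442162769): Port='tty67' list='' service=CMD
1d23h: AAA/AUTHOR/CMD: tty67 (3442162769) user='lora1'
1d23h: tty67 AAA/AUTHOR/CMD (3442162769): send AV service=shell
1d23h: tty67 AAA/AUTHOR/CMD (3442162769): send AV cmd=configure
1d23h: tty67 AAA/AUTHOR/CMD (3442162769): send AV cmd-arg=terminal
1d23h: tty67 AAA/AUTHOR/CMD (3442162769): send AV cmd-arg=
1d23h: tty67 AAA/AUTHOR/CMD (3442162769): found list "default"
1d23h: tty67 AAA/AUTHOR/CMD (3442162769): Method=radius (radius)
1d23h: RADIUS: Command authorization not supported
1d23h: RADIUS: result does not match status after CMD
1d23h: AAA/AUTHOR (3442162769): Post authorization status = FAIL
tty68 AAA/AUTHOR/CMD (42): Port='tty68' list='' service=CMD
1d23h: AAA/AUTHOR/CMD: tty68 (42) user='admin'
1d23h: tty68 AAA/AUTHOR/CMD (42): send AV service=shell
1d23h: tty68 AAA/AUTHOR/CMD (42): send AV cmd=show
1d23h: tty68 AAA/AUTHOR/CMD (42): send AV cmd-arg=running-config
1d23h: tty68 AAA/AUTHOR/CMD (42): send AV cmd-arg=
1d23h: tty68 AAA/AUTHOR/CMD (42): Method=tacacs+ (tacacs+)
1d23h: AAA/AUTHOR (42): Post authorization status = PASS_ADD
"""


def parse_author_debug(text: str) -> List[Dict]:
    """Group debug lines into one dict per authorization transaction id."""
    txns: Dict[str, Dict] = {}
    order: List[str] = []
    last = None

    def txn(tid: str) -> Dict:
        nonlocal last
        last = tid
        if tid not in txns:
            txns[tid] = {"id": tid, "avs": [], "notes": []}
            order.append(tid)
        return txns[tid]

    for line in text.splitlines():
        if m := RE_START.search(line):
            t = txn(m.group(1))
            t["port"], t["list"], t["service"] = m.group(2), m.group(3), m.group(4)
        elif m := RE_USER.search(line):
            txn(m.group(1))["user"] = m.group(2)
        elif m := RE_AV.search(line):
            txn(m.group(1))["avs"].append((m.group(2), m.group(3).strip()))
        elif m := RE_METHOD.search(line):
            txn(m.group(1))["method"] = m.group(2)
        elif m := RE_STATUS.search(line):
            txn(m.group(1))["status"] = m.group(2)
        elif RE_NO_CMD_AUTHZ.search(line) and last is not None:
            # This RADIUS line carries no id; attribute it to the transaction in progress
            txns[last]["notes"].append("radius-no-command-authorization")
    return [txns[t] for t in order]


def command_text(t: Dict) -> str:
    """Rebuild the command the NAS tried to authorize (cmd plus non-empty cmd-args)."""
    words = [v for k, v in t["avs"] if k == "cmd"]
    words += [v for k, v in t["avs"] if k == "cmd-arg" and v]   # skip the empty terminator
    return " ".join(words)


def diagnose(t: Dict) -> str:
    """One-line verdict: why a command authorization passed or failed."""
    cmd = command_text(t) or "<unknown>"
    who = "%s on %s" % (t.get("user", "?"), t.get("port", "?"))
    if t.get("service") == "CMD" and t.get("method") == "radius":
        return ("%s: '%s' denied (%s): RADIUS method reached for command authorization; "
                "'aaa authorization commands' needs a TACACS+ method list"
                % (who, cmd, t.get("status", "?")))
    if t.get("status", "").startswith("PASS"):
        return "%s: '%s' permitted by %s (%s)" % (who, cmd, t.get("method", "?"), t["status"])
    return "%s: '%s' result %s via %s" % (who, cmd, t.get("status", "?"), t.get("method", "?"))


if __name__ == "__main__":
    for txn_ in parse_author_debug(SAMPLE_DEBUG):
        print(diagnose(txn_))
```

Run against the quoted output it reports that lora1's "configure terminal" failed because the command authorization request reached the radius method, which is exactly the condition "aaa authorization commands 7 default group radius none" produces; the constructed TACACS+ transaction shows what a permitted command looks like in the same format.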

New Member

Re: CISCO Protocol entries in RADIUS A/V pairs

conf t is a priv-lvl 15 command by default.

You can change this in the IOS by using:

privilege exec level 7 configure terminal

I don't recommend doing this though unless you have a few groups with different levels of access.

If this is the case, enforce authorization for priv-lvl 15 commands and assign it to the user profile.

Another thing you should consider is creating a local user with priv-lvl 15 in case your connection to the AAA server goes down, so add local after radius:

aaa authentication login default group radius local
aaa authorization config-commands
aaa authorization exec default group radius local
aaa authorization commands 15 default group radius local
username admin privilege 15 password

New Member

Re: CISCO Protocol entries in RADIUS A/V pairs

Thank you very much for answering... All I want is to authorize my commands, but it seems that the RADIUS protocol does not support per-command authorization. So, I installed a TACACS+ server.

I am not going to rate your answer, because I've already got one like this.

New Member

Re: CISCO Protocol entries in RADIUS A/V pairs

Good catch, it doesn't, because RADIUS uses one access request packet, in which authentication and authorization are part of the same request.

You can use it for exec, not command authorization.
