09-30-2002 02:18 PM - edited 02-21-2020 10:04 AM
I am attempting to set up my 6506 to use RADIUS authentication using my Windows 2000 accounts database. What I would like to do is make it so my Windows 2000 account (we'll call it "superuser" here) has level 15 access to the switch, with a local account called switchadmin as a backup, also with level 15 access. I would like all other accounts to have limited access. For example, give them access to the show start and show ip route commands.
So far, I have the following related commands configured.
aaa new-model
aaa group server radius TEST
server 172.16.255.31 auth-port 1812 acct-port 1813
aaa authentication login default local
username switchadmin password <password>
username superuser privilege 15
I know these commands are a sort of hodge podge of almost complete configurations for both local and RADIUS configs, but I'm having trouble figuring out where to go from here.
I'm having trouble understanding the aaa authorization methods and how they work. For example, what is the difference between command and exec?
Can you help me complete this configuration to allow RADIUS authentication as my default? Thanks in advance.
09-30-2002 10:16 PM
The authorization exec is used to check the user attributes such as privilege level, etc. Authorization commands is used when you need to authorize each command the user enters.
In your case you would need to use both.
The following links should help you with the configuration:
http://www.cisco.com/warp/public/480/8.shtml
As for the configuration on the server side, since you are using an external user database, you would need two groups in the W2K database and map them to two separate groups with different privileges on ACS.
Hope this helps,
-Nairi
10-01-2002 05:34 AM
Well, that didn't have the desired effect. Now I can't do anything but get to the enable prompt. Any suggestions?
10-01-2002 04:27 PM
Command authorization can only be done using TACACS.
In your case since you are using Radius, you can only restrict access for commands using the privilege levels locally on the router. For example you can assign priv 7 to a user and on the router locally move certain command to level 7. Hence level 7 users will only have access to specific commands. For more information:
http://www.cisco.com/warp/customer/480/PRIV.html
-Nairi
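An added example that pulls Nairi's two answers together into one IOS configuration. It is not from the original thread or from Cisco documentation: RADIUS is the default login and EXEC authorization method with local fallback, the superuser account gets level 15 from a RADIUS attribute rather than a local entry, the local switchadmin account is the level-15 backup, and show startup-config / show ip route are moved down to level 7 so that everyone else can run just those two commands. The server address, group name and account names are from the original post; the shared secret, passwords and the server-side attribute values are assumptions.

```cisco
! --- Switch side (IOS) ---
aaa new-model
!
! RADIUS server definition and the server group used in the method lists.
! The key is an assumed placeholder; the address/ports are from the post.
radius-server host 172.16.255.31 auth-port 1812 acct-port 1813 key <shared-secret>
aaa group server radius TEST
 server 172.16.255.31 auth-port 1812 acct-port 1813
!
! Login authentication: ask the RADIUS group first. "local" is only consulted
! when no RADIUS server responds; an explicit Access-Reject does NOT fall through.
aaa authentication login default group TEST local
!
! EXEC authorization: without this line the privilege level returned by RADIUS
! is ignored and every user lands at level 1. Falls back to the local
! "privilege" keyword when RADIUS is unreachable.
aaa authorization exec default group TEST local
!
! Deliberately no "aaa authorization commands ..." lines: per-command
! authorization is a TACACS+ feature and has no RADIUS equivalent.
!
! Local backup administrator, used only while RADIUS is down. The original
! "username superuser privilege 15" entry is dropped on purpose: a local
! entry with no password is a liability, and the level now comes from RADIUS.
username switchadmin privilege 15 password <password>
!
! Move the two permitted commands to level 7. IOS automatically makes the
! parent keywords ("show", "show ip") available at that level as well.
privilege exec level 7 show startup-config
privilege exec level 7 show ip route
!
line vty 0 4
 login authentication default
 authorization exec default
!
! --- RADIUS server side (assumed attribute values, one profile per W2K group) ---
! Group "Switch-Admins" (contains superuser):
!   Service-Type = NAS-Prompt-User
!   Cisco-AVPair = "shell:priv-lvl=15"
! Group "Switch-Operators" (everyone else):
!   Service-Type = NAS-Prompt-User
!   Cisco-AVPair = "shell:priv-lvl=7"
```

Apply this with an existing console or vty session left open, then log in as each type of user and confirm the level with "show privilege": superuser should land at 15 and an operator at 7, where "show ip route" works and "configure terminal" is refused. Unplugging the RADIUS server and logging in as switchadmin exercises the local fallback path.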
10-02-2002 04:48 AM
Nairi,
Thanks for the info. I guess that would explain why every example I found for command authorizations used TACACS, eh?