RADIUS authentication with Windows 2000 server

edmonds_robert
Level 1

I am attempting to set up my 6506 to use RADIUS authentication using my Windows 2000 accounts database. What I would like to do is make it so my Windows 2000 account (we'll call it "superuser" here) has level 15 access to the switch, with a local account called switchadmin as a backup, also with level 15 access. I would like all other accounts to have limited access. For example, give them access to the show start and show ip route commands.

So far, I have the following related commands configured.

aaa new-model
!
! RADIUS server group is defined, but no method list references it yet
aaa group server radius TEST
 server 172.16.255.31 auth-port 1812 acct-port 1813
!
! login method list still consults only the local username database
aaa authentication login default local
!
! local backup account (no privilege level set, so it lands at level 1)
username switchadmin password <password>
! local entry carrying the privilege level, but with no password
username superuser privilege 15

I know these commands are a sort of hodge podge of almost complete configurations for both local and RADIUS configs, but I'm having trouble figuring out where to go from here.

I'm having trouble understanding the aaa authorization methods and how they work. For example, what is the difference between command and exec?

Can you help me complete this configuration to allow RADIUS authentication as my default? Thanks in advance.

4 Replies

Nairi Adamian
Cisco Employee

Authorization exec is used to check the user's attributes, such as privilege level. Authorization commands is used when you need to authorize each command the user enters.

In your case you would need to use both.

The following links should help you with the configuration:

http://www.cisco.com/warp/public/480/8.shtml

As for the configuration on the server side, since you are using an external user database, you would need two groups in the W2K database and map them to two separate groups with different privileges on ACS.

Hope this helps,

-Nairi

Well, that didn't have the desired effect. Now I can't do anything but get to the enable prompt. Any suggestions?

Command authorization can only be done using TACACS.

In your case, since you are using RADIUS, you can only restrict access to commands using the privilege levels locally on the router. For example, you can assign priv 7 to a user and, on the router, locally move certain commands to level 7. Hence level 7 users will only have access to specific commands. For more information:

http://www.cisco.com/warp/customer/480/PRIV.html

-Nairi
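The two replies above (exec authorization to apply the privilege level the RADIUS server returns, and local privilege levels instead of command authorization) combined into one worked configuration. This is an added example, not the original poster's config and not text from the Cisco links in the thread. It assumes the 6506 runs native IOS rather than CatOS, that the RADIUS server is the 172.16.255.31 host from the original post, and that the shared secret, the enable secret, the set of commands moved to level 7 and the CONSOLE method-list name are placeholders chosen for the example. It goes slightly beyond the thread by adding a local-only console list, which is the usual guard against locking yourself out while testing AAA.

```text
! RADIUS login with local fallback, exec authorization, and a restricted
! privilege level for everyone who is not "superuser".
! Added example; assumes native IOS on the 6506. 172.16.255.31 is the
! server from the original post; <shared-secret>, <password> and
! <enable-password> are placeholders.
aaa new-model
!
! The server must be defined globally before a group can reference it.
radius-server host 172.16.255.31 auth-port 1812 acct-port 1813 key <shared-secret>
aaa group server radius TEST
 server 172.16.255.31 auth-port 1812 acct-port 1813
!
! Login: ask RADIUS first. "local" is consulted only when no server in the
! group answers. A password that RADIUS rejects does NOT fall through to the
! local database, so switchadmin is a backup for a dead server, not a
! second way in.
aaa authentication login default group TEST local
!
! Exec authorization is what applies the privilege level the server sends
! back (cisco-avpair "shell:priv-lvl=N"). Without it every RADIUS user lands
! at level 1 no matter what the server returns. For the local fallback the
! level comes from the username line.
aaa authorization exec default group TEST local
!
! Deliberately no "aaa authorization commands": per-command authorization
! needs TACACS+, which is why the earlier attempt left only the enable
! prompt usable.
!
! Local backup administrator. "secret" stores an MD5 hash; on images too old
! to support it, use "password" plus "service password-encryption".
username switchadmin privilege 15 secret <password>
!
! Level 7 is the "limited" level the server hands to all other Windows
! accounts. A level-7 user gets everything at level 1 plus whatever is moved
! here. show startup-config defaults to level 15 and must be moved;
! show ip route is already a level-1 command, so it needs no entry.
privilege exec level 7 show startup-config
!
! Limited users reach level 15 only if they know this secret, so keep it to
! the administrators. RADIUS users returned with priv-lvl=15 never type it:
! exec authorization drops them straight into level 15.
enable secret <enable-password>
!
! Console keeps a local-only list so a RADIUS or server-side mistake cannot
! lock you out of the chassis while you test the vty lists.
aaa authentication login CONSOLE local
aaa authorization exec CONSOLE local
line con 0
 login authentication CONSOLE
 authorization exec CONSOLE
```

On the Windows 2000 side the switch has to be registered with IAS as a RADIUS client using the same shared secret, and two remote access policies are needed: one matching the Windows group that holds superuser and returning a Vendor-Specific attribute with vendor code 9 (Cisco), attribute number 1, string value shell:priv-lvl=15, and a second matching everyone else and returning shell:priv-lvl=7. After logging in over a vty, show privilege confirms the level that was applied; debug radius and debug aaa authorization show the attribute arriving and being acted on if it is not.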

Nairi,

Thanks for the info. I guess that would explain why every example I found for command authorizations used TACACS, eh?