04-28-2003 03:18 PM - edited 02-21-2020 10:06 AM
Hello all.
My co-worker and I are trying to get AAA working the way we want it to work with RADIUS ( which may not be possible). The following is the config we have on a 3548 XL switch:
aaa new-model
aaa authentication login default group radius local
aaa authorization exec default group radius
aaa accounting commands 15 default start-stop group radius
radius-server host X.X.X.X auth-port 1645 acct-port 1646
radius-server key xxxxxxx
From the switch, connectivity to the RADIUS server has been verified. What we have are two groups defined in the RADIUS server. One is called Cisco Admins and the other is Cisco Users. We want the Admins to have enable rights whereas the users just login rights. The way the config is set up above, the users in the admin group are able to login to the switch straight into enable mode. However, the userids in the users group are not able to login at all.
All I need is for the userids in the users group to be able to login without any enable rights. We have used the service-type settings in the RADIUS server to no avail. Does anyone else have this same setup or experienced the same problems?
Thanks ahead of time!
Way
04-28-2003 09:00 PM
If the admin users are going straight into enable mode, then you must have set the privilege level on the admin group to 15, probably by setting an AV pair of the type:
> shell:priv-lvl=15
or by setting the IETF Radius attribute 6, Service-Type, to "Administrative".
All you need to do for the user group is either send the AV pair "priv-lvl=1", or set the service-type attribute to Login. The users will login with privilege level 1, which is the normal login; if you then don't tell them what the enable password is, they won't have access to it. Because you've configured exec authorization, you do need to send down some exec parameter, otherwise they'll fail and not get in (which is what you're seeing).
If you want to specifically stop them typing the enable command, then that means you have to do command authorization, and that doesn't exist for Radius; you'd have to use TACACS for that. The simplest way is to change the enable password and don't tell anyone what it is. Your admins don't need to know what it is because they log straight into enable mode, and your users certainly don't need to know it.
04-29-2003 01:45 AM
When you said: "Because you've configured exec authorization, you do need to send down some exec parameter otherwise they'll fail and not get in (which is what you're seeing)"...did you mean that RADIUS should send the exec parameter? Or, did you mean I need a command that will decipher what the Service-Type is set? I was a little confused by this statement.
At this point, I would like the users group to just log into privilege level 1. When I get the users logging in normally and the admins logging into enable automatically, I will worry about restricting the enable command.
Please let me know what you think!
Thanks again for the help!
Way
05-04-2003 10:36 PM
Sorry for the delay in responding. I meant that the Radius server has to send something down for every user, since the router is expecting it. For your admin users, send down "priv-lvl=15", for your normal users send down "priv-lvl=1". That should get you going.
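The two answers above describe the same rule: with exec authorization pointed at RADIUS, every Access-Accept must carry an exec privilege (a cisco-avpair "shell:priv-lvl=N" or a Service-Type of Administrative/Login), and an Accept that carries neither leaves the user locked out. The following is an added example, not code from the thread or from Cisco, that builds constructed RADIUS attribute lists for the admin and user cases, parses them back, and returns the exec privilege level the switch would grant (None when the Accept carries no exec parameter). The attribute numbers, vendor ID 9 and the Service-Type values Login-User (1) and Administrative-User (6) are the standard RADIUS/Cisco values; the precedence rule (an explicit priv-lvl pair wins over Service-Type) and the helper names are this example's own assumptions.

```python
import re
import struct
from typing import List, Optional, Tuple

# Standard RADIUS attribute types and values (RFC 2865); Cisco VSA layout from Cisco's
# vendor-specific attribute documentation.
SERVICE_TYPE = 6
VENDOR_SPECIFIC = 26
CISCO_VENDOR_ID = 9
CISCO_AVPAIR = 1            # vendor-type 1 under vendor 9 is "cisco-avpair"
LOGIN_USER = 1              # Service-Type = Login  -> exec at privilege 1
ADMINISTRATIVE_USER = 6     # Service-Type = Administrative -> exec at privilege 15


def attr(attr_type: int, value: bytes) -> bytes:
    """Encode one RADIUS attribute as Type(1) Length(1, includes header) Value."""
    return bytes([attr_type, len(value) + 2]) + value


def service_type(value: int) -> bytes:
    """Build a Service-Type attribute (4-byte big-endian integer)."""
    return attr(SERVICE_TYPE, struct.pack("!I", value))


def cisco_avpair(text: str) -> bytes:
    """Build a Vendor-Specific attribute carrying one cisco-avpair string."""
    data = text.encode("ascii")
    vsa = bytes([CISCO_AVPAIR, len(data) + 2]) + data
    return attr(VENDOR_SPECIFIC, struct.pack("!I", CISCO_VENDOR_ID) + vsa)


def parse_attrs(payload: bytes) -> List[Tuple[int, bytes]]:
    """Split a concatenated attribute list into (type, value) pairs.

    Rejects truncated or zero-length entries instead of looping on them.
    """
    out, i = [], 0
    while i < len(payload):
        if i + 2 > len(payload):
            raise ValueError("truncated attribute header")
        attr_type, length = payload[i], payload[i + 1]
        if length < 2 or i + length > len(payload):
            raise ValueError("bad attribute length")
        out.append((attr_type, payload[i + 2:i + length]))
        i += length
    return out


def cisco_avpairs(attrs: List[Tuple[int, bytes]]) -> List[str]:
    """Extract every cisco-avpair string from the Vendor-Specific attributes."""
    pairs = []
    for attr_type, value in attrs:
        if attr_type != VENDOR_SPECIFIC or len(value) < 6:
            continue
        if struct.unpack("!I", value[:4])[0] != CISCO_VENDOR_ID:
            continue
        sub, j = value[4:], 0
        while j + 2 <= len(sub):
            sub_type, sub_len = sub[j], sub[j + 1]
            if sub_len < 2 or j + sub_len > len(sub):
                break
            if sub_type == CISCO_AVPAIR:
                pairs.append(sub[j + 2:j + sub_len].decode("ascii", "replace"))
            j += sub_len
    return pairs


def exec_privilege(payload: bytes) -> Optional[int]:
    """Return the exec privilege level an Access-Accept grants, or None.

    None models the thread's failure mode: exec authorization is on, but the
    Accept carries neither a priv-lvl pair nor a usable Service-Type, so the
    login is refused. Assumption of this example: an explicit priv-lvl wins.
    """
    attrs = parse_attrs(payload)
    for pair in cisco_avpairs(attrs):
        # Accept both "shell:priv-lvl=N" and the bare "priv-lvl=N" quoted in the thread.
        m = re.fullmatch(r"(?:shell:)?priv-lvl=(\d{1,2})", pair)
        if m and 0 <= int(m.group(1)) <= 15:
            return int(m.group(1))
    for attr_type, value in attrs:
        if attr_type == SERVICE_TYPE and len(value) == 4:
            st = struct.unpack("!I", value)[0]
            if st == ADMINISTRATIVE_USER:
                return 15
            if st == LOGIN_USER:
                return 1
    return None


# Constructed sample Access-Accept attribute lists for the three cases in the thread.
ADMIN_ACCEPT = cisco_avpair("shell:priv-lvl=15")   # Cisco Admins group
USER_ACCEPT = service_type(LOGIN_USER)             # Cisco Users group, fixed
EMPTY_ACCEPT = b""                                 # Cisco Users group as originally configured

if __name__ == "__main__":
    for name, accept in [("admin", ADMIN_ACCEPT), ("user", USER_ACCEPT), ("empty", EMPTY_ACCEPT)]:
        lvl = exec_privilege(accept)
        print(name, "-> exec denied" if lvl is None else f"-> privilege {lvl}")
```

Running the block prints privilege 15 for the admin Accept, privilege 1 for the user Accept, and "exec denied" for the empty one, which is the symptom the original poster described. When an exec authorization failure appears in the logs, checking the Accept's attributes this way (for example from a packet capture of the RADIUS exchange) separates "wrong privilege level" from "no exec parameter sent at all".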