Using RADIUS and AAA on IOS routers and switches to secure logins.

w.brunson (Level 1)

Hello all.

My co-worker and I are trying to get AAA working the way we want it to with RADIUS (which may not be possible). The following is the config we have on a 3548 XL switch:

aaa new-model
! RADIUS is tried first; the local user database is only consulted if no RADIUS server answers
aaa authentication login default group radius local
! the exec shell itself is authorized by RADIUS, so the Access-Accept must carry an exec-related attribute
aaa authorization exec default group radius
aaa accounting commands 15 default start-stop group radius
! 1645/1646 are the legacy RADIUS ports; RFC 2865/2866 assign 1812/1813
radius-server host X.X.X.X auth-port 1645 acct-port 1646
radius-server key xxxxxxx

From the switch, connectivity to the RADIUS server has been verified. We have two groups defined on the RADIUS server: one is called Cisco Admins and the other Cisco Users. We want the Admins to have enable rights, whereas the users should have login rights only. With the config set up as above, the users in the admin group are able to log in to the switch straight into enable mode. However, the user IDs in the users group are not able to log in at all.

All I need is for the user IDs in the users group to be able to log in without any enable rights. We have tried the service-type settings on the RADIUS server to no avail. Does anyone else have this same setup, or has anyone experienced the same problem?

Thanks ahead of time!

Way

3 Replies

gfullage (Cisco Employee)

If the admin users are going straight into enable mode, then you must have set the privilege level on the admin group to 15, probably by setting an AV pair of the type:

> shell:priv-lvl=15

or by setting the IETF Radius attribute 6, Service-Type, to "Administrative".

All you need to do for the user group is either send the AV pair "priv-lvl=1" or set the Service-Type attribute to Login. The users will log in with privilege level 1, which is the normal login; if you then don't tell them what the enable password is, they won't have access to it. Because you've configured exec authorization, you do need to send down some exec parameter, otherwise they'll fail and not get in (which is what you're seeing).

If you want to specifically stop them typing the enable command, then that means you have to do command authorization, and that doesn't exist for RADIUS; you'd have to use TACACS for that. The simplest way is to change the enable password and not tell anyone what it is: your admins don't need to know it because they log straight into enable mode, and your users certainly don't need to know it.
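As an added illustration (not code from this thread, from Cisco, or from any RADIUS server product), the following Python builds the attribute section of a RADIUS Access-Accept the way the reply above describes, for each of the three cases, and then applies a simplified model of the decision the switch makes once `aaa authorization exec default group radius` is configured: a Cisco-AVPair priv-lvl wins, otherwise Service-Type Administrative maps to level 15 and Login to level 1, and a reply carrying nothing exec-related is refused. The wire encoding is the standard one (IETF attribute 6 Service-Type; attribute 26 Vendor-Specific with Cisco's enterprise number 9 and sub-type 1 Cisco-AVPair, per RFC 2865 and Cisco's VSA format); the `exec_privilege()` logic and the sample payloads are constructed for the example and are not the IOS implementation.

```python
import struct

# IETF RADIUS attribute types (RFC 2865)
ATTR_SERVICE_TYPE = 6
ATTR_VENDOR_SPECIFIC = 26
# Service-Type values (RFC 2865)
SERVICE_TYPE_LOGIN = 1
SERVICE_TYPE_ADMINISTRATIVE = 6
# Cisco VSA: Vendor-Id 9 (IANA enterprise number), sub-type 1 = Cisco-AVPair
VENDOR_CISCO = 9
CISCO_AVPAIR = 1


def attribute(attr_type, value):
    """Encode one RADIUS attribute as Type(1) Length(1) Value, length includes the header."""
    if len(value) > 253:
        raise ValueError("RADIUS attribute value too long")
    return struct.pack("!BB", attr_type, 2 + len(value)) + value


def service_type(code):
    """Attribute 6 carries a 4-byte big-endian integer."""
    return attribute(ATTR_SERVICE_TYPE, struct.pack("!I", code))


def cisco_avpair(text):
    """Attribute 26 with Vendor-Id 9 followed by one Cisco-AVPair sub-attribute (sub-type, sub-length, string)."""
    sub = struct.pack("!BB", CISCO_AVPAIR, 2 + len(text)) + text.encode("ascii")
    return attribute(ATTR_VENDOR_SPECIFIC, struct.pack("!I", VENDOR_CISCO) + sub)


def parse_attributes(payload):
    """Split the attribute section of an Access-Accept into (type, value) pairs, rejecting bad lengths."""
    attrs, i = [], 0
    while i < len(payload):
        if i + 2 > len(payload):
            raise ValueError("truncated attribute header")
        attr_type, length = payload[i], payload[i + 1]
        if length < 2 or i + length > len(payload):
            raise ValueError("bad attribute length")
        attrs.append((attr_type, payload[i + 2:i + length]))
        i += length
    return attrs


def exec_privilege(payload):
    """Model (not IOS code) of the exec privilege the switch ends up with.
    Returns 15 or 1, or None when the reply carries nothing exec authorization can use,
    which is the 'cannot log in at all' case from the thread."""
    priv_lvl, stype = None, None
    for attr_type, value in parse_attributes(payload):
        if attr_type == ATTR_SERVICE_TYPE and len(value) == 4:
            stype = struct.unpack("!I", value)[0]
        elif attr_type == ATTR_VENDOR_SPECIFIC and len(value) >= 6:
            vendor = struct.unpack("!I", value[:4])[0]
            sub_type, sub_len = value[4], value[5]
            if vendor == VENDOR_CISCO and sub_type == CISCO_AVPAIR:
                text = value[6:4 + sub_len].decode("ascii", "replace")
                key, _, val = text.partition("=")
                # the thread writes both "shell:priv-lvl=N" and bare "priv-lvl=N"; accept both here
                if key in ("shell:priv-lvl", "priv-lvl") and val.isdigit():
                    priv_lvl = int(val)
    if priv_lvl is not None:
        return priv_lvl
    if stype == SERVICE_TYPE_ADMINISTRATIVE:
        return 15
    if stype == SERVICE_TYPE_LOGIN:
        return 1
    return None


# Constructed sample Access-Accept attribute sections for the three groups discussed
ADMIN_ACCEPT = cisco_avpair("shell:priv-lvl=15")                                   # "Cisco Admins"
USER_ACCEPT = service_type(SERVICE_TYPE_LOGIN) + cisco_avpair("shell:priv-lvl=1")  # "Cisco Users", fixed
EMPTY_ACCEPT = b""                                                                  # nothing exec-related

if __name__ == "__main__":
    for name, payload in (("admin", ADMIN_ACCEPT), ("user", USER_ACCEPT), ("empty", EMPTY_ACCEPT)):
        print(name, exec_privilege(payload))
```

On a real IOS device the attribute is spelled `shell:priv-lvl=N` inside Cisco-AVPair; the model accepts the bare `priv-lvl=N` spelling only because the reply uses it. The `EMPTY_ACCEPT` case is the one worth checking against a packet capture when a group cannot log in: an Access-Accept with no Service-Type and no Cisco-AVPair is exactly what exec authorization rejects.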

When you said: "Because you've configured exec authorization, you do need to send down some exec parameter otherwise they'll fail and not get in (which is what you're seeing)"... did you mean that RADIUS should send the exec parameter? Or did you mean I need a command that will decipher what the Service-Type is set to? I was a little confused by this statement.

At this point, I would like the users group to just log into privilege level 1. When I get the users logging in normally and the admins logging into enable automatically, I will worry about restricting the enable command.

Please let me know what you think!

Thanks again for the help!

Way

Sorry for the delay in responding. I meant that the RADIUS server has to send something down for every user, since the router is expecting it. For your admin users, send down "priv-lvl=15"; for your normal users, send down "priv-lvl=1". That should get you going.