Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. If you'd prefer to explore, try our test area to get started. And see here for current known issues.

New Member

Using RADIUS and AAA on IOS routers and switches to secure logins.

Hello all.

My co-worker and I are trying to get AAA working the way we want it to work with RADIUS ( which may not be possible). The following is the config we have on a 3548 XL switch:

aaa new-model

aaa authentication login default group radius local

aaa authorization exec default group radius

aaa accounting commands 15 default start-stop group radius

radius-server host X.X.X.X auth-port 1645 acct-port 1646

radius-server key xxxxxxx

From the switch, connectivity to the RADIUS server has been verified. What we have are two groups defined in the RADIUS server. One is called Cisco Admins and the other is Cisco Users. We want the Admins to have enable rights whereas the users just login rights. The way the config is set up above, the users in the admin group are able to login to the switch straight into enable mode. However, the userids in the users group are not able to login at all.

All I need is for the userids in the users group to be able to login without and enable rights. We have used the service-type settings in the RADIUS server with no avail. Does anyone else have this same setup or experienced the same problems?

Thanks ahead of time!

Way

3 REPLIES
Cisco Employee

Re: Using RADIUS and AAA on IOS routers and switches to secure l

If the admin users are going straight into enable mode, then you must have set the privilege level on the admin group to 15, probably by setting a AV pair of the type:

> shell:priv-lvl=15

or by setting the IETF Radius attribute 6, Service-Type, to "Administrative".

All you need to do is for the user group, either send the AV pair "priv-lvl=1", or set the service-type attribute to Login. The users will login with privilegel level 1 which is the normal login, if you then don't tell them what the enable password is then they won't have access to it. Because you've configured exec authorization, you do need to send down some exec parameter otherwise they'll fail and not get in (which is what you're seeing).

If you want to specifically stop them typing the enable command, then that means you have to do command authorization, and that doesn't exist for Radius, you'd have to use TACACS for that. Simplest way is to change the enable password and don't tell anyone what it is, your admins don't need to know what it is cause the log straight into enable mode, and your users certainly don't need to know it.

New Member

Re: Using RADIUS and AAA on IOS routers and switches to secure l

When you said: "Because you've configured exec authorization, you do need to send down some exec parameter otherwise they'll fail and not get in (which is what you're seeing)"...did you mean that RADIUS should send the exec parameter? Or, did you mean I need a command that will decipher what the Service-Type is set? I was a little confused by this statement.

At this point, I would like the users group to just log into priviledge level 1. When I get the users logging in normal and the admins loging into enable automatically I will worry about restricting the enable command.

Please let me know what you think!

Thanks again for the help!

Way

Cisco Employee

Re: Using RADIUS and AAA on IOS routers and switches to secure l

Sorry for the delay in responding. I meant that the Radius server has to send something down for every user, since the router is expecting it. For your admin users, send down "priv-lvl=15", for your normal users send down "priv-lvl=1". That should get you going.

399
Views
0
Helpful
3
Replies