05-12-2008 07:43 AM - edited 03-05-2019 10:54 PM
Hi
I've set up RADIUS authentication on my 3560 switch, what I'd like to do next is set up authorization but I'm struggling to find much on this. In particular I'm actually looking for the process of assigning particular commands to a user, can someone please advise me on this?
So for example I want user joe to be allowed to go into interface and vlan configuration mode and run some show commands but restrict access to all the others, any thoughts?
Thanks
Dan
05-12-2008 09:07 AM
Try this config.
aaa new-model
! login authentication: RADIUS with local fallback on the vty lines, nothing on console/aux
aaa authentication login vtyline group radius local
aaa authentication login con-none none
! exec (shell) authorization, same split between vty and console/aux
aaa authorization exec vtyexec group radius local
aaa authorization exec conexec none
! per-command authorization lists for privilege levels 1, 10 and 15
aaa authorization commands 1 comm1 group radius local
aaa authorization commands 1 comm-con-none none
aaa authorization commands 10 comm10 group radius local
aaa authorization commands 10 comm-con-none none
aaa authorization commands 15 comm15 group radius local
aaa authorization commands 15 comm-con-none none
!
username user1 privilege 10 password 7 user1
username user2 privilege 15 password 7 user1
!
! "show run" becomes a level-10 command; the rest of the show tree is raised to level 15
privilege exec level 10 show run
privilege exec level 15 show
!
line con 0
 exec-timeout 0 0
 authorization commands 1 comm-con-none
 authorization commands 10 comm-con-none
 authorization commands 15 comm-con-none
 authorization exec conexec
 login authentication con-none
line aux 0
 authorization commands 1 comm-con-none
 authorization commands 10 comm-con-none
 authorization commands 15 comm-con-none
 authorization exec conexec
 login authentication con-none
line vty 0 4
 authorization commands 1 comm1
 authorization commands 10 comm10
 authorization commands 15 comm15
 authorization exec vtyexec
 login authentication vtyline
05-13-2008 01:08 AM
Hi
Thanks for the config.
Just a little question: if I have user Joe authenticating via RADIUS, how can I link the username, i.e. Joe, to the privilege level without having to specify a password in the local database? Basically we've got all user details in a single database with shared access via RADIUS and Active Directory.
In your example you've listed users locally, how could I link them through RADIUS?
Thanks
Dan
05-13-2008 02:43 AM
Dan, it is possible but you need to get the user to the privilege level. You can do this in two ways; one is to get the user to type enable:
enable password level 10 cisco
enable password level 15 c1sc0
Alternatively (and this is how I do it), you can send the enable level as a Cisco AV-pair from the RADIUS server so the user is automatically at the required privilege level when they authenticate. I use MS IAS and have multiple Remote Access policies defined on the servers. I have created security groups in AD - Cisco-Level-10, Cisco-Level-15 etc. I then make the user a member of the relevant group. I check for group membership via IAS and then map the user to the IAS policy. In each of the policies is a Cisco AV-pair to set the privilege level:
For level 15 users:
shell:priv-lvl=15
For level 10 users:
shell:priv-lvl=10
HTH
Andy
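As an added example (not from this thread, and not a Cisco or Microsoft tool): a small Python encoder/decoder for the Cisco AV-pair as it travels inside RADIUS attribute 26 (Vendor-Specific, Cisco enterprise number 9, vendor type 1), with a constructed Access-Accept attribute list so you can check in a capture whether the server really sent shell:priv-lvl and which level the switch will apply.

```python
import struct
from typing import Iterator, List, Optional, Tuple

RADIUS_VSA = 26          # RADIUS attribute 26, Vendor-Specific
CISCO_VENDOR_ID = 9      # IANA enterprise number for Cisco
CISCO_AVPAIR = 1         # vendor type 1 inside the Cisco VSA: cisco-avpair

def encode_cisco_avpair(avpair: str) -> bytes:
    """Build one Vendor-Specific attribute (type 26) carrying a Cisco AV-pair string."""
    value = avpair.encode("ascii")
    sub = struct.pack("!BB", CISCO_AVPAIR, 2 + len(value)) + value   # vendor type, vendor length
    body = struct.pack("!I", CISCO_VENDOR_ID) + sub                  # vendor id, then sub-attribute
    return struct.pack("!BB", RADIUS_VSA, 2 + len(body)) + body      # type, length, value

def iter_attributes(blob: bytes) -> Iterator[Tuple[int, bytes]]:
    """Walk a type/length/value attribute list; reject lengths that run past the buffer."""
    pos = 0
    while pos + 2 <= len(blob):
        atype, alen = blob[pos], blob[pos + 1]
        if alen < 2 or pos + alen > len(blob):
            raise ValueError("malformed RADIUS attribute at offset %d" % pos)
        yield atype, blob[pos + 2:pos + alen]
        pos += alen

def cisco_avpairs(blob: bytes) -> List[str]:
    """Return every cisco-avpair string in an attribute list; other vendors' VSAs are ignored."""
    found = []
    for atype, value in iter_attributes(blob):
        if atype != RADIUS_VSA or len(value) < 4:
            continue
        if struct.unpack("!I", value[:4])[0] != CISCO_VENDOR_ID:
            continue
        for vtype, vvalue in iter_attributes(value[4:]):
            if vtype == CISCO_AVPAIR:
                found.append(vvalue.decode("ascii", "replace"))
    return found

def privilege_level(blob: bytes) -> Optional[int]:
    """Level requested by shell:priv-lvl (0..15), or None when no valid pair is present."""
    for av in cisco_avpairs(blob):
        key, _, val = av.partition("=")
        if key.strip() == "shell:priv-lvl" and val.strip().isdigit() and 0 <= int(val) <= 15:
            return int(val)
    return None

# Constructed sample (not a real capture): attributes a Cisco-Level-15 policy would return in an
# Access-Accept, Service-Type = NAS-Prompt-User (7) followed by the AV-pair from the thread.
SAMPLE_LEVEL15_ACCEPT = struct.pack("!BBI", 6, 6, 7) + encode_cisco_avpair("shell:priv-lvl=15")

if __name__ == "__main__":
    print(cisco_avpairs(SAMPLE_LEVEL15_ACCEPT), privilege_level(SAMPLE_LEVEL15_ACCEPT))
```

The level this pair carries is applied at exec authorization; what the user can then type is still governed by the privilege level assigned to each command on the switch, since RADIUS carries no per-command authorization of its own.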
05-13-2008 03:03 AM
Andrew has a point there and I feel he has explained it best.
You can refer to this link on Cisco, but it has the username and password on the router.
http://www.cisco.com/en/US/tech/tk59/technologies_tech_note09186a008009465c.shtml