1.

To do this is not trivial. It will require you to put all the commands that you want the users to execute in a custom command level on the cisco router. For example you can think of all the allowed commands and put them in level 5.

Once you do that, you can now use radius to authorize the use of the commands in that command level, as such:

aaa new-model                                    # starting AAA services on the router

aaa authorization commands 5 default group radius   # All level 5 commands, which you have declared, are authorized against the radius server.

2. You have to have a way of identifying your users (e.g. by IP address, network address, etc.).

Assuming you have a user on address 10.0.3.3 allowed to use telnet, then allowing him/her is a question of doing the following in your ACL:

access-list 101 permit tcp host 10.0.3.3 any eq telnet   # Permit 10.0.3.3 to use telnet

access-list 101 deny tcp any any eq telnet               # Deny everyone else to use telnet

access-list 101 permit ip any any                        # Permit all other ip traffic

Just somewhere for you to start from.

Regards,

Herbert.
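As an added example (not part of Herbert's reply, and not taken from Cisco or FreeRADIUS documentation), the fragment below pulls the two pieces of advice above into one router configuration: the allowed commands are defined at privilege level 5, the router asks RADIUS for the exec level at login, and the ACL from the reply is applied to the interface the operators arrive on. The interface name, the RADIUS server address 10.0.3.10, the shared-secret placeholder, and the particular commands moved to level 5 are all assumptions chosen for illustration.

```cisco
! Added example, not from the original thread. Hypothetical interface,
! server address, shared secret and command list.
aaa new-model
aaa authentication login default group radius local
aaa authorization exec default group radius local
!
! Commands the operators may run, moved down to level 5 (examples only).
! Everything left at level 15 stays out of reach for a level-5 session.
privilege exec level 5 show running-config
privilege exec level 5 show ip route
privilege exec level 5 show interfaces
privilege exec level 5 ping
!
! RADIUS server that FreeRADIUS runs on (placeholder address and secret).
radius-server host 10.0.3.10 key RADIUS_SECRET_PLACEHOLDER
!
! ACL from the reply: only 10.0.3.3 may open telnet, everything else
! passes. The deny line is logged so refused attempts show up in syslog.
access-list 101 permit tcp host 10.0.3.3 any eq telnet
access-list 101 deny   tcp any any eq telnet log
access-list 101 permit ip any any
!
interface FastEthernet0/0
 ip access-group 101 in
!
line vty 0 4
 login authentication default
 authorization exec default
```

On the FreeRADIUS side the user's entry in the users file returns the reply items `Service-Type = NAS-Prompt-User` and `Cisco-AVPair = "shell:priv-lvl=5"`, which is what the `aaa authorization exec` line above consumes to drop the session straight into level 5. The restriction is then enforced by the router's own privilege-level boundary: a level-5 session can run only what has been defined at level 5 or below. RADIUS can hand back that level, but it does not carry per-command authorization requests the way TACACS+ does, so the set of `privilege exec level 5` lines is the real allow-list and deserves a careful review.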


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Lim Han Shyong
Sent: 06 December 2004 03:14
To: Free-Radius (E-mail)
Subject: Cisco Command authorization


Hi all:


      I would like to use freeradius to authenticate telnet service into cisco. It works after setup. So now my further questions are:

1. How do I configure the command authorization with freeradius? Which means I only allow the user to enter certain commands during the telnet session.

2. How do I build the access list to restrict which users can telnet?
