RE: Cisco Access Levels (Solution)
I was looking more for how to set up the server itself, but I figured that out. For those interested, here is the complete solution. In my particular situation, I needed different access permissions for the network engineering and network operations groups...

On the cisco side (very basic setup):

aaa new-model
aaa authentication login console radius [pick backup method!]
aaa authorization exec radius [pick backup method]
line con 0
 login authentication console
line vty 0 4
 login authentication console
line aux 0
 login authentication console

/usr/local/etc/raddb/users file:

DEFAULT Group == "neteng", Auth-Type := System
        Service-Type = Shell-User,
        cisco-avpair = "shell:priv-lvl=15"

DEFAULT Group == "netops", Auth-Type := System
        Service-Type = Shell-User,
        cisco-avpair = "shell:priv-lvl=1"

On the server itself: Set up a group called neteng, and assign engineers to this group. Set up a group called netops, and assign operations people to this group.

--

> > I want to set the server up to authenticate/authorize telnet access against
> > the local linux user database. I need one group of users to have regular old
> > login access, and the other to have privilege level (15) access.
> >
> > If there is an example of this somewhere, just point the way.
> >
> > -B

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
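The matching logic behind the two DEFAULT entries in the solution above, as an added example (not code from the original post, and not FreeRADIUS's own implementation): a small Python model of first-match processing of a users file, with group membership constructed inline in place of the server's /etc/group, plus the on-the-wire encoding of cisco-avpair as an RFC 2865 Vendor-Specific attribute (vendor id 9, vendor type 1). It shows the ordering point a practitioner should check before relying on this setup: a user who is in both neteng and netops gets the first entry that matches (priv-lvl 15 here), and a user in neither group matches no entry at all. The password check implied by Auth-Type := System and the Fall-Through reply item are not modelled.

```python
import re
import struct

# Constructed sample: the two DEFAULT entries from the posted solution, in
# users-file layout (first line holds the check items, indented lines hold
# the reply items). Entries are tried top to bottom; the first match wins.
USERS_FILE = '''\
DEFAULT Group == "neteng", Auth-Type := System
        Service-Type = Shell-User,
        cisco-avpair = "shell:priv-lvl=15"

DEFAULT Group == "netops", Auth-Type := System
        Service-Type = Shell-User,
        cisco-avpair = "shell:priv-lvl=1"
'''

# Constructed group membership standing in for /etc/group on the server.
GROUPS = {
    "neteng": {"alice"},
    "netops": {"bob", "carol"},
}

# attribute, operator, value (quoted or bare); commas between items are skipped
ITEM_RE = re.compile(r'\s*([\w-]+)\s*(==|:=|=)\s*("[^"]*"|[^,\s]+)\s*')


def _split_items(text):
    return [(m.group(1), m.group(2), m.group(3).strip('"'))
            for m in ITEM_RE.finditer(text)]


def parse_users_file(text):
    """Return [(name, check_items, reply_items), ...] in file order."""
    entries = []
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if not line[0].isspace():                # new entry: "NAME check, check"
            name, _, rest = line.partition(" ")
            entries.append((name, _split_items(rest), []))
        else:                                    # indented continuation: reply items
            entries[-1][2].extend(_split_items(line))
    return entries


def matches(entry, username, groups):
    """Evaluate an entry's check items for one user (Group and User-Name only)."""
    name, checks, _ = entry
    if name != "DEFAULT" and name != username:
        return False
    for attr, op, val in checks:
        if op == ":=":          # Auth-Type := System sets a config item, it compares nothing
            continue
        if attr == "Group":
            if username not in groups.get(val, set()):
                return False
        elif attr == "User-Name":
            if username != val:
                return False
        else:                   # unknown check item: be conservative and refuse the match
            return False
    return True


def lookup(entries, username, groups):
    """First-match semantics: reply items of the first matching entry, else None (reject)."""
    for entry in entries:
        if matches(entry, username, groups):
            return {attr: val for attr, _, val in entry[2]}
    return None


def priv_level(reply):
    """Extract the IOS privilege level requested by a cisco-avpair reply item."""
    m = re.fullmatch(r"shell:priv-lvl=(\d+)", reply.get("cisco-avpair", ""))
    return int(m.group(1)) if m else None


CISCO_VENDOR_ID = 9       # IANA enterprise number for Cisco
CISCO_AVPAIR_TYPE = 1     # vendor type of cisco-avpair
VENDOR_SPECIFIC = 26      # RFC 2865 attribute type


def encode_cisco_avpair(value):
    """Bytes of the Vendor-Specific attribute carrying one cisco-avpair string."""
    data = value.encode()
    vsa = struct.pack("!BB", CISCO_AVPAIR_TYPE, 2 + len(data)) + data
    return (struct.pack("!BB", VENDOR_SPECIFIC, 2 + 4 + len(vsa))
            + struct.pack("!I", CISCO_VENDOR_ID) + vsa)


if __name__ == "__main__":
    entries = parse_users_file(USERS_FILE)
    for user in ("alice", "bob", "eve"):
        reply = lookup(entries, user, GROUPS)
        if reply is None:
            print(f"{user}: no matching entry (Access-Reject)")
        else:
            print(f"{user}: priv-lvl {priv_level(reply)}, "
                  f"VSA {encode_cisco_avpair(reply['cisco-avpair']).hex()}")
```

The ordering check is the one worth keeping in mind when the same person is added to both server groups: the neteng entry sits first, so that account gets level 15 regardless of its netops membership, and swapping the two entries would silently demote every engineer who is also in netops.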
Re: Cisco Access Levels
Robert LaGrasse <[EMAIL PROTECTED]> wrote:
> I want to set the server up to authenticate/authorize telnet access against
> the local linux user database. I need one group of users to have regular old
> login access, and the other to have privilege level (15) access.
>
> If there is an example of this somewhere, just point the way.

Look at the RADIUS requests coming in for each group of users, and construct 'users' file entries to match those requests, and give the response you want.

The server does not, and cannot, include example configurations for every single site-specific setup.

Alan DeKok.
Re: Cisco Access Levels
Actually, I believe this will work:

aaa new-model
!
!
aaa authentication login default local
aaa authentication login group radius
aaa authentication login localauth local group radius
aaa authorization exec default local group radius
aaa authorization network default local group radius
aaa accounting delay-start
aaa accounting exec default start-stop group radius
aaa accounting network default start-stop group radius
aaa session-id common

- Original Message -
From: "Steven Fries" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Thursday, July 31, 2003 6:38 AM
Subject: Re: Cisco Access Levels

> Refer to the cisco documentation under doc/cisco
>
> I use the local users on the router to authenticate telnet logins for
> simplicity, but you can do it with:
>
> aaa new-model
> aaa authentication login default group radius
> aaa authorization exec default group radius
> aaa authorization network default group radius
> aaa accounting delay-start
> aaa accounting exec default start-stop group radius
> aaa accounting network default start-stop group radius
> aaa processes 6
>
> If you wish to use the cisco's users as a backup, which I HIGHLY recommend,
> place local at the end of each line. If your radius server is
> misconfigured or down, the authentication will fall through to the cisco
> device itself.
>
> Steven
>
> - Original Message -
> From: "Robert LaGrasse" <[EMAIL PROTECTED]>
> To: <[EMAIL PROTECTED]>
> Sent: Wednesday, July 30, 2003 4:07 PM
> Subject: Cisco Access Levels
>
> > I want to set the server up to authenticate/authorize telnet access against
> > the local linux user database. I need one group of users to have regular old
> > login access, and the other to have privilege level (15) access.
> >
> > If there is an example of this somewhere, just point the way.
> >
> > -B
Re: Cisco Access Levels
Refer to the cisco documentation under doc/cisco

I use the local users on the router to authenticate telnet logins for simplicity, but you can do it with:

aaa new-model
aaa authentication login default group radius
aaa authorization exec default group radius
aaa authorization network default group radius
aaa accounting delay-start
aaa accounting exec default start-stop group radius
aaa accounting network default start-stop group radius
aaa processes 6

If you wish to use the cisco's users as a backup, which I HIGHLY recommend, place local at the end of each line. If your radius server is misconfigured or down, the authentication will fall through to the cisco device itself.

Steven

- Original Message -
From: "Robert LaGrasse" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Wednesday, July 30, 2003 4:07 PM
Subject: Cisco Access Levels

> I want to set the server up to authenticate/authorize telnet access against
> the local linux user database. I need one group of users to have regular old
> login access, and the other to have privilege level (15) access.
>
> If there is an example of this somewhere, just point the way.
>
> -B
Re: Cisco Access Levels
On Wed, 30 Jul 2003, Robert LaGrasse wrote:

Someone had a sample posted the other day. I don't recall the exact syntax, but you could start with something like this. When you define the user in the users file I believe you will use this as a reply item. I have not tried sending vendor specific attributes to a cisco, so maybe someone else can provide a little more information. Hope this helps.

cisco-avpair = "shell:priv-lvl=15"

John McKinney

> I want to set the server up to authenticate/authorize telnet access against
> the local linux user database. I need one group of users to have regular old
> login access, and the other to have privilege level (15) access.
>
> If there is an example of this somewhere, just point the way.
>
> -B
Cisco Access Levels
Hi All:

I didn't see this in the FAQ, but I'm sure someone has done this before:

I want to set the server up to authenticate/authorize telnet access against the local linux user database. I need one group of users to have regular old login access, and the other to have privilege level (15) access.

If there is an example of this somewhere, just point the way.

I'm a newbie here, so please be gentle :) Thanks in advance for your help.

-B