Re: Second level authentication..
On Fri 20 Jul 2007, ashish verma wrote:

> Hi Ivan,
> What I meant is you type enable but the password you give should be
> authenticated by the RADIUS server, not the enable password stored on the
> device. I am not sure whether it is possible or not. But just wanted to
> know from the experts.

Are you even reading the replies that people send you? This is the 3rd time we are giving you the same link. Stop. Drink a coffee and read:

http://wiki.freeradius.org/Cisco

If you don't understand it, READ IT AGAIN!

--
Peter Nixon
http://peternixon.net/

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Second level authentication..
On 20/7/2007, ashish verma [EMAIL PROTECTED] wrote:

> I don't want the user to go directly into priv mode.
> Through priv level = 15 we directly get into priv level, right?
> What I am looking for is: first the user gets into user level and
> then, with another password, into level 2 (not with enable password).
> It should be through the RADIUS server.
>
> Hi Ivan,
> What I meant is you type enable but the password you give should be
> authenticated by the RADIUS server, not the enable password stored on
> the device. I am not sure whether it is possible or not. But just
> wanted to know from the experts.
>
> Thanks,
> Ashish

OK. I'm done with flaming, let's go over the things you can and can't do:

- you can store enable passwords on the RADIUS server instead of locally
- you can't use RADIUS and not use a machine-specific enable password [av: "(not with enable password)"]
- you can use RADIUS as a single-step authentication method to give users access to privileged mode directly by returning the priv-lvl attribute in their profile (leave out the priv-lvl attribute if you don't want them to have privileged access)
- you can't use a single authentication method and have different passwords for different access levels *unless* the enable password is machine-specific (i.e. the same one for all users)
- if you want different passwords for user and privileged modes you will need to use two different authentication methods (RADIUS and TACACS+):

    aaa authentication login default group radius
    aaa authentication enable default group tacacs+

  Now the user will log onto the device with his RADIUS password and he will be prompted for username/password by TACACS+ when he types enable.

I don't think that you can use authorization (aaa authorization exec ...) in this scenario. You have to return priv-lvl 15 for enable to gain privileged access, but that authorization will be passed on to login users as well (you can't split user exec and privileged exec authorization, at least I don't know a way), giving them privileged access straight away and defeating the second level authentication. And I can't predict how well things would work without authorization. My guess is that they will, but you won't be able to return any parameters to the user (no privilege or command restrictions etc.).

Ivan Kalik
Kalik Informatika ISP
Re: Second level authentication.
You want a shell user to get to privilege mode without typing enable and knowing the enable password? I am quite certain that Cisco spent many years making sure that's impossible. If you find a way to do that you can blackmail them for a hell of a lot of money.

Ivan Kalik
Kalik Informatika ISP

On 19/7/2007, ashish verma [EMAIL PROTECTED] wrote:

> Hi Stefan,
> I read the document and thanks for giving the link, that was helpful.
> Well, I think I put my question in a wrong way. Let me put it in a
> different way. I don't want the user to go directly into priv mode.
> Through priv level = 15 we directly get into priv level, right? What I
> am looking for is: first the user gets into user level and then, with
> another password, into level 2 (not with enable password). It should be
> through the RADIUS server.
>
> Ashish
Re: Second level authentication.
Hi ashish,

First of all, why do you need such a setup?

Afaik, Cisco will send a request to RADIUS for user '$enable15$' whenever someone tries to "enable". Run freeradius in debug mode (radiusd -X) and then log in as one of your users. Type "enable" and the Cisco will send a request to radiusd. From the debugging session, save that request. Log out, log in on the Cisco as another username. Type "enable" and the same password. From the debugging radius session, save the new request.

If you see any relevant differences between the two requests, you may be able to make freeradius do what you want. If the requests are the same, you realize there is no way to figure out the user behind each request.

Best regards,
Claudiu Filip
@:[EMAIL PROTECTED]
Http://www.globtel.ro
T:+40344880100
F:+40344880113

Thursday, July 19, 2007, 7:51:30 PM, you wrote:

> I don't want the user to go directly into priv mode. Through priv level
> = 15 we directly get into priv level, right? What I am looking for is:
> first the user gets into user level and then, with another password,
> into level 2 (not with enable password). It should be through the RADIUS
> server.
>
> Ashish
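A worked model of the two points made above (Ivan: privileged access is granted by returning priv-lvl in the profile; Claudiu: an IOS "enable" arrives at RADIUS as user '$enable15$', so the server cannot tell which login user typed it). This is an added example, not code from the thread, from Cisco or from FreeRADIUS. It builds the Access-Request IOS is described as sending for "enable", decodes it the way a RADIUS server does (RFC 2865 User-Password hiding), and builds the Access-Accept that carries shell:priv-lvl=15 as a cisco-avpair. The shared secret, NAS address and passwords are constructed values; the exact attribute set IOS includes in an enable request varies by release and is an assumption here.

```python
"""RADIUS packet model of a Cisco IOS RADIUS-backed "enable" (added example).

Constructed packets and secret, not captured traffic. Attribute set sent by
IOS on "enable" is assumed (User-Name, User-Password, NAS-IP-Address only).
"""
import hashlib
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2
# RFC 2865 attribute types used below
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS, VENDOR_SPECIFIC = 1, 2, 4, 26
CISCO_VENDOR_ID = 9   # IANA enterprise number for Cisco
CISCO_AVPAIR = 1      # vendor type of cisco-avpair inside the VSA


def hide_password(password, secret, authenticator):
    """RFC 2865 s5.2: pad to 16-byte blocks, XOR each with MD5(secret + prev)."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        mask = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ m for p, m in zip(padded[i:i + 16], mask))
        out, prev = out + block, block
    return out


def reveal_password(hidden, secret, authenticator):
    """Server side of hide_password: same mask chain, keyed on the ciphertext."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        mask = hashlib.md5(secret + prev).digest()
        out += bytes(h ^ m for h, m in zip(hidden[i:i + 16], mask))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def avp(attr_type, value):
    return struct.pack("!BB", attr_type, 2 + len(value)) + value


def cisco_avpair(text):
    """Vendor-Specific (26) wrapping vendor 9 / vendor-type 1 = cisco-avpair."""
    inner = struct.pack("!BB", CISCO_AVPAIR, 2 + len(text)) + text.encode()
    return avp(VENDOR_SPECIFIC, struct.pack("!I", CISCO_VENDOR_ID) + inner)


def build_packet(code, ident, authenticator, attrs):
    body = b"".join(attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + authenticator + body


def parse_packet(data):
    """Return (code, id, authenticator, {attr_type: [value, ...]})."""
    code, ident, length = struct.unpack("!BBH", data[:4])
    attrs, pos = {}, 20
    while pos < length:
        attr_type, attr_len = data[pos], data[pos + 1]
        attrs.setdefault(attr_type, []).append(data[pos + 2:pos + attr_len])
        pos += attr_len
    return code, ident, data[4:20], attrs


def enable_request(ident, secret, enable_password, nas_ip, level=15):
    """What a logged-in user's "enable" looks like on the wire: the User-Name
    is the fixed string $enable<level>$; the user's login name is absent."""
    authenticator = os.urandom(16)
    attrs = [
        avp(USER_NAME, f"$enable{level}$".encode()),
        avp(USER_PASSWORD, hide_password(enable_password, secret, authenticator)),
        avp(NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split("."))),
    ]
    return build_packet(ACCESS_REQUEST, ident, authenticator, attrs)


def accept_with_priv_lvl(request, secret, level=15):
    """Access-Accept carrying shell:priv-lvl=<level>; Response Authenticator is
    MD5(Code + ID + Length + RequestAuthenticator + Attributes + Secret)."""
    _, ident, req_auth, _ = parse_packet(request)
    body = cisco_avpair(f"shell:priv-lvl={level}")
    header = struct.pack("!BBH", ACCESS_ACCEPT, ident, 20 + len(body))
    return header + hashlib.md5(header + req_auth + body + secret).digest() + body


def server_view(request, secret):
    """Everything the RADIUS server can learn from an enable request."""
    _, _, authenticator, attrs = parse_packet(request)
    return {
        "user_name": attrs[USER_NAME][0].decode(),
        "password": reveal_password(attrs[USER_PASSWORD][0], secret, authenticator),
        "nas_ip": ".".join(str(b) for b in attrs[NAS_IP_ADDRESS][0]),
    }


def priv_lvl_from_accept(response):
    """Pull shell:priv-lvl out of the cisco-avpair VSAs of an Access-Accept."""
    _, _, _, attrs = parse_packet(response)
    for vsa in attrs.get(VENDOR_SPECIFIC, []):
        if struct.unpack("!I", vsa[:4])[0] != CISCO_VENDOR_ID:
            continue
        text = vsa[6:4 + vsa[5]].decode()          # vsa[5] = vendor-length
        if text.startswith("shell:priv-lvl="):
            return int(text.split("=", 1)[1])
    return None


if __name__ == "__main__":
    SECRET = b"testing123"                          # constructed shared secret
    for who in ("alice", "bob"):                    # two different login users
        req = enable_request(7, SECRET, b"Enable-Pw!", "192.0.2.1")
        print(who, "typed enable ->", server_view(req, SECRET))
    print("priv-lvl in Accept:", priv_lvl_from_accept(accept_with_priv_lvl(req, SECRET)))
```

Running it shows both "alice" and "bob" decoding to the same user_name '$enable15$': nothing in the request identifies the login user, which is exactly the comparison Claudiu suggests doing in radiusd -X. The Accept side shows where priv-lvl lives (a cisco-avpair VSA), which is the attribute Ivan says cannot be returned to the enable request without also reaching login users.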
Re: Second level authentication.
Hi,

> You want a shell user to get to privilege mode without typing enable
> and knowing the enable password? I am quite certain that Cisco spent
> many years making sure that's impossible. If you find a way to do that
> you can blackmail them for a hell of a lot of money.

err, TACACS+ with priv_lvl 15 - they helped write that protocol

alan