Re: overlapping cisco avpairs (UCS+IOS)
On 06/03/13 11:28, Øystein Gyland wrote:
> On 03/06/2013 03:21 AM, Jimmy Stewpot wrote:
>> Hello,
>> We have always had the Cisco-AVPAIR of "shell:priv-lvl=15" which has been working for some time. With the Cisco UCS platform we need to introduce an additional shell: variable which looks like this "shell:roles=admin".
>
> Your mileage may vary, but as the "Cisco-AvPair=shell:priv-lvl=15" is equivalent to "Service-Type = Administrative-User" this might work:
>
> DEFAULT LDAP-Group == "Network Full Access"
>         Service-Type := Administrative-User
>         Cisco-AVpair += "shell:roles=admin"

Another option is to use a Huntgroup or similar to conditionally return specific attributes, e.g.

raddb/huntgroups:

NXOS    NAS-IP-Address == 192.0.2.1
NXOS    NAS-IP-Address == 192.0.2.2
IOS     NAS-IP-Address == 192.0.2.3

raddb/users:

DEFAULT Huntgroup-Name == NXOS, Ldap-Group == "Network Full Access"
        Cisco-AVPAIR = "shell:roles=admin"

DEFAULT Huntgroup-Name == IOS, Ldap-Group == "Network Full Access"
        Cisco-AVPAIR = "shell:priv-lvl=15"

The "huntgroups" file is read by the "preprocess" module IIRC, so make sure that module is loaded. You can of course use something other than huntgroups - anything that identifies what type of NAS it is (e.g. an SQL lookup, LDAP, etc.)

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: overlapping cisco avpairs (UCS+IOS)
On 03/06/2013 03:21 AM, Jimmy Stewpot wrote:
> Hello,
> We have always had the Cisco-AVPAIR of "shell:priv-lvl=15" which has been working for some time. With the Cisco UCS platform we need to introduce an additional shell: variable which looks like this "shell:roles=admin".

Your mileage may vary, but as the "Cisco-AvPair=shell:priv-lvl=15" is equivalent to "Service-Type = Administrative-User" this might work:

DEFAULT LDAP-Group == "Network Full Access"
        Service-Type := Administrative-User
        Cisco-AVpair += "shell:roles=admin"

This seems to work on Nexus switches (VSA based attributes) and IOS 12.2/12.3 based Catalyst switches. It breaks authorization on IOS 12.1.

-Øystein
Re: overlapping cisco avpairs (UCS+IOS)
If the request is from UCS then reply with the required UCS reply attribute, else send back your old reply attribute. This can be done by either using the client-identifier attribute and unlang, or by using a new virtual-server instance... well, it can actually be done by at least another 3 ways, but they are the 2 methods I'd choose from.

Alan

--
This smartphone uses free WiFi around the world with eduroam, now that's what I call smart.
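As an added illustration of the first option Alan describes (not code from anyone in this thread), the following is a huntgroups file plus an unlang fragment for the authorize section of raddb/sites-enabled/default on FreeRADIUS 2.x that returns exactly one shell: AV pair, chosen by the type of NAS that sent the request. The NXOS/IOS huntgroup names and the 192.0.2.x addresses follow the huntgroups reply in this thread; the UCS huntgroup, its address, and the placement after the ldap module call are assumptions.

```unlang
# raddb/huntgroups (evaluated by the "preprocess" module). NXOS/IOS entries
# and addresses follow the thread; the UCS entry is an assumption made here.
NXOS    NAS-IP-Address == 192.0.2.1
NXOS    NAS-IP-Address == 192.0.2.2
IOS     NAS-IP-Address == 192.0.2.3
UCS     NAS-IP-Address == 192.0.2.4

# raddb/sites-enabled/default, authorize section (excerpt).
# "preprocess" must run before any Huntgroup-Name comparison and "ldap"
# before the LDAP-Group comparison; the stock 2.x file lists preprocess
# first and has ldap commented out, so make sure ldap is enabled here.
authorize {
        preprocess
        # ... chap, mschap, suffix, eap, files as in the stock file ...
        ldap

        if (LDAP-Group == "Network Full Access") {
                # Send a single shell: pair per reply. The devices in this
                # thread act only on the first shell: AV pair they receive,
                # so the reply must never carry two of them at once.
                if (Huntgroup-Name == "UCS" || Huntgroup-Name == "NXOS") {
                        # UCS and Nexus expect a role name
                        update reply {
                                Cisco-AVPair := "shell:roles=admin"
                        }
                }
                elsif (Huntgroup-Name == "IOS") {
                        # classic IOS/Catalyst estate expects a privilege level
                        update reply {
                                Cisco-AVPair := "shell:priv-lvl=15"
                        }
                }
                # A NAS in no huntgroup gets no shell: pair at all. This is
                # stricter than the original DEFAULT entry, which handed
                # priv-lvl=15 to every client; add it to a huntgroup on purpose.
        }

        # ... expiration, logintime, pap as in the stock file ...
}
```

Run radiusd -X and check the "Sending Access-Accept" block in the debug output to confirm that only the intended Cisco-AVPair is present for each NAS.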
overlapping cisco avpairs (UCS+IOS)
Hello,

For some time we have been using freeradius to provide authentication to our networking estate. Recently we introduced the Cisco UCS. The problem that we now have is that it appears we have a conflict in the VSA attributes required to provide the right levels of access to end users.

We have always had the Cisco-AVPAIR of "shell:priv-lvl=15" which has been working for some time. With the Cisco UCS platform we need to introduce an additional shell: variable which looks like this "shell:roles=admin". I have tried to add the variables to our users file with a += but the values are never accepted by the end Cisco device. It seems that only the first-to-be-received is actually activated on the Cisco device. I have been playing around with various formats in the users file without any success.

I am interested to know if anyone else has had such issues and if so what the solution is?

I am currently running with Freeradius v2.1.12 provided as a part of the Redhat EL6 distro. We have our users in an Active Directory tree using the ldap plugin.

Our users file looks like this currently:

DEFAULT LDAP-Group == "Network Full Access"
        Cisco-AVPAIR="shell:priv-lvl=15"

I've tried the following:

DEFAULT LDAP-Group == "Network Full Access"
        Cisco-AVPAIR="shell:priv-lvl=15, roles=admin"

- Fails.. both networking and UCS result in read-only or no access.

DEFAULT LDAP-Group == "Network Full Access"
        Cisco-AVPAIR="shell:priv-lvl=15,roles=admin"

- Fails.. both networking and UCS result in read-only or no access.

DEFAULT LDAP-Group == "Network Full Access"
        Cisco-AVPAIR="shell:priv-lvl=15", Cisco-AVPAIR+="shell:roles=admin"

- Works with the switch/router estate but not with UCS. If I do a debug on the device it always matches the first entry in the returned attributes and discards the second.

If I remove the priv-lvl=15 and only have shell:roles=admin, it works for UCS but the switch and router estate fails.

Any assistance would be greatly appreciated.

Regards,
Jimmy.