Topic: RADIUS: place user in privilege level 7
allan16
Specialist
Member # 29777
posted December 24, 2011 02:10 PM
Hello,
The question says to place a RADIUS user in privilege level 7 upon login. I have the following configured:
RADIUS CLIENT:
aaa new-model
aaa authentication login REMOTE group radius local
aaa authentication enable default group radius enable
aaa authorization exec REMOTE group radius
ip radius source-interface Loopback0
radius-server host 192.168.1.2 auth-port 1645 acct-port 1646
radius-server key CISCO

line vty 0 4
 password cisco
 authorization exec REMOTE
 login authentication REMOTE
ACS server:
I have the client configured with the loopback IP. I have the RADIUS key set to CISCO. I have the authentication method set to RADIUS.
[009\001] cisco-av-pair
The attribute above is set to: shell:priv-lvl=7

[006] Service-Type
The attribute above is set to: ADMINISTRATIVE

TEST: User NOC is the one where these RADIUS attributes are configured.
Rack1R3#telnet 150.1.2.2
Trying 150.1.2.2 ... Open

User Access Verification

Username: noc
Password:
Rack1R2#sh privi
Current privilege level is 15
Posts: 83 | From: Costa Rica | Registered: May 2010
allan16
Specialist
Member # 29777
posted December 24, 2011 03:03 PM
I see the following when debugging authentication and authorization:

Rack1R2(config)#
*Dec 24 23:17:24.891: AAA/BIND(00000032): Bind i/f
*Dec 24 23:17:24.891: AAA/AUTHEN/LOGIN (00000032): Pick method list 'REMOTE'
Rack1R2(config)#
*Dec 24 23:17:26.639: AAA/AUTHOR/EXEC(00000032): processing AV priv-lvl=7
*Dec 24 23:17:26.639: AAA/AUTHOR/EXEC(00000032): processing AV priv-lvl=15
*Dec 24 23:17:26.639: AAA/AUTHOR/EXEC(00000032): processing AV service-type=6
*Dec 24 23:17:26.639: AAA/AUTHOR/EXEC(00000032): Authorization successful

It sees the attribute with privilege level 7, but it's also getting privilege level 15 from somewhere? I don't know from where.
Posts: 83 | From: Costa Rica | Registered: May 2010
allan16
Specialist
Member # 29777
posted December 24, 2011 03:32 PM
After troubleshooting, I got it to work by changing the attribute in the ACS user profile:
[006] Service-Type --> NAS PROMPT
Why did this service type work? The solution for the question does not have this marked down.
Thanks
Posts: 83 | From: Costa Rica | Registered: May 2010
allan16
Specialist
Member # 29777
posted December 24, 2011 03:33 PM
Rack1R3#telnet 150.1.2.2
Trying 150.1.2.2 ... Open

User Access Verification

Username: noc
Password:
Rack1R2#sh privi
Current privilege level is 7
Rack1R2#
Posts: 83 | From: Costa Rica | Registered: May 2010
Kingsley Charles (CCSP, CCNP, CCIP)
Brainiac
Member # 29872
posted December 24, 2011 07:14 PM
Service-Type ADMINISTRATIVE gives priv 15. When using Cisco AVs, you don't need to use the IETF service type.
With regards Kings
Posts: 887 | From: India | Registered: Jun 2010
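The Access-Accept attributes this thread is about, as an added Python example (not code from the forum, from Cisco IOS or from ACS): it encodes [006] Service-Type and the [009\001] cisco-av-pair Vendor-Specific attribute in RFC 2865 wire format, decodes them back, and derives the privilege level using the ordering the debug output in the thread shows (av-pair priv-lvl first, then the priv-lvl=15 implied by Service-Type Administrative, last one wins). That ordering and all function names are assumptions made for the example.

```python
import struct

# RFC 2865 attribute types and the Service-Type values discussed in the thread
ATTR_SERVICE_TYPE = 6
ATTR_VENDOR_SPECIFIC = 26
VENDOR_CISCO = 9          # IANA enterprise number for Cisco
CISCO_AVPAIR = 1          # vendor type of cisco-av-pair, i.e. [009\001]
SERVICE_TYPES = {1: "Login", 6: "Administrative", 7: "NAS-Prompt"}

def service_type(value):
    """Encode [006] Service-Type: type(1) length(1) value(4)."""
    return struct.pack("!BBI", ATTR_SERVICE_TYPE, 6, value)

def cisco_avpair(text):
    """Encode [009\\001] cisco-av-pair as a Vendor-Specific attribute:
    type 26, length, vendor-id(4), then vendor-type(1) vendor-length(1) string."""
    data = text.encode()
    vsa = struct.pack("!BB", CISCO_AVPAIR, 2 + len(data)) + data
    return struct.pack("!BBI", ATTR_VENDOR_SPECIFIC, 6 + len(vsa), VENDOR_CISCO) + vsa

def parse_attributes(payload):
    """Walk an Access-Accept attribute list; return (service_type, [av-pair strings]).
    Malformed lengths raise instead of being silently skipped."""
    stype, avpairs, pos = None, [], 0
    while pos + 2 <= len(payload):
        atype, alen = payload[pos], payload[pos + 1]
        if alen < 2 or pos + alen > len(payload):
            raise ValueError("malformed attribute at offset %d" % pos)
        value = payload[pos + 2:pos + alen]
        if atype == ATTR_SERVICE_TYPE:
            stype = struct.unpack("!I", value)[0]
        elif atype == ATTR_VENDOR_SPECIFIC and struct.unpack("!I", value[:4])[0] == VENDOR_CISCO:
            vtype, vlen = value[4], value[5]
            if vtype == CISCO_AVPAIR:
                avpairs.append(value[6:4 + vlen].decode())
        pos += alen
    return stype, avpairs

def effective_priv_level(payload):
    """Assumed model of the ordering in the thread's debug: shell:priv-lvl AVs are processed
    first, then the priv-lvl=15 that Service-Type Administrative implies; the last one wins.
    Returns None when no priv-lvl AV is present at all."""
    stype, avpairs = parse_attributes(payload)
    levels = [int(av.split("=", 1)[1]) for av in avpairs if av.startswith("shell:priv-lvl=")]
    if SERVICE_TYPES.get(stype) == "Administrative":
        levels.append(15)
    return levels[-1] if levels else None

if __name__ == "__main__":
    # constructed profiles: the original (Administrative) and the fixed one (NAS-Prompt)
    for st in (6, 7):
        print(SERVICE_TYPES[st], "->", effective_priv_level(service_type(st) + cisco_avpair("shell:priv-lvl=7")))
```

Run against a captured Access-Accept payload this makes the conflict in the first post visible before the user ever logs in: priv-lvl=7 from the av-pair is overridden by the 15 that Administrative adds.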
allan16
Specialist
Member # 29777
posted December 26, 2011 06:27 PM
quote: Originally posted by Kingsley Charles (CCSP, CCNP, CCIP): Service-Type ADMINISTRATIVE gives priv 15. When using Cisco AVs, you don't need to use the IETF service type.
With regards Kings

Ok, so you are saying that in order for the NOC user to be able to get privilege 7 access I don't need to have the "IETF RADIUS Attributes", more specifically "[006] Service-Type"?
If I uncheck/disable this option and leave only what's below it enabled for the NOC user, it does NOT work:
[009\001] cisco-av-pair --> shell:priv-lvl=7
See the test:
Rack1R3#telnet 150.1.2.2
Trying 150.1.2.2 ... Open

User Access Verification

Username: noc
Password:
% Authorization failed.

[Connection to 150.1.2.2 closed by foreign host]
Rack1R3#
---------------------
Now if I enable the "IETF RADIUS Attributes" like I had it before:
[006] Service-Type --> NAS PROMPT
It does work --> see below:
Rack1R3#telnet 150.1.2.2
Trying 150.1.2.2 ... Open

User Access Verification

Username: noc
Password:
Rack1R2#sh privi
Current privilege level is 7
Rack1R2#
------------
Thanks
Posts: 83 | From: Costa Rica | Registered: May 2010
Kingsley Charles (CCSP, CCNP, CCIP)
Brainiac
Member # 29872
posted December 26, 2011 07:05 PM
Have you enabled aaa authorization exec?
With regards Kings
Posts: 887 | From: India | Registered: Jun 2010
allan16
Specialist
Member # 29777
posted December 26, 2011 07:07 PM
I have:
Rack1R2(config)#do sh run | inc aaa
aaa new-model
aaa authentication login default group radius local
aaa authentication login CONSOLE none
aaa authentication enable default group radius enable
aaa authorization console
aaa authorization exec default group radius local
aaa authorization exec CONSOLE none
aaa session-id common
Rack1R2(config)#
Posts: 83 | From: Costa Rica | Registered: May 2010