topic Re: ACE Radius Authentication in Application Networking

ACE Radius Authentication

jrbeining — Sun, 25 Jan 2009 21:22:08 GMT

I have radius authentication configured on my ACEs. I can login just fine but I am assinged to the Network-Monitor Role. Where can I configure the role that radius users are assigned to? Is there a return list attribute?

-Joshua

Re: ACE Radius Authentication

Collin Clark — Mon, 26 Jan 2009 14:38:23 GMT

I did it via the CLI.

ACE-Top/Admin(config)# username dude password whooa role ?

Admin

Network-Admin

Network-Monitor

Security-Admin

Server-Appln-Maintenance

Server-Maintenance

SLB-Admin

SSL-Admin

Hope that helps.

Re: ACE Radius Authentication

ciscocsoc — Mon, 26 Jan 2009 16:21:13 GMT

Hi,

See the ACE Security Guide - Chapter 2. You need to set a CiscoAVPair. How you do this will depend on the RADIUS software that you are using. You're being put into Network-Monitor by default. Quote from the manual:

"The user profile attribute serves an important configuration function for a RADIUS server group. If the user profile attribute is not obtained from the server during authentication, or if the profile is obtained from the server but the context name(s) in the profile do not match the context in which the user is trying to log in, a default role (Network-Monitor) and a default domain (default-domain) are assigned to the user if the authentication is successful."

HTH

Cathy

Re: ACE Radius Authentication

jrbeining — Mon, 26 Jan 2009 16:48:42 GMT

Setting a return list attribute of 'shell:Admin=Admin default-domain' resolved the issue. Thanks.

Re: ACE Radius Authentication

Collin Clark — Mon, 26 Jan 2009 21:42:51 GMT

Arrr! Totally forgot about that. Good one Cathy.

Re: ACE Radius Authentication

jteixido — Thu, 29 Jan 2009 16:48:02 GMT

Where is the command entered?

Re: ACE Radius Authentication

ciscocsoc — Thu, 29 Jan 2009 16:54:52 GMT

On the RADIUS server itself. How this is done will depend on the RADIUS application. ACS is different to FreeRADIUS is different to Radiator. You'll need to check the documentation for your RADIUS server to see how it handles AV-Pairs.

HTH

Cathy

Re: ACE Radius Authentication

glenn.ong — Tue, 17 Feb 2009 08:09:49 GMT

Great topic..i found this very helpful.

Just to add on a bit. Depends on your RADIUS implementation, taking freeradius for example, if you use multiple cisco-avpair statement you may want to use * instead of = in your attribute statement to make it optional (similar to the 'optional' keyword you may use for TACACS+ authentication for ACE). Without it, authorisation with other IOS devices may break.

Re: ACE Radius Authentication

jteixido — Mon, 05 Apr 2010 20:25:14 GMT

I'm having the same problem using Free-Radius, where exactly on Free-Radius do we have to enter the return list attribute?

John...

Re: ACE Radius Authentication

jteixido — Tue, 06 Apr 2010 20:53:31 GMT

Team,

After some tinkering, I was able to authenticate to the ACE module with full admin privileges via radius using free-radius. I used the following steps to get this working:

On the linux CLI I entered the following command to modify the users file of free-radius "gedit /etc/raddb/users"

I then added the following to the users file:

admin Auth-Type := Local, User-Password == "password"

Service-Type = NAS-Prompt-User,

cisco-avpair = "shell:Admin=Admin default-domain

I saved the file.

I then stopped and started the radiusd service.

/sbin/service radiusd stop

/sbin/service radiusd start

Regards,

John...