topic Can you show us the AAA in Network Access Control

OpenLDAP / FreeRadius and authentication/authorization

ppalmerjr — Mon, 11 Mar 2019 06:37:56 GMT

I have a what I consider to be an issue. I'm running OpenLDAP integrated with FreeRadius and I have a NetworkAdmins group configured. This group, I want to have full priv15 and the users should drop into enable mode upon their initial successful log in. I've added the below to the /etc/raddb/users file but for some reason it still asks for an enable password.

Service-Type = NAS-Prompt-User,
        cisco-avpair :="shell:priv-lvl=15"

I have it working to where the user can authenticate into enable/exec mode but that only works when I create a user "$enab15$" and a password. It appears when you type enable in the cisco it sends another authentication request to FreeRadius with that name.

My goal is to have two LDAP groups

1. NetworkAdmins - privilege level 15

2. NetworkOperators - privilege level 1

There has to be a way to do this.

Any suggestions?

Can you show us the AAA

Javier Henderson — Fri, 01 Apr 2016 11:42:10 GMT

Can you show us the AAA configuration on your router? I suspect you're missing exec authorization.

Javier Henderson

Cisco Systems

I do have that command...and

ppalmerjr — Fri, 01 Apr 2016 15:06:18 GMT

I do have that command...and I figured out what the issue was. Here it is....

I had to do the following in the /etc/raddb/users file

DEFAULT LDAP-Group := NetworkAdmins <----this is your LDAP group to be allowed

Server-Type = NAS-Prompt-Users,

cisco-avpair = "shell:priv-lvl=15"

From here I'm going to add another LDAP group with level 1 and see if I can get that to work.

Thanks for your response!