topic exec authorization with radius.. in Network Access Control

exec authorization with radius..

diptanshusingh — Sun, 10 Mar 2019 22:22:25 GMT

Hi guys, i was configuring auth-proxy . i had a

m/c---(inside)router(outside)---internet

now i want that a normal user is not able to get the telnet access of my router, only certain users can have the telnet access fromt the inside. i dont want to use NAR. i want to do this only with radius authorization.

i was looking for controlling the access of the users to the router with the help of radius,

aaa authorization exec default group tacacs+

when i use the above command i knw that i can control the shell access by checking shell box,but when i use the below command

aaa authorization exec default group radius

i was not able to find any particular radius av-pair which can control the exec shell access in respect to the above one.

Re: exec authorization with radius..

rochopra — Wed, 05 Sep 2007 07:38:23 GMT

Following is the av-pair for privilege level 15

shell:priv-lvl=15

In Addition also select attribute 6

Service-type = login

~Rohit

Re: exec authorization with radius..

diptanshusingh — Wed, 05 Sep 2007 07:57:20 GMT

Hi rohit, i am looking to deny a specific user from getting the exec shell of my router with radius authorization.. the above attributes will assign a user a priv level 15...

Re: exec authorization with radius..

rochopra — Fri, 07 Sep 2007 01:00:53 GMT

So do not assign any privilege level to the user , or assign privilege level 0.

~Rohit

Re: exec authorization with radius..

Premdeep Banga — Sat, 08 Sep 2007 15:54:38 GMT

Hi,

Make use of this,

shell:priv-lvl=15

shell:autocmd=exit

So what will happen with this is, as soon as user tries to log into shell, BOOM!, user will exit out.

NOTE: I have not tried this exactly, but should work, you might be required to use separator, ";" i.e.,

shell:priv-lvl=15;

shell:autocmd=exit

Regards,

Prem