05-27-2004 06:26 AM - edited 03-10-2019 07:50 AM
Has anyone been able to get 'aaa authorization commands 15 default group radius local' working with RSA's RADIUS functionality in ACE5.1?
Here is our config:
aaa authentication login default local-case
aaa authentication enable default enable
aaa authentication login RemoteAdmin group radius local-case
aaa authorization exec RemoteAdmin group radius local
aaa authorization network RemoteAdmin group radius local
aaa authorization commands 15 default group radius local
aaa accounting exec default start-stop group radius
aaa accounting connection default start-stop group radius
aaa accounting network RemoteAdmin stop-only group radius
aaa accounting exec RemoteAdmin stop-only group radius
aaa accounting connection RemoteAdmin stop-only group radius
The user authenticates fine and is dumped into Exec with privilege of 15, however trying to run any command fails, output below:
#sho running-config
Command authorization failed.
#sho privilege
Current privilege level is 15
Here is a debug of authorization during this process, I see that when the user is being defined it has a service of NONE, not sure if that is related.
.May 27 09:25:54 EDT: AAA/BIND(00000056): Bind i/f
.May 27 09:26:03 EDT: AAA/AUTHOR/EXEC(00000056): processing AV reply-message=PASSCODE Accepted --Mor
.May 27 09:26:03 EDT: AAA/AUTHOR/EXEC(00000056): processing AV priv-lvl=15
.May 27 09:26:03 EDT: AAA/AUTHOR/EXEC(00000056): processing AV priv-lvl=15
.May 27 09:26:03 EDT: AAA/AUTHOR/EXEC(00000056): Authorization successful
.May 27 09:26:06 EDT: AAA: parse name=tty98 idb type=-1 tty=-1
.May 27 09:26:06 EDT: AAA: name=tty98 flags=0x11 type=5 shelf=0 slot=0 adapter=0 port=98 channel=0
.May 27 09:26:06 EDT: AAA/MEMORY: create_user (0x63C6D6F8) user='cbuzzard' ruser='dr04-pkx' ds0=0 port='tty98' rem_addr='10.28.4.50' authen_type=ASCII service=NONE priv=15 initial_task_id='0', vrf= (id=0)
.May 27 09:26:06 EDT: tty98 AAA/AUTHOR/CMD(4163804388): Port='tty98' list='' service=CMD
.May 27 09:26:06 EDT: AAA/AUTHOR/CMD: tty98(4163804388) user='cbuzzard'
.May 27 09:26:06 EDT: tty98 AAA/AUTHOR/CMD(4163804388): send AV service=shell
.May 27 09:26:06 EDT: tty98 AAA/AUTHOR/CMD(4163804388): send AV cmd=show
.May 27 09:26:06 EDT: tty98 AAA/AUTHOR/CMD(4163804388): send AV cmd-arg=running-config
.May 27 09:26:06 EDT: tty98 AAA/AUTHOR/CMD(4163804388): send AV cmd-arg=<cr>
.May 27 09:26:06 EDT: tty98 AAA/AUTHOR/CMD(4163804388): found list "default"
.May 27 09:26:06 EDT: tty98 AAA/AUTHOR/CMD(4163804388): Method=radius (radius)
.May 27 09:26:06 EDT: AAA/AUTHOR (4163804388): Post authorization status = FAIL
.May 27 09:26:06 EDT: AAA/MEMORY: free_user (0x63C6D6F8) user='cbuzzard' ruser='router' port='tty98' rem_addr='x.x.x.x' authen_type=ASCII service=NONE priv=15 vrf= (id=0)
On the ACE RADIUS server we have these defined in the user profile:
Service-Type - Administrative-User
Vendor-Specific - "shell:priv-lvl=15"
I have opened a case with RSA as well, but thought I'd see if anyone here had been successful.
Thanks!!!
chad
05-27-2004 08:26 PM
Radius doesn't support command authorization, only TACACS. This will never work, it is a limitation with the Radius protocol, nothing to do with RSA or the router.
Basically Radius combines Authentication and Authorization right at the start. When you initially authenticate via Radius, the Radius server can, at that time, send some back some authorization parameters like the privilege level, etc. But, there is nothing in the protocol that defines how it will, at some later stage after authentication, send the command to be authorized. Only TACACS does this, Radius does not.
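Added example, not part of either post above. It shows concretely what the reply describes: everything RADIUS can say about a user's rights travels in the single Access-Accept at login (here the two attributes the poster configured on the ACE server, Service-Type = Administrative-User and the Cisco VSA cisco-avpair "shell:priv-lvl=15"), and the only later per-command exchange a router can do is TACACS+. The packet layout follows RFC 2865 (Vendor-Specific is attribute 26, Cisco's vendor id is 9, cisco-avpair is vendor type 1). The shared secret and Request Authenticator are constructed values. A small lint at the end flags `aaa authorization commands ... group radius` lines, the line from the poster's config that the reply says can never succeed.

```python
"""RADIUS Access-Accept with Service-Type + Cisco shell:priv-lvl VSA (RFC 2865),
plus a lint for per-command authorization pointed at RADIUS.
Added example; secret and authenticator are constructed, not real values."""
import hashlib
import struct

ACCESS_ACCEPT = 2
ATTR_SERVICE_TYPE = 6
ATTR_VENDOR_SPECIFIC = 26
SERVICE_TYPE_ADMINISTRATIVE_USER = 6
CISCO_VENDOR_ID = 9
CISCO_AVPAIR = 1  # vendor type of cisco-avpair inside the VSA


def attr(atype, value):
    """One RADIUS attribute: Type(1) Length(1) Value."""
    return struct.pack("!BB", atype, 2 + len(value)) + value


def cisco_vsa(avpair):
    """Attribute 26 carrying Vendor-Id 9 and one cisco-avpair sub-attribute."""
    data = avpair.encode()
    sub = struct.pack("!BB", CISCO_AVPAIR, 2 + len(data)) + data
    return attr(ATTR_VENDOR_SPECIFIC, struct.pack("!I", CISCO_VENDOR_ID) + sub)


def build_access_accept(identifier, request_authenticator, secret, attrs):
    """Code, Identifier, Length, Response Authenticator, attributes.
    Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attributes+Secret)."""
    body = b"".join(attrs)
    header = struct.pack("!BBH", ACCESS_ACCEPT, identifier, 20 + len(body))
    resp_auth = hashlib.md5(header + request_authenticator + body + secret).digest()
    return header + resp_auth + body


def verify_response_authenticator(packet, request_authenticator, secret):
    """A NAS should drop an Access-Accept whose authenticator does not check out."""
    header, resp_auth, body = packet[:4], packet[4:20], packet[20:]
    return hashlib.md5(header + request_authenticator + body + secret).digest() == resp_auth


def parse_attrs(packet):
    """Walk the attribute list; return Service-Type and any cisco-avpair strings."""
    out = {"service_type": None, "cisco_avpairs": []}
    pos = 20
    while pos + 2 <= len(packet):
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2:  # malformed length would loop forever; stop instead
            break
        value = packet[pos + 2:pos + alen]
        if atype == ATTR_SERVICE_TYPE:
            out["service_type"] = struct.unpack("!I", value)[0]
        elif atype == ATTR_VENDOR_SPECIFIC and struct.unpack("!I", value[:4])[0] == CISCO_VENDOR_ID:
            sub, spos = value[4:], 0
            while spos + 2 <= len(sub):
                stype, slen = sub[spos], sub[spos + 1]
                if slen < 2:
                    break
                if stype == CISCO_AVPAIR:
                    out["cisco_avpairs"].append(sub[spos + 2:spos + slen].decode())
                spos += slen
        pos += alen
    return out


def priv_lvl(parsed):
    """Privilege level the router applies at exec start (shell:priv-lvl=N)."""
    for av in parsed["cisco_avpairs"]:
        if av.startswith("shell:priv-lvl="):
            return int(av.split("=", 1)[1])
    return None


def lint_aaa_config(lines):
    """Flag 'aaa authorization commands <lvl> <list> group radius ...' lines:
    RADIUS has no per-command authorization exchange, so these always fail."""
    findings = []
    for line in lines:
        parts = line.split()
        if parts[:3] == ["aaa", "authorization", "commands"] and "radius" in parts:
            findings.append(line.strip())
    return findings


# Constructed sample: the two attributes from the poster's ACE user profile.
SECRET = b"example-shared-secret"          # constructed
REQUEST_AUTH = bytes(range(16))            # constructed Request Authenticator
SAMPLE_ACCEPT = build_access_accept(
    identifier=0x56, request_authenticator=REQUEST_AUTH, secret=SECRET,
    attrs=[attr(ATTR_SERVICE_TYPE, struct.pack("!I", SERVICE_TYPE_ADMINISTRATIVE_USER)),
           cisco_vsa("shell:priv-lvl=15")])

if __name__ == "__main__":
    parsed = parse_attrs(SAMPLE_ACCEPT)
    print(parsed, "priv-lvl:", priv_lvl(parsed))
    print("authenticator ok:", verify_response_authenticator(SAMPLE_ACCEPT, REQUEST_AUTH, SECRET))
    print("lint:", lint_aaa_config(["aaa authorization exec RemoteAdmin group radius local",
                                    "aaa authorization commands 15 default group radius local"]))
```

Run against the poster's config, the lint reports only the `aaa authorization commands 15 default` line; the `exec` and `network` lines are fine because their answers fit in the Access-Accept. The trailing `local` in that line does not rescue it either: an IOS method list only falls through to the next method when the server returns an error (unreachable), not when the method returns FAIL, which is exactly what the `Post authorization status = FAIL` debug line shows.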