02-08-2013 08:19 AM - edited 03-10-2019 08:04 PM
Using freeradius2-2.1.12. I need to set up read-write access for both Cisco NX-OS and IOS devices. I did the following:
DEFAULT Group == operator-rw, Auth-Type = System
        Service-Type = NAS-Prompt-User,
        cisco-avpair := "shell:roles*\"network-admin vdc-admin priv-lvl=15\""
I can log into both NX-OS and IOS devices; however, IOS devices only permit exec mode, not privileged exec (enable) mode.
Is there a different syntax that can make this work for both NX-OS and IOS?
Norman
02-08-2013 08:58 PM
As you have noticed, IOS and NX-OS are a little bit different. With NX-OS there isn't a "disabled" mode, just network roles. For IOS you can try pushing, for example, "cisco-avpair =shell:priv-lvl=7" and then define a local priv level 7 on the network device with the needed commands.
Thank you for rating!
02-10-2013 07:25 PM
I did a debug and found out that IOS won't accept an avpair that includes the "role"... I got around this by adding a new cisco-avpair with += and aaa authorization exec default group radius if-authenticated
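
The av-pair syntax discussed in this thread, as an added example that is not part of any post: a small Python check that parses cisco-avpair values (protocol:attribute, then `=` for mandatory or `*` for optional) and flags an attribute buried inside another attribute's quoted value, as `priv-lvl=15` is in the original entry. The function names and the two-pair `SPLIT_REPLY` are assumptions; the thread does not show the final entry.

```python
import re

# Cisco AV pair syntax: protocol:attribute<sep>value
# "=" marks the attribute mandatory, "*" marks it optional.
AVPAIR_RE = re.compile(
    r'^(?P<proto>[\w-]+):(?P<attr>[\w-]+)(?P<sep>[=*])(?P<value>.*)$', re.S)

# Value from the original question, as sent on the wire (users-file escaping removed).
ORIGINAL_REPLY = ['shell:roles*"network-admin vdc-admin priv-lvl=15"']

# Assumed two-pair form (constructed for this example, not shown in the thread).
SPLIT_REPLY = ['shell:roles*"network-admin vdc-admin"', 'shell:priv-lvl=15']


def parse_avpair(raw):
    """Split one cisco-avpair string into protocol, attribute, flag and value."""
    m = AVPAIR_RE.match(raw.strip())
    if not m:
        raise ValueError(f"not a protocol:attribute=value pair: {raw!r}")
    value = m["value"]
    if len(value) >= 2 and value[0] == value[-1] == '"':
        value = value[1:-1]  # drop the surrounding quotes
    return {"proto": m["proto"], "attr": m["attr"],
            "mandatory": m["sep"] == "=", "value": value}


def lint(avpairs):
    """Return (parsed pairs, findings) for the cisco-avpair values of one reply."""
    parsed = [parse_avpair(p) for p in avpairs]
    findings = []
    for p in parsed:
        # An attribute written inside another value is not a pair of its own.
        for inner in re.findall(r'\b([\w-]+)[=*]\S+', p["value"]):
            findings.append(f"{inner} is embedded in the value of {p['attr']}; "
                            "send it as a separate cisco-avpair")
    if not any(p["attr"] == "priv-lvl" for p in parsed):
        findings.append("no standalone shell:priv-lvl pair in this reply")
    return parsed, findings


if __name__ == "__main__":
    for name, reply in (("original", ORIGINAL_REPLY), ("split", SPLIT_REPLY)):
        parsed, findings = lint(reply)
        print(name, [(p["attr"], p["mandatory"]) for p in parsed])
        for f in findings or ["ok"]:
            print("  ", f)
```
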
02-10-2013 07:35 PM
So what privilege level do you get with this? Doesn't this just put you in a priv level 15?