
Cisco-avpair for both NX-OS and IOS

normanzhang
Level 1

Using freeradius2-2.1.12. I need to set up read-write access for both Cisco NX-OS and IOS devices. I did the following:

DEFAULT Group == operator-rw, Auth-Type = System
         Service-Type = NAS-Prompt-User,
         cisco-avpair := "shell:roles*\"network-admin vdc-admin priv-lvl=15\""

I can log into both NX-OS and IOS devices; however, IOS devices only permit exec mode, not the privileged exec (enable) mode.

Is there a different syntax that can make this work for both NX-OS and IOS?

Norman

3 Replies

nspasov
Cisco Employee

As you have noticed, IOS and NX-OS are a little bit different. With NX-OS there isn't a "disabled" mode but just network roles. For IOS you can try pushing, for example, "cisco-avpair =shell:priv-lvl=7" and then define a local priv level 7 on the network device with the needed commands.

Thank you for rating!


I did a debug and found out that IOS won't accept avpair that includes the "role"... I got around this by adding a new cisco-avpair with += and aaa authorization exec default group radius if-authenticated

So what privilege level do you get with this? Doesn't this just put you in a priv level 15?
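
The workaround from the replies, written out as a FreeRADIUS `users` entry (an added example, not a configuration posted by anyone in the thread): the role list and the privilege level go in separate `cisco-avpair` attributes, and the IOS device also needs the `aaa authorization exec default group radius if-authenticated` line quoted above. The group name, roles and `priv-lvl=15` come from the original post; splitting them exactly this way is an assumption about what the reply did.

```text
# Constructed example for the FreeRADIUS users file.
#
# Before (from the original post): priv-lvl=15 sits inside the quoted role
# list, so it is sent as part of the roles value and never as its own
# shell attribute.
#
#   cisco-avpair := "shell:roles*\"network-admin vdc-admin priv-lvl=15\""
#
# After: one AV pair per attribute.
#   - shell:roles*...   role list for NX-OS; the "*" separator marks the
#                       attribute as optional rather than mandatory ("=").
#   - shell:priv-lvl=15 exec privilege level for IOS, appended with +=
#                       so it does not overwrite the first AV pair.
DEFAULT Group == operator-rw, Auth-Type = System
         Service-Type = NAS-Prompt-User,
         cisco-avpair := "shell:roles*\"network-admin vdc-admin\"",
         cisco-avpair += "shell:priv-lvl=15"
```

With this entry every member of `operator-rw` is handed privilege level 15 on IOS, so the group membership is the real access control. Running `show privilege` after login on an IOS device confirms the level that was actually granted.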