12-28-2013 06:18 AM - edited 03-10-2019 09:13 PM
Hi,
I'm deploying auth-proxy services on my ISR 1861. I'm using the Cloudessa public RADIUS service.
It works fine. I have only one problem. It seems that in group policies I can define only one Cisco-AVPair string attribute.
I'll try to explain better... I can choose all the RFC and vendor well-known attributes... I can select multiple attribute types (Session-Timeout, Service-Type, and so on...) and I can insert the desired value for each of these attributes... the attributes are correctly sent to the router (debug radius). If I insert the Cisco-AVPair attribute I can insert a string with one attribute on a single line... for example auth-proxy:priv-lvl=15 (mandatory)... but I can't add another Cisco-AVPair attribute string to add the ACL...
for example
auth-proxy:proxyacl#1=deny ip any 62.149.128.40
auth-proxy:proxyacl#2=permit ip any any
So the question is...
Is there a way to insert, in a single Cisco-AVPair attribute string, for example:
auth-proxy:priv-lvl=15
auth-proxy:proxyacl#1=deny ip any 62.149.128.40
auth-proxy:proxyacl#2=permit ip any any
in order to instruct the router to use it?
I've tried using <R> or \r... comma and space, with and without double quotes:
auth-proxy:priv-lvl=15<R>auth-proxy:proxyacl#1=deny ip any 62.149.128.40
"auth-proxy:priv-lvl=15" <R>a "uth-proxy:proxyacl#1=deny ip any 62.149.128.40"
auth-proxy:priv-lvl=15,auth-proxy:proxyacl#1=deny ip any 62.149.128.40
"auth-proxy:priv-lvl=15";auth-proxy:proxyacl#1=deny ip any 62.149.128.40"
... and so on
but nothing seems to work.
I've opened a ticket with Cloudessa and I'm awaiting a response...
Can someone help me?
Is it possible to define multiple attributes in one string?
Thank you very much
12-30-2013 10:25 PM
Hi,
It looks as if the RADIUS dictionary for the cisco-av-pair should support multiple attributes; there is even an example of how to achieve this in the guide (a little dated, ACS 4.0).
In most of my designs for auth-proxy I have had to enter each cisco-av-pair with each proxyacl#1... statement, so it seems to me that there may be a bug in your RADIUS solution not allowing as many cisco-av-pairs in your authorization profile.
Thanks,
Tarik Admani
*Please rate helpful posts*
11-18-2014 04:52 PM
The reply attribute should use the += operator for additional AV pairs (FreeRADIUS users file; each Cisco-AVPair = / += line becomes its own attribute instance in the Access-Accept):

admin   Cleartext-Password := "1234QWer"
        Service-Type = Administrative-User,
        Cisco-AVPair = "shell:roles=network-admin",
        Cisco-AVPair += "shell:priv-lvl=15"

ops     Cleartext-Password := "1234QWer"
        Service-Type = NAS-Prompt-User,
        Cisco-AVPair = "shell:roles=network-operator",
        Cisco-AVPair += "shell:priv-lvl=1"

tom     Auth-Type := System
        Service-Type = Administrative-User,
        Cisco-AVPair = "shell:roles=network-admin",
        Cisco-AVPair += "shell:priv-lvl=15"
From http://www.layerzero.nl/blog/2013/05/using-freeradius-with-cisco-devices/
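The point the replies above make (one Cisco-AVPair value per attribute instance, which is what FreeRADIUS's += produces, rather than several pairs concatenated into one string) can be seen on the wire. The following is an added example, not code from any poster in this thread nor from Cloudessa, FreeRADIUS or Cisco: a small pure-Python encoder and decoder for a RADIUS Access-Accept carrying Cisco-AVPair vendor-specific attributes (RFC 2865 attribute 26, vendor ID 9, vendor type 1), with the Response Authenticator computed as the router would verify it. The shared secret, the all-zero Request Authenticator and the packet identifier are assumptions for the demo, and the proxyacl entries use the IOS `host` keyword for a single-address destination.

```python
import hashlib
import hmac
import struct

ATTR_VENDOR_SPECIFIC = 26   # RFC 2865 Vendor-Specific attribute type
CISCO_VENDOR_ID = 9         # IANA enterprise number for Cisco
CISCO_AVPAIR = 1            # Cisco vendor sub-type for Cisco-AVPair
CODE_ACCESS_ACCEPT = 2

# Constructed sample values for the demo (one AV pair per element), not from the thread's RADIUS server.
AUTH_PROXY_PAIRS = [
    "auth-proxy:priv-lvl=15",
    "auth-proxy:proxyacl#1=deny ip any host 62.149.128.40",
    "auth-proxy:proxyacl#2=permit ip any any",
]


def encode_cisco_avpair(value: str) -> bytes:
    """One Vendor-Specific attribute carrying exactly one Cisco-AVPair string."""
    data = value.encode()
    # 255 (max attr length) - 2 (attr header) - 4 (vendor id) - 2 (sub-attr header)
    if len(data) > 247:
        raise ValueError("Cisco-AVPair value too long for a single VSA")
    sub = struct.pack("!BB", CISCO_AVPAIR, len(data) + 2) + data
    return struct.pack("!BBI", ATTR_VENDOR_SPECIFIC, len(sub) + 6, CISCO_VENDOR_ID) + sub


def build_access_accept(ident: int, request_authenticator: bytes, secret: bytes, avpairs) -> bytes:
    """Access-Accept with one VSA per AV pair; Response Authenticator per RFC 2865 section 3."""
    attrs = b"".join(encode_cisco_avpair(v) for v in avpairs)
    header = struct.pack("!BBH", CODE_ACCESS_ACCEPT, ident, 20 + len(attrs))
    resp_auth = hashlib.md5(header + request_authenticator + attrs + secret).digest()
    return header + resp_auth + attrs


def verify_response_authenticator(packet: bytes, request_authenticator: bytes, secret: bytes) -> bool:
    """What the NAS checks before trusting any attribute in the reply."""
    expected = hashlib.md5(packet[:4] + request_authenticator + packet[20:] + secret).digest()
    return hmac.compare_digest(expected, packet[4:20])


def decode_cisco_avpairs(packet: bytes) -> list:
    """Walk the attribute list as a NAS does and return every Cisco-AVPair value, in order."""
    pairs, pos = [], 20
    while pos + 2 <= len(packet):
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > len(packet):
            raise ValueError("malformed attribute")
        body = packet[pos + 2:pos + alen]
        if atype == ATTR_VENDOR_SPECIFIC and len(body) >= 6:
            vendor = struct.unpack("!I", body[:4])[0]
            sub = body[4:]
            while len(sub) >= 2:              # one VSA may carry several sub-attributes
                stype, slen = sub[0], sub[1]
                if slen < 2 or slen > len(sub):
                    raise ValueError("malformed vendor sub-attribute")
                if vendor == CISCO_VENDOR_ID and stype == CISCO_AVPAIR:
                    pairs.append(sub[2:slen].decode())
                sub = sub[slen:]
        pos += alen
    return pairs


def parse_auth_proxy_pair(value: str):
    """Split one 'auth-proxy:<name>=<value>' string; None if it is not of that form."""
    proto, sep, rest = value.partition(":")
    if sep != ":" or proto != "auth-proxy" or "=" not in rest:
        return None
    name, _, val = rest.partition("=")
    return name, val


if __name__ == "__main__":
    secret, req_auth = b"secret", bytes(16)          # assumed demo values
    good = build_access_accept(7, req_auth, secret, AUTH_PROXY_PAIRS)
    print("verified:", verify_response_authenticator(good, req_auth, secret))
    for p in decode_cisco_avpairs(good):
        print("VSA ->", parse_auth_proxy_pair(p))
    # The single-string workaround from the original post: one VSA, one AV pair whose
    # value swallows everything after the first '='.
    bad = build_access_accept(8, req_auth, secret, [",".join(AUTH_PROXY_PAIRS)])
    print("concatenated ->", parse_auth_proxy_pair(decode_cisco_avpairs(bad)[0]))
```

Running it shows three separate Cisco-AVPair instances for the correct reply and a single pair named priv-lvl whose value is "15,auth-proxy:proxyacl#1=..." for the concatenated attempt, which is why no delimiter tried in the original post can work: the RADIUS server has to emit one attribute instance per AV pair.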
12-30-2013 11:29 PM
Hi,
Thank you ...
You are right... it's for sure a RADIUS limitation. I've already written to Cloudessa support... I wrote to the Cisco Support Forum too, hoping for a workaround or a way to insert multiple AV rows in a single entry.
If multiple AV pairs in a single string entry don't work and Cloudessa doesn't fix it, I'm stuck...
Cloudessa is the only free RADIUS-as-a-service I found on the Internet...
thank you again.
12-30-2013 11:39 PM
If you have a TACACS solution you can move this integration over to there. However, you will need to double-check all attributes and profiles to make sure the same user isn't gaining full access to any other device if TACACS is used as your centralized administration authority.
Thanks,
Tarik Admani
*Please rate helpful posts*
02-09-2016 04:58 AM
Hi,
Did you manage to send multiple AV pairs from Cloudessa to Cisco equipment?
I am facing the same issue with proxy acl.
Regards,
Branimir Turk