03-17-2005 11:59 AM - edited 03-10-2019 02:03 PM
Hello,
I can't seem to find the commands to do what I need. I have a 6509 running 7.5.1 Cat OS. I want the Radius server to authenticate and authorize privilege based on the user database in Radius. Could someone point me to the set commands to do this?
The way it is now, no matter what attributes are given to the user in the Radius db, they can execute 'enable' and type the password and they are in enable mode.
Thanks,
Kim
03-18-2005 08:14 AM
Would you post the configuration you have for authentication? It sounds to me like you have configured user login to use radius but have not configured enable access to use radius. It would be easier to find your answer if we can see the config.
HTH
Rick
03-19-2005 06:07 AM
Hi Rick,
Unfortunately, I am unable to post the config. However, it seems like it would only be a one line command to do what you suggest. Can you provide the command line to enter?
Thanks,
Kim
03-20-2005 05:50 PM
Hey
I don't think this can be done with Cat OS. I know if you're running IOS and the RADIUS server sends a Cisco AV Pair of shell:priv-lvl=15 the IOS box will set you up with Enable Access. However this does not work when it is sent to any of my CatOS boxes. I looked a few months back and wasn't able to find a way to do it.
Timo
03-23-2005 05:04 AM
Thanks for your help.
Kim
03-23-2005 06:56 AM
Kim
We configure our Catalyst 6500 switches with these commands:
set authentication enable tacacs enable console primary
set authentication enable tacacs enable telnet primary
and it works fine for us. When a user enters the enable command the switch sends an authentication request to the tacacs server and if the user is not configured for enable access in the server then the attempt is denied.
I know this works for us with tacacs. I do not believe that there is any significant difference between tacacs and radius though I am not able to verify the function on radius. I did test this on a switch running 7.6(6) and believe that the functionality should be the same on your switch running 7.5(1).
HTH
Rick
03-30-2005 05:01 AM
Hi Rick,
The big difference between RADIUS and TACACS is that RADIUS is 'open source' and TACACS is Cisco Proprietary :-) So, implementing TACACS on Cisco products is really sweet. Not so much on the RADIUS side, though. Cat OS is the fly in the ointment.
With IOS commands I found the 'attribute' command which would allow RADIUS to utilize TACACS attributes. At least, that's what it looks like at first glance. I haven't been able to read through the doc at this time.
Thanks to everyone for your suggestions. I appreciate your time.
Kim