Configuring Radius Authentication/Authorization on a 6509

kimlong
Level 1

Hello,

I can't seem to find the commands to do what I need. I have a 6509 running 7.5.1 Cat OS. I want the Radius server to authenticate and authorize privilege based on the user database in Radius. Could someone point me to the set commands to do this?

The way it is now, no matter what attributes are given to the user in the Radius db, they can execute 'enable' and type the password and they are in enable mode.

Thanks,

Kim

6 Replies

Richard Burts
Hall of Fame

Would you post the configuration you have for authentication? It sounds to me like you have configured user login to use radius but have not configured enable access to use radius. It would be easier to find your answer if we can see the config.

HTH

Rick

Hi Rick,

Unfortunately, I am unable to post the config. However, it seems like it would only be a one line command to do what you suggest. Can you provide the command line to enter?

Thanks,

Kim

Tim Glen
Cisco Employee

Hey

I don't think this can be done with Cat OS. I know if you're running IOS and the RADIUS server sends a Cisco AV Pair of shell:priv-lvl=15 then the IOS box will set you up with Enable Access. However this does not work when it is sent to any of my CatOS boxes. I looked a few months back and wasn't able to find a way to do it.

Timo

Thanks for your help.

Kim

Kim

We configure our Catalyst 6500 switches with these commands:

set authentication enable tacacs enable console primary

set authentication enable tacacs enable telnet primary

and it works fine for us. When a user enters the enable command the switch sends an authentication request to the tacacs server and if the user is not configured for enable access in the server then the attempt is denied.

I know this works for us with tacacs. I do not believe that there is any significant difference between tacacs and radius though I am not able to verify the function on radius. I did test this on a switch running 7.6(6) and believe that the functionality should be the same on your switch running 7.5(1).

HTH

Rick

Hi Rick,

The big difference between RADIUS and TACACS is that RADIUS is 'open source' and TACACS is Cisco Proprietary :-) So, implementing TACACS on Cisco products is really sweet. Not so much on the RADIUS side, though. Cat OS is the fly in the ointment.

With IOS commands I found the 'attribute' command which would allow RADIUS to utilize TACACS attributes. At least, that's what it looks like at first glance. I haven't been able to read through the doc at this time.

Thanks to everyone for your suggestions. I appreciate your time.

Kim