
exec authorization with radius..

diptanshusingh
Level 1

Hi guys, I was configuring auth-proxy. I had a

m/c---(inside)router(outside)---internet

Now I want that a normal user is not able to get telnet access to my router; only certain users can have telnet access from the inside. I don't want to use NAR. I want to do this only with RADIUS authorization.

I was looking for a way to control the users' access to the router with the help of RADIUS,

aaa authorization exec default group tacacs+

When I use the above command I know that I can control the shell access by checking the shell box, but when I use the below command

aaa authorization exec default group radius

I was not able to find any particular RADIUS av-pair which can control the exec shell access the way the above one does.

4 Replies

rochopra
Cisco Employee

Following is the av-pair for privilege level 15

shell:priv-lvl=15

In addition, also select attribute 6

Service-type = login

~Rohit

Hi Rohit, I am looking to deny a specific user from getting the exec shell of my router with RADIUS authorization. The above attributes will assign a user priv level 15...

So do not assign any privilege level to the user, or assign privilege level 0.

~Rohit

Premdeep Banga
Level 7

Hi,

Make use of this,

shell:priv-lvl=15

shell:autocmd=exit

So what will happen with this is, as soon as the user tries to log into the shell, BOOM!, the user will exit out.

NOTE: I have not tried this exactly, but it should work. You might be required to use a separator, ";", i.e.,

shell:priv-lvl=15;

shell:autocmd=exit

Regards,

Prem
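
An added example, not part of any reply in this thread: a small Python audit that reads the reply attributes discussed above (`Service-Type`, `shell:priv-lvl`, `shell:autocmd`) from per-user RADIUS profiles and lists every user outside an approved set whose profile carries an exec privilege level. The user names, the `PROFILES` layout and both function names are assumptions made for this example; real profiles would be exported from whatever RADIUS server is in use.

```python
import re

# Cisco-AVPair value syntax: protocol:attribute<sep>value
# ("=" marks the attribute mandatory, "*" optional).
AVPAIR_RE = re.compile(r"^([\w-]+):([\w-]+)([=*])(.*)$")


def shell_profile(reply_attrs):
    """Summarise the exec-related reply attributes of one RADIUS user.

    reply_attrs is a list of (attribute name, value) pairs.
    """
    out = {"service_type": None, "priv_lvl": None, "autocmd": None, "unparsed": []}
    for name, value in reply_attrs:
        key = name.lower()
        if key == "service-type":
            out["service_type"] = value
        elif key == "cisco-avpair":
            m = AVPAIR_RE.match(value.strip())
            if not m:
                out["unparsed"].append(value)
                continue
            proto, attr, _sep, val = m.groups()
            if proto != "shell":
                continue  # only shell (exec) attributes matter here
            if attr == "priv-lvl":
                # IOS privilege levels run from 0 to 15; anything else is recorded, not guessed.
                if val.isdigit() and int(val) <= 15:
                    out["priv_lvl"] = int(val)
                else:
                    out["unparsed"].append(value)
            elif attr == "autocmd":
                out["autocmd"] = val
    return out


def unapproved_exec(profiles, approved, min_level=1):
    """Return (user, priv_lvl, autocmd) for users outside the approved set
    whose profile carries shell:priv-lvl >= min_level."""
    findings = []
    for user, attrs in sorted(profiles.items()):
        p = shell_profile(attrs)
        if user in approved or p["priv_lvl"] is None:
            continue
        if p["priv_lvl"] >= min_level:
            findings.append((user, p["priv_lvl"], p["autocmd"]))
    return findings


# Constructed sample profiles (user names are made up for this example).
PROFILES = {
    "netadmin": [("Service-Type", "Login"), ("Cisco-AVPair", "shell:priv-lvl=15")],
    "helpdesk": [("Service-Type", "Login"), ("Cisco-AVPair", "shell:priv-lvl=0")],
    "contractor": [("Cisco-AVPair", "shell:priv-lvl=15"), ("Cisco-AVPair", "shell:autocmd=exit")],
}
APPROVED = {"netadmin"}
```

The audit reports the `autocmd` value next to the privilege level instead of deciding what the device will do with it, so a reviewer can see which high-privilege profiles rely on an auto-command.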