Need some clarification please: TACACS / RADIUS

rvinny___
Level 1

I want to allow TTY access for users and restrict them to only certain enabled commands (sh ip route, ip route, sh run, etc.). I pored through the online documentation and examples of RADIUS vs. TACACS and feel like I am missing one major point. Which AAA scheme do I *have* to use to accomplish this? Cisco's site said that both types will work; I have read on boards that only TACACS will work (most config examples show RADIUS is more for PPP authentication).

I have freeRADIUS running and had no problems setting it up for authentication and accounting. It's setting the authorization levels that I don't get. I can get as far as allowing a user to log in as exec mode or enabled (with full rights), but not enabled and limited to certain commands. Is it possible? I also have the tac+ port on my Unix box but wanted to stick with RADIUS if possible. I know we were able to set up our ATM switches using RADIUS and dictionary files. Is that an option for the routers? Thanks - I'm stumped.

1 Reply

gfullage
Cisco Employee

The RADIUS protocol does NOT support command authorization. RADIUS does authentication/authorization all at once, right at the beginning; there is nothing in the spec that allows for ongoing authorization requests to be sent off to a AAA server every time someone types in a command.

So, for command authorization you have to use TACACS.
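As an added illustration of what the reply describes (this is example configuration written for this page, not something posted by either participant), the following Cisco IOS fragment sends every exec-mode and configuration-mode command to a TACACS+ server for per-command authorization, which is the piece RADIUS cannot do. The server address 192.0.2.10, the group name TACGRP, the shared secret and the `tac_plus`-style policy below are assumed placeholders; the IOS syntax is the newer `tacacs server` form and would need the older `tacacs-server host` form on legacy images.

```cisco
! --- Router side (IOS, assumed 15.x-style syntax; names and addresses are placeholders) ---
aaa new-model
!
tacacs server TACSRV
 address ipv4 192.0.2.10
 key EXAMPLE_SHARED_SECRET
!
aaa group server tacacs+ TACGRP
 server name TACSRV
!
! Login and exec authorization go to TACACS+, falling back to the local database
! only if the server is unreachable.
aaa authentication login default group TACGRP local
aaa authorization exec default group TACGRP local
!
! Per-command authorization: every level-1 and level-15 command is checked with the
! server. "ip route" is entered in config mode, so config-commands must be enabled
! too, otherwise only exec-mode commands are ever sent for authorization.
aaa authorization commands 1 default group TACGRP local
aaa authorization commands 15 default group TACGRP local
aaa authorization config-commands
!
! Accounting gives the server a record of each command that was attempted.
aaa accounting commands 15 default start-stop group TACGRP
!
line vty 0 4
 login authentication default
 authorization exec default
 authorization commands 1 default
 authorization commands 15 default

! --- Server side (assumed Shrubbery tac_plus policy, illustrative only) ---
! user = rvinny {
!     login = cleartext "EXAMPLE_PASSWORD"
!     service = exec {
!         priv-lvl = 15          ! lands in enable mode ...
!     }
!     cmd = show {
!         permit "ip route"      ! ... but only these commands are authorized
!         permit "running-config"
!     }
!     cmd = ip {
!         permit "route .*"
!     }
!     default service = deny     ! everything not listed above is refused
! }
```

Two caveats worth checking in practice: the fallback method chosen after `group TACGRP` decides what happens when the server is down (`local` keeps the locally configured privilege levels in force, whereas `if-authenticated` would let any authenticated user run anything), and without `aaa authorization config-commands` a user permitted into config mode can still issue configuration commands that are never sent to the server.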