OpenLDAP / FreeRadius and authentication/authorization

ppalmerjr
Level 1

I have what I consider to be an issue. I'm running OpenLDAP integrated with FreeRadius and I have a NetworkAdmins group configured. I want this group to have full priv15, and the users should drop into enable mode upon their initial successful login. I've added the below to the /etc/raddb/users file but for some reason it still asks for an enable password.

        Service-Type = NAS-Prompt-User,
        cisco-avpair := "shell:priv-lvl=15"

I have it working to where the user can authenticate into enable/exec mode, but that only works when I create a user "$enab15$" and a password. It appears that when you type enable on the Cisco it sends another authentication request to FreeRadius with that name.

My goal is to have two LDAP groups

1. NetworkAdmins - privilege level 15

2. NetworkOperators - privilege level 1

There has to be a way to do this.

Any suggestions?

2 Replies

Can you show us the AAA configuration on your router? I suspect you're missing exec authorization.

Javier Henderson

Cisco Systems

I do have that command... and I figured out what the issue was. Here it is:

I had to do the following in the /etc/raddb/users file

DEFAULT LDAP-Group == "NetworkAdmins"   # this is your LDAP group to be allowed
        Service-Type = NAS-Prompt-User,
        cisco-avpair = "shell:priv-lvl=15"

From here I'm going to add another LDAP group with level 1 and see if I can get that to work.

Thanks for your response!
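The two-group setup the original post asks for, written out as a complete /etc/raddb/users fragment. This is an added example, not the poster's file: the group names come from the thread, and the trailing reject entry and the Reply-Message text are assumptions.

```text
# /etc/raddb/users  (added example; group names from the thread, reject entry assumed)
#
# Entries are tried top to bottom and the first match wins, so the
# catch-all reject must stay last. The check item uses "==": with ":="
# the group test would always match and every user would get the reply.

# Members of NetworkAdmins land in an exec shell at privilege 15
DEFAULT LDAP-Group == "NetworkAdmins"
        Service-Type = NAS-Prompt-User,
        cisco-avpair = "shell:priv-lvl=15"

# Members of NetworkOperators land in an exec shell at privilege 1
DEFAULT LDAP-Group == "NetworkOperators"
        Service-Type = NAS-Prompt-User,
        cisco-avpair = "shell:priv-lvl=1"

# Anyone who is in neither group is refused rather than let in at level 1
DEFAULT Auth-Type := Reject
        Reply-Message = "Not a member of an authorised network group"
```

The priv-lvl reply only takes effect when the router sends exec authorization to RADIUS, which is the `aaa authorization exec` command Javier asked about; if `aaa authentication enable` is also pointed at RADIUS, the $enab15$ request from the original post will keep appearing whenever someone types enable.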