02-05-2009 11:41 PM - edited 03-10-2019 04:19 PM
In my network I have different devices, and authentication to these devices is via ACS with RADIUS (IETF).
For some users I want to configure read-only access to these devices, which all share the RADIUS IETF attributes through ACS.
Thanks & Regards
HG
02-06-2009 02:44 PM
Read-only, full access and user access all depend on the privilege level that the user is assigned via the authentication server. This is not as simple as setting a value on RADIUS that the router will understand as defining only read access for some users. You have to play with the privilege-level Vendor Specific Attribute (shell:priv-lvl=#). When you do this, what you will do is put the user into a specific mode: user mode 0 or 1, 2-14 (custom), or EXEC mode (15). However, after doing this you need to give users access to specific commands. What I mean is that if you place the user on level 1, when the user issues show run or some other command, the only thing he will be able to do is see the configuration for the commands, or the parts of it, that are relevant to privilege level 1. My advice is to use TACACS instead and perform command authorization:
02-08-2009 10:36 PM
Thanks for the reply, but my concern is that I am using a non-Cisco device, and authentication of users on these devices is done via ACS.
So I need to segregate user privilege via a RADIUS protocol attribute.
Regards
HG
02-09-2009 08:20 AM
In that case you will need to check with your device vendor what value they expect to receive for the privilege level; on Cisco boxes the privilege-level Vendor Specific Attribute is "shell:priv-lvl=#".
02-16-2009 10:21 AM
Here is some related info:
RADIUS Exec Authorization
There is no command to enable RADIUS exec authorization. The alternative is to set the Service-Type (RADIUS attribute 6) to Administrative (a value of 6) in the RADIUS server to launch the user into enable mode. If the service-type is set to anything other than 6-administrative, for example 1-login, 7-shell, or 2-framed, the user arrives at the switch exec prompt, but not the enable prompt.
http://www.cisco.com/en/US/tech/tk59/technologies_tech_note09186a0080094ea4.shtml#f
IETF RADIUS Attributes
[006] Service-Type= [1-7]
Same values apply for IOS:
Configuring Authorization
http://www.cisco.com/en/US/tech/tk59/technologies_tech_note09186a0080093c81.shtml#config_auth
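Added example (not from the thread, nor Cisco's or ACS's code): a small Python decoder for the attribute list of a RADIUS Access-Accept, showing how the IETF Service-Type (attribute 6) and the Cisco cisco-avpair VSA (Vendor-Id 9, vendor type 1) carrying `shell:priv-lvl=#` appear on the wire, so you can confirm from a capture what the server is really returning before blaming the device. The sample packets are constructed, not captured; the precedence rule in `authorization_summary` (a present priv-lvl wins, Service-Type 6 means level 15, anything else leaves the default exec level 1) is the assumed IOS behaviour and is not stated in the thread.

```python
"""Decode the authorization-relevant attributes of a RADIUS Access-Accept.

Added example, not from the forum thread.  Sample packets are constructed.
"""
import struct

SERVICE_TYPE = 6          # IETF attribute 6 (RFC 2865)
VENDOR_SPECIFIC = 26      # IETF attribute 26
ACCESS_ACCEPT = 2         # RADIUS code
SERVICE_TYPE_NAMES = {1: "Login", 2: "Framed", 6: "Administrative", 7: "NAS Prompt"}
CISCO_VENDOR_ID = 9
CISCO_AVPAIR = 1          # vendor type 1 = cisco-avpair, e.g. "shell:priv-lvl=15"

# code(1) identifier(1) length(2) authenticator(16)
RADIUS_HEADER = struct.Struct("!BBH16s")


def parse_attributes(data):
    """Return (type, vendor_id, vendor_type, value) tuples from a RADIUS attribute list.

    Plain IETF attributes have vendor_id/vendor_type None.  VSAs are split into
    their RFC 2865 sub-attributes.  Malformed lengths raise instead of being skipped.
    """
    attrs, pos = [], 0
    while pos < len(data):
        if len(data) - pos < 2:
            raise ValueError("truncated attribute header at offset %d" % pos)
        atype, alen = data[pos], data[pos + 1]
        if alen < 2 or pos + alen > len(data):
            raise ValueError("bad attribute length %d at offset %d" % (alen, pos))
        value = data[pos + 2:pos + alen]
        if atype == VENDOR_SPECIFIC:
            if len(value) < 4:
                raise ValueError("VSA too short for Vendor-Id")
            vendor_id = struct.unpack("!I", value[:4])[0]
            sub, spos = value[4:], 0
            while spos < len(sub):  # vendor-type, vendor-length, value
                if len(sub) - spos < 2:
                    raise ValueError("truncated VSA sub-attribute")
                vtype, vlen = sub[spos], sub[spos + 1]
                if vlen < 2 or spos + vlen > len(sub):
                    raise ValueError("bad VSA sub-attribute length")
                attrs.append((atype, vendor_id, vtype, sub[spos + 2:spos + vlen]))
                spos += vlen
        else:
            attrs.append((atype, None, None, value))
        pos += alen
    return attrs


def authorization_summary(packet):
    """Summarize what an Access-Accept grants: Service-Type, shell:priv-lvl, effective level."""
    code, _ident, length, _auth = RADIUS_HEADER.unpack_from(packet)
    if length != len(packet):
        raise ValueError("length field %d != packet size %d" % (length, len(packet)))
    if code != ACCESS_ACCEPT:
        raise ValueError("not an Access-Accept (code %d)" % code)
    summary = {"service_type": None, "service_type_value": None,
               "shell_priv_lvl": None, "cisco_avpairs": []}
    for atype, vid, vtype, value in parse_attributes(packet[RADIUS_HEADER.size:]):
        if atype == SERVICE_TYPE and len(value) == 4:
            st = struct.unpack("!I", value)[0]
            summary["service_type_value"] = st
            summary["service_type"] = SERVICE_TYPE_NAMES.get(st, "Unknown(%d)" % st)
        elif atype == VENDOR_SPECIFIC and vid == CISCO_VENDOR_ID and vtype == CISCO_AVPAIR:
            avpair = value.decode("ascii", "replace")
            summary["cisco_avpairs"].append(avpair)
            if avpair.startswith("shell:priv-lvl="):
                summary["shell_priv_lvl"] = int(avpair.split("=", 1)[1])
    # Assumed IOS behaviour: explicit priv-lvl wins; Service-Type 6 => level 15; else default 1.
    if summary["shell_priv_lvl"] is not None:
        summary["effective_priv_lvl"] = summary["shell_priv_lvl"]
    elif summary["service_type_value"] == 6:
        summary["effective_priv_lvl"] = 15
    else:
        summary["effective_priv_lvl"] = 1
    return summary


def build_access_accept(identifier, attributes):
    """Encode a constructed Access-Accept for testing; attributes is a list of (type, bytes)."""
    body = b"".join(bytes([t, 2 + len(v)]) + v for t, v in attributes)
    authenticator = b"\x00" * 16  # placeholder; a real reply carries an MD5 over the request
    return RADIUS_HEADER.pack(ACCESS_ACCEPT, identifier, RADIUS_HEADER.size + len(body), authenticator) + body


def cisco_avpair(text):
    """Encode a cisco-avpair VSA value (Vendor-Id 9, vendor type 1)."""
    vb = text.encode("ascii")
    return struct.pack("!I", CISCO_VENDOR_ID) + bytes([CISCO_AVPAIR, 2 + len(vb)]) + vb


# Constructed samples (not captured traffic)
ADMIN_ACCEPT = build_access_accept(1, [(SERVICE_TYPE, struct.pack("!I", 6))])
READONLY_ACCEPT = build_access_accept(2, [(SERVICE_TYPE, struct.pack("!I", 7)),
                                          (VENDOR_SPECIFIC, cisco_avpair("shell:priv-lvl=1"))])
LOGIN_ACCEPT = build_access_accept(3, [(SERVICE_TYPE, struct.pack("!I", 1))])

if __name__ == "__main__":
    for name, pkt in (("admin", ADMIN_ACCEPT), ("readonly", READONLY_ACCEPT), ("login", LOGIN_ACCEPT)):
        print(name, authorization_summary(pkt))
```

Feed it the UDP payload of a real Access-Accept from a packet capture to see exactly which attribute the server sent; a non-Cisco device that ignores Service-Type or cisco-avpair will need whatever VSA its own vendor documents, which is what the reply above points out.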