kapydan88
Participant

FreeRADIUS and "sh run" for a user account with privilege level 5

Hello, everybody.

 

We use FreeRADIUS for authentication for switch management.

 

root@radius:~# freeradius -v
freeradius: FreeRADIUS Version 2.1.12, for host x86_64-pc-linux-gnu, built on Aug 26 2015 at 14:47:03
Copyright (C) 1999-2011 The FreeRADIUS server project and contributors.
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
PARTICULAR PURPOSE.
You may redistribute copies of FreeRADIUS under the terms of the
GNU General Public License.
For more information about these matters, see the file named COPYRIGHT.
root@radius:~#

 

I created a user with the following parameters:

 

user   Cleartext-Password := user123
          Service-Type = NAS-Prompt-User,
          Cisco-AVPair = "shell:roles=network-operator",
          Cisco-AVPair += "shell:priv-lvl=5"

 

With this account, I can connect to the switch without problem. But I need to add permission for this account to view the full configuration with "show running-config", and this cannot be done in any way.

I tried via 

privilege exec level 5 more system:running-config

privilege exec level 5 show running-config

privilege exec level 5 show

but all of these were unsuccessful.

 

Is it possible to allow "sh run" for a user account with privilege level 5? I tried different switches, like the 2960 and the 9300.


balaji.bandi
VIP Expert

Look at the AV-pair commands:

 

https://wiki.freeradius.org/vendor/Cisco#enable-mode_per-user-privilege-level

 



BB


*** Rate All Helpful Responses ***

Thank you for this link. I read it before creating this question. But my problem is with the "sh run" output - it doesn't work.

 

Cisco-AVPair += "shell:priv-lvl=15", tried 5-10
Cisco-AVPair = "shell:cmd=show"

Post the complete config of the device and attach the FreeRADIUS config so we can understand what is missing.

 



BB


*** Rate All Helpful Responses ***

Configs attached:

 

aaa new-model
!
!
aaa authentication login default group radius local
aaa authorization exec default group radius local
aaa accounting exec default start-stop group radius
!

...

radius-server host 10.96.6.49 auth-port 1812 acct-port 1813
radius-server key 7 1534195F360A2F753D77
privilege exec level 1 copy running-config tftp
privilege exec level 7
privilege exec level 7 show running-config
privilege exec level 7 show
!

As such, I do not see any config issue here:

privilege exec level 7    <<- blank line; remove this from the Cisco config.

 

On the RADIUS side, change the user config as below, then save and restart the RADIUS service:

user Cleartext-Password := "user123"
       Service-Type = NAS-Prompt-User,
           Cisco-AVPair = "shell:priv-lvl=7"

 

Let us know the outcome (you can also run FreeRADIUS in debug mode, so you can easily understand from the logs why it is not working as expected).

 

What FreeRADIUS version?

 



BB


*** Rate All Helpful Responses ***

Thank you for the answer.

Now it works, but I see an empty config from this user account with privilege level 7.

 

sw_10#sh run
Building configuration...

Current configuration : 198 bytes
!
! Last configuration change at 21:19:54 MSK Sat Feb 27 2021 by kn_98
! NVRAM config last updated at 10:12:18 MSK Wed Feb 3 2021 by kn_98
!
boot-start-marker
boot-end-marker
!
!
!
!
!
!
end

sw_10#shw
sw_10#shwo
sw_10#show pri
sw_10#show privilege
Current privilege level is 7
sw_10#

 

This is part of the config, viewed with the admin account:

sw_10#sh run | i priv
privilege exec level 7 show running-config
privilege exec level 7 show
sw_10#

 

This is the user account on the FreeRADIUS server:

user  Cleartext-Password := user123
        Service-Type = NAS-Prompt-User,
        Cisco-AVPair += "shell:priv-lvl=7"

 

The FreeRADIUS version is 2.1.12.

Thank you for the feedback. I hope all is working as expected? If no further assistance is required, please mark it as the solution; it will be helpful for other community users.

 



BB


*** Rate All Helpful Responses ***

The fact is that with such settings, the switch doesn't display the entire configuration. I also checked with startup-config on a new Catalyst 9300.

 

OF-01-SW-121#sh run | i priv
privilege exec level 7 show startup-config
privilege exec level 7 show running-config full
privilege exec level 7 show running-config view full
privilege exec level 7 show running-config view
privilege exec level 7 show running-config all
privilege exec level 7 show running-config
privilege exec level 7 show
OF-01-SW-121#

 

And this is what I can see with the privilege level 7 user account:

OF-01-SW-121#sh priv
OF-01-SW-121#sh privilege
Current privilege level is 7
OF-01-SW-121#show sta
OF-01-SW-121#show start
OF-01-SW-121#show startup-config
Using 27281 out of 2097152 bytes
OF-01-SW-121#show runn
OF-01-SW-121#show running-config
OF-01-SW-121#show running-config ?
aaa Show AAA configurations
all Configuration with defaults
cts Show CTS configurations
full full configuration
interface Show interface configuration
ip IPv4 subcommands
ipv6 IPv6 subcommands
mdns-sd Show mDNS-SD configurations
view View options
vrf Show VRF aware configuration
| Output modifiers
<cr> <cr>

OF-01-SW-121#show running-config all
OF-01-SW-121#show running-config full
OF-01-SW-121#show running-config view
OF-01-SW-121#show running-config view full
OF-01-SW-121#

At this stage I can suggest the commands below to see if that works; if not, we need to enable some debugging on the RADIUS and device side to see what is happening.

 

privilege exec all level 7 show running-config
file privilege 7

 



BB


*** Rate All Helpful Responses ***
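As an added example (not code from this thread, nor from Cisco or FreeRADIUS), the Python script below parses a FreeRADIUS users-file entry like the ones posted above for its `shell:priv-lvl` AV-pair, parses the switch's `privilege exec [all] level N <command>` lines, and reports which of the listed commands that level is allowed to run. The input data is constructed for the example, and the matching model (a plain rule matches only its exact command, an `all` rule also covers every longer command that extends it, longest match wins) is this example's simplification of IOS behaviour for auditing purposes, not a statement of the exact IOS semantics.

```python
"""Audit which 'privilege exec' commands a RADIUS-authenticated user can reach.

Added example for this thread. It reads two constructed inputs (not captured
from a real device): a FreeRADIUS 'users'-file entry and the privilege lines
from an IOS running-config, then resolves commands against the user's level.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed FreeRADIUS users-file entry (sample data for this example).
USERS_ENTRY = '''\
user   Cleartext-Password := "user123"
       Service-Type = NAS-Prompt-User,
       Cisco-AVPair = "shell:roles=network-operator",
       Cisco-AVPair += "shell:priv-lvl=7"
'''

# Constructed 'show run | include privilege' output (sample data for this example).
# The bare "privilege exec level 7" line mirrors the blank line seen in the thread
# and is ignored by the parser because it names no command.
IOS_PRIV_LINES = '''\
privilege exec level 1 copy running-config tftp
privilege exec level 7
privilege exec level 7 show startup-config
privilege exec all level 7 show running-config
privilege exec level 15 configure terminal
'''

# Cisco-AVPair = "..." or Cisco-AVPair += "..." (value inside the quotes).
_AVPAIR_RE = re.compile(r'Cisco-AVPair\s*\+?=\s*"([^"]*)"')
# privilege exec [all] level <0-15> <command words>
_PRIV_RE = re.compile(r'^privilege exec (?P<all>all )?level (?P<lvl>\d{1,2}) (?P<cmd>.+?)\s*$')


@dataclass(frozen=True)
class PrivRule:
    level: int
    command: Tuple[str, ...]   # command words, e.g. ("show", "running-config")
    covers_subcommands: bool   # True for 'privilege exec all ...'


def parse_priv_lvl(entry: str) -> Optional[int]:
    """Return the shell:priv-lvl value from the entry's Cisco-AVPair attributes.

    None when no priv-lvl attribute is present; ValueError when it is outside 0-15.
    If the attribute appears more than once, the last occurrence wins.
    """
    level = None
    for value in _AVPAIR_RE.findall(entry):
        m = re.fullmatch(r'shell:priv-lvl=(\d+)', value.strip())
        if m:
            lvl = int(m.group(1))
            if not 0 <= lvl <= 15:
                raise ValueError(f"priv-lvl out of range 0-15: {lvl}")
            level = lvl
    return level


def parse_privilege_lines(config: str) -> List[PrivRule]:
    """Extract PrivRule objects from 'privilege exec' lines; other lines are skipped."""
    rules = []
    for line in config.splitlines():
        m = _PRIV_RE.match(line.strip())
        if not m:
            continue
        rules.append(PrivRule(int(m['lvl']), tuple(m['cmd'].split()), m['all'] is not None))
    return rules


def required_level(rules: List[PrivRule], command: str) -> Optional[int]:
    """Level the config assigns to `command`, or None when no listed rule applies."""
    words = tuple(command.split())
    best = None
    for r in rules:
        exact = r.command == words
        extends = r.covers_subcommands and words[:len(r.command)] == r.command
        if (exact or extends) and (best is None or len(r.command) > len(best.command)):
            best = r  # longest matching rule is the most specific one
    return None if best is None else best.level


def authorized(rules: List[PrivRule], user_level: int, command: str) -> Optional[bool]:
    """True/False when a rule covers the command; None when the config says nothing."""
    lvl = required_level(rules, command)
    return None if lvl is None else user_level >= lvl


def report(entry: str = USERS_ENTRY, config: str = IOS_PRIV_LINES,
           commands: Tuple[str, ...] = ("show running-config", "show running-config all",
                                        "show startup-config", "configure terminal",
                                        "show version")) -> Dict[str, Optional[bool]]:
    """Map each command to its authorization result for the user in `entry`."""
    user_level = parse_priv_lvl(entry)
    if user_level is None:
        raise ValueError("entry carries no shell:priv-lvl attribute")
    rules = parse_privilege_lines(config)
    return {cmd: authorized(rules, user_level, cmd) for cmd in commands}


if __name__ == "__main__":
    for cmd, ok in report().items():
        print(f"{cmd:28s} -> {'allowed' if ok else 'denied' if ok is False else 'no rule listed'}")
```

Run it as-is to see the sample user at level 7 allowed `show running-config` and `show startup-config`, denied `configure terminal`, and unresolved for `show version` (the example only knows about commands that appear in `privilege exec` lines). Swap `USERS_ENTRY` for a real users-file entry and `IOS_PRIV_LINES` for the output of `show run | include privilege` to audit a production pair.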


I believe that what we are seeing is a long-standing behavior of IOS. In trying to do show run for a user whose privilege level is less than 15, the user can see only the things in the config that they are allowed to configure. From a security perspective this makes sense - if they are prevented from changing some parameter, why would you show them that parameter? But the very strange thing is that the same restriction does not apply to show startup, which allows a user with a limited privilege level to see the complete startup config. It is inconsistent, but it has been this way for many years.

HTH

Rick

I think that this is a feature of IOS/IOS-XE itself.

 

Perhaps this can be done with local authentication, if you specify who can see and configure what.

https://www.cisco.com/c/en/us/support/docs/security-vpn/terminal-access-controller-access-control-system-tacacs-/23383-showrun.html

 

Maybe this functionality can be implemented via TACACS, but not RADIUS. In my previous job, I set up a similar permission for tech support to view some data on Cisco routers and switches, but I did it via ACS 5.2 or 5.3.

This is an almost-working version for IOS-XE 16.12.02.

 

OF-01-SW-121#sh ver | i 16.12.02
Cisco IOS XE Software, Version 16.12.02
Cisco IOS Software [Gibraltar], Catalyst L3 Switch Software (CAT9K_IOSXE), Version 16.12.02, RELEASE SOFTWARE (fc2)
* 1 53 C9300L-48P-4X 16.12.02 CAT9K_IOSXE INSTALL
OF-01-SW-121#

 

Unfortunately, the switch doesn't allow viewing the running-config, but it lets you see the startup-config without any problems. Given that the running-config is the same as the startup-config, this is what we need.

 

OF-01-SW-121#sh run | i priv
file privilege 7
privilege exec level 7 show startup-config
privilege exec level 7 show
OF-01-SW-121#

Daniel Frey
Cisco Employee

Thank you for this link, but it is valid only for local authentication.
