02-26-2021 08:36 AM
Hello everybody.
We have FreeRADIUS for authentication for switch management.
root@radius:~# freeradius -v
freeradius: FreeRADIUS Version 2.1.12, for host x86_64-pc-linux-gnu, built on Aug 26 2015 at 14:47:03
Copyright (C) 1999-2011 The FreeRADIUS server project and contributors.
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
PARTICULAR PURPOSE.
You may redistribute copies of FreeRADIUS under the terms of the
GNU General Public License.
For more information about these matters, see the file named COPYRIGHT.
root@radius:~#
I created a user with the following parameters:
user Cleartext-Password := user123
Service-Type = NAS-Prompt-User,
Cisco-AVPair = "shell:roles=network-operator",
Cisco-AVPair += "shell:priv-lvl=5"
With this account, I can connect to the switch without problem. But I need to add permission to view the full configuration ("show running-config") for this account, and this cannot be done in any way.
I tried via:
privilege exec level 5 more system:running-config
privilege exec level 5 show running-config
privilege exec level 5 show
but all these ways were unsuccessful.
Is it possible to allow "sh run" for a user account with privilege level 5? Tried with different switches, like 2960 or 9300.
02-27-2021 11:33 AM
At this stage I can suggest the commands below to see if that works; if not, we need some debugging enabled on the RADIUS and device side to see what is happening.
privilege exec all level 7 show running-config
file privilege 7
02-26-2021 09:41 AM
Look at the av-pair commands:
https://wiki.freeradius.org/vendor/Cisco#enable-mode_per-user-privilege-level
02-26-2021 01:54 PM
Thank you for this link. I read it before creating this question. But my problem is with the "sh run" output - it doesn't work.
Cisco-AVPair += "shell:priv-lvl=15", tried 5-10
Cisco-AVPair = "shell:cmd=show"
02-27-2021 01:55 AM
Post the complete config of the device and attach the FreeRADIUS config to understand what is missing.
02-27-2021 08:11 AM
Configs attached:
aaa new-model
!
!
aaa authentication login default group radius local
aaa authorization exec default group radius local
aaa accounting exec default start-stop group radius
!
...
radius-server host 10.96.6.49 auth-port 1812 acct-port 1813
radius-server key 7 1534195F360A2F753D77
privilege exec level 1 copy running-config tftp
privilege exec level 7
privilege exec level 7 show running-config
privilege exec level 7 show
!
02-27-2021 09:01 AM
As such I do not see any config issue here:
privilege exec level 7 <<- blank line, remove from Cisco.
On the RADIUS side change the user config as below, then save and restart the RADIUS service:
user Cleartext-Password := "user123"
Service-Type = NAS-Prompt-User,
Cisco-AVPair = "shell:priv-lvl=7"
Let us know the outcome (you can also enable FreeRADIUS in debug mode, so you can easily understand from the logs why it is not working as expected).
What FreeRADIUS version?
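The thread turns on two things matching up: the priv-lvl the RADIUS reply carries and the `privilege exec level N` lines on the switch, plus the empty `privilege exec level 7` line the reply above says to remove. The audit helper below is an added example, not code from the thread or from FreeRADIUS/Cisco; the users-file entry and the privilege lines are constructed samples modelled on the ones posted.

```python
import re

# Constructed sample FreeRADIUS users-file entry, shaped like the one in the thread
USERS_ENTRY = '''user Cleartext-Password := "user123"
    Service-Type = NAS-Prompt-User,
    Cisco-AVPair = "shell:priv-lvl=7"
'''

# Constructed sample of the switch's privilege lines, as "sh run | i priv" would show them
IOS_PRIV_LINES = '''privilege exec level 1 copy running-config tftp
privilege exec level 7
privilege exec level 7 show running-config
privilege exec level 7 show
'''

PRIV_RE = re.compile(r'shell:priv-lvl=(\d+)')
EXEC_RE = re.compile(r'^privilege exec (?:all )?level (\d+)\s*(.*)$')


def radius_priv_level(entry: str) -> int:
    """priv-lvl the RADIUS reply would carry; IOS lands the user at level 1 if none is sent."""
    m = PRIV_RE.search(entry)
    return int(m.group(1)) if m else 1


def parse_privilege_lines(config: str):
    """Return (level, command) for each 'privilege exec [all] level N <cmd>' line."""
    rules = []
    for line in config.splitlines():
        m = EXEC_RE.match(line.strip())
        if m:
            rules.append((int(m.group(1)), m.group(2).strip()))
    return rules


def audit(entry: str, config: str) -> dict:
    """Commands the RADIUS user can run: those moved to a level <= the user's priv-lvl."""
    level = radius_priv_level(entry)
    rules = parse_privilege_lines(config)
    allowed = sorted(cmd for lvl, cmd in rules if cmd and lvl <= level)
    # A 'privilege exec level N' line with no command moves nothing; flag it for removal
    empty_rules = [lvl for lvl, cmd in rules if not cmd]
    return {"priv_lvl": level, "allowed": allowed, "empty_rules": empty_rules}


if __name__ == "__main__":
    print(audit(USERS_ENTRY, IOS_PRIV_LINES))
```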
02-27-2021 10:29 AM
Thank you for the answer.
Now it works, but I can see an empty config from this user account with privilege level 7.
sw_10#sh run
Building configuration...
Current configuration : 198 bytes
!
! Last configuration change at 21:19:54 MSK Sat Feb 27 2021 by kn_98
! NVRAM config last updated at 10:12:18 MSK Wed Feb 3 2021 by kn_98
!
boot-start-marker
boot-end-marker
!
!
!
!
!
!
end
sw_10#shw
sw_10#shwo
sw_10#show pri
sw_10#show privilege
Current privilege level is 7
sw_10#
This is the part of the config from the admin account:
sw_10#sh run | i priv
privilege exec level 7 show running-config
privilege exec level 7 show
sw_10#
This is the user account from the FreeRADIUS server:
user Cleartext-Password := user123
Service-Type = NAS-Prompt-User,
Cisco-AVPair += "shell:priv-lvl=7"
Freeradius version is FreeRADIUS Version 2.1.12.
02-27-2021 10:32 AM
Thank you for the feedback, hope all is working as expected? If no further assistance is required, please mark it as the solution; it will be helpful for other community users.
02-27-2021 11:09 AM
The fact is that with such settings the switch doesn't display the entire configuration. I also checked with startup-config on a new Catalyst 9300.
OF-01-SW-121#sh run | i priv
privilege exec level 7 show startup-config
privilege exec level 7 show running-config full
privilege exec level 7 show running-config view full
privilege exec level 7 show running-config view
privilege exec level 7 show running-config all
privilege exec level 7 show running-config
privilege exec level 7 show
OF-01-SW-121#
And what I can see with the privilege level 7 user account:
OF-01-SW-121#sh priv
OF-01-SW-121#sh privilege
Current privilege level is 7
OF-01-SW-121#show sta
OF-01-SW-121#show start
OF-01-SW-121#show startup-config
Using 27281 out of 2097152 bytes
OF-01-SW-121#show runn
OF-01-SW-121#show running-config
OF-01-SW-121#show running-config ?
aaa Show AAA configurations
all Configuration with defaults
cts Show CTS configurations
full full configuration
interface Show interface configuration
ip IPv4 subcommands
ipv6 IPv6 subcommands
mdns-sd Show mDNS-SD configurations
view View options
vrf Show VRF aware configuration
| Output modifiers
<cr> <cr>
OF-01-SW-121#show running-config all
OF-01-SW-121#show running-config full
OF-01-SW-121#show running-config view
OF-01-SW-121#show running-config view full
OF-01-SW-121#
02-27-2021 02:22 PM
I believe that what we are seeing is a long-standing behavior of IOS. In trying to do show run for a user whose privilege level is less than 15, the user can see only things in the config that they are allowed to configure. From a security perspective this makes sense - if they are prevented from changing some parameter, why would you show them that parameter? But the very strange thing is that the same restriction does not apply to show startup, which allows a user with limited privilege level to see the complete startup config. It is inconsistent, but it has been this way for many years.
02-28-2021 02:12 AM
I think that this is a feature of IOS/IOS-XE itself.
Perhaps this can be done with local authentication, if you specify what and who can see and configure.
Maybe this functionality can be implemented via TACACS, but not RADIUS. In my previous job, I set up a similar permission for tech support to view some data on Cisco routers and switches, but I did it via ACS 5.2 or 5.3.
02-28-2021 01:57 AM
It's an almost working version for 16.12.02 IOS-XE.
OF-01-SW-121#sh ver | i 16.12.02
Cisco IOS XE Software, Version 16.12.02
Cisco IOS Software [Gibraltar], Catalyst L3 Switch Software (CAT9K_IOSXE), Version 16.12.02, RELEASE SOFTWARE (fc2)
* 1 53 C9300L-48P-4X 16.12.02 CAT9K_IOSXE INSTALL
OF-01-SW-121#
Unfortunately, the switch doesn't allow viewing the running-config, but it allows you to see the startup-config without any problems. Given that the running-config is the same as the startup-config, it is what we need.
OF-01-SW-121#sh run | i priv
file privilege 7
privilege exec level 7 show startup-config
privilege exec level 7 show
OF-01-SW-121#
02-26-2021 09:59 AM
02-26-2021 01:14 PM
Thank you for this link, but it is valid only for local authentication.