1327 Views | 0 Helpful | 8 Replies

Radius server setup for a secondary AD usergroup

Hi all,

RADIUS configuration was rolled out on our devices and we can access them via AD credentials 100%.

Now I tried to create a secondary RADIUS group with a single user that is only able to make our backups for our backup server, thus only allowing 1 command.

I created a privilege exec level, but when logging in with the specified account I still have full access.

Config:

aaa group server radius GTCGIJRADDV001.gijima.com
server-private *.*.*.* auth-port 1812 acct-port 1813 timeout 10 key 7 14533912010D1E080B00061808155420045958717A76650A371310731D0512420171285E031608703D562A450E27085C605B541E2D43232C3C542006382C21122062
ip radius source-interface Vlan31
!
aaa group server radius Radius1
server-private  auth-port 1812 acct-port 1813 timeout 10 key 7 02422F42060F3B0263663C342F11413D0B5C2403060D02311618013C465317490C76770B0609467E61127F1300780508471042403055323A6C532223324447280C45
ip radius source-interface Vlan999
!
aaa authentication login default group radius local enable
aaa authentication login Radius1 group radius local enable
aaa authorization console
aaa authorization config-commands
aaa authorization exec Access group radius if-authenticated
aaa accounting exec Access start-stop group radius

privilege exec level 7 sho running-config

line vty 0 4
exec-timeout 0 0
privilege level 15
authorization commands 7 Radius1
authorization commands 15 Access
authorization exec Access
accounting commands 7 Radius1
accounting commands 15 Access
accounting exec Access
logging synchronous
exec prompt timestamp
transport input telnet ssh
line vty 5 15
exec-timeout 0 0
privilege level 15
authorization commands 7 Radius1
authorization commands 15 Access
authorization exec Access
accounting commands 7 Radius1
accounting commands 15 Access
accounting exec Access
logging synchronous
exec prompt timestamp
transport input telnet ssh
!
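Editor's added example, not the original poster's configuration: an AAA setup for the same goal in which the VTY no longer forces privilege level 15 and the level instead comes from the RADIUS reply. It assumes a single NPS server at the placeholder address 192.0.2.10, a server group named NPS-AD, placeholder secrets in angle brackets, and an NPS network policy that returns the Cisco vendor-specific attribute Cisco-AVPair (vendor 9, attribute 1) with the value shell:priv-lvl=15 for the admin group and shell:priv-lvl=7 for the backup account. In the posted config, `privilege level 15` on the VTY plus an exec method list ending in `if-authenticated` means any user NPS accepts without a priv-lvl attribute lands at level 15, which is the symptom described.

```cisco
! Added example (not from the original post). Placeholders: 192.0.2.10, NPS-AD,
! and every value in angle brackets.
aaa new-model
!
aaa group server radius NPS-AD
 server-private 192.0.2.10 auth-port 1812 acct-port 1813 timeout 10 key <shared-secret>
 ip radius source-interface Vlan31
!
! Authentication: AD via NPS, local as fallback so an unreachable NPS cannot lock you out.
aaa authentication login default group NPS-AD local
! Exec authorization applies the priv-lvl NPS returns (Cisco-AVPair "shell:priv-lvl=N").
! "local" stays as fallback; "if-authenticated" is omitted because it would accept a
! login that carries no level at all.
aaa authorization exec default group NPS-AD local
aaa accounting exec default start-stop group NPS-AD
!
! Per-command authorization is a TACACS+ feature; RADIUS cannot restrict individual
! commands, so the backup account is confined with privilege levels instead.
! Expose "show running-config" at level 7 (IOS also moves the parent "show" to 7).
privilege exec level 7 show running-config
!
! Local fallback accounts with the same levels NPS will assign (placeholder secrets).
username admin-fallback privilege 15 secret <admin-password>
username backup-fallback privilege 7 secret <backup-password>
enable secret <enable-password>
!
line vty 0 15
 ! No "privilege level 15" here: the line default is 1, so a reply with no
 ! priv-lvl attribute yields level 1, not full access.
 exec-timeout 10 0
 login authentication default
 authorization exec default
 accounting exec default
 transport input ssh
```

Check the policy from the switch before trusting it: `test aaa group NPS-AD <backup-user> <password> new-code` prints the attributes NPS returns, and `shell:priv-lvl=7` should be among them; after logging in as that user, `show privilege` should report 7. Two caveats: on many IOS releases a user at a lowered level sees `show running-config` filtered to the commands their level may configure, so inspect the backup output (some releases accept `show running-config view full` to get the whole file), and the backup account must not know the enable secret, or `enable` escalates it to 15. Finally, the `key 7` strings in the posted config are type-7 obfuscation, which is trivially reversible, so a shared secret pasted into a public thread in that form should be treated as disclosed and rotated.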

8 Replies

balaji.bandi (Hall of Fame)

When you have 2 RADIUS servers, the first one is always used; only if the 1st fails does the request go to the next. There is no round-robin RADIUS load balancing here.

So disable the first RADIUS and test it. Make sure you have a fallback local account and config, so you don't lock yourself out.

 

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

Hi,

There is only 1 RADIUS server, but there were 2 separate groups configured on the server.

Group 1 for full access with specified credentials and a group 2 for read-only access with 1 specified user credential.

OK, got it. What RADIUS server is this?

BB


Hi, it is a normal Windows RADIUS server.

OK, we can understand the setup now. Why do you have 2 RADIUS servers configured on the device? What Cisco device is this?

We do have Cisco devices set up with Windows RADIUS; based on the user name, the user gets the right access, read-only or admin privilege.

BB


OK, so maybe I misunderstood the config, as I created the 2 server groups on the 1 server:

aaa group server radius GTCGIJRADDV001 - this was for AD authentication

aaa group server radius Radius1 - this was to be the secondary group for the read-only user

I removed the Radius1 aaa group now, but I can log in with AD and the specific user account and still get full access.

Could you share the config on your end that you have set up?

 

When you have 2 servers in a group, that means if one fails the other will take over.

If you are looking to control users based on the login (read-only or admin), then you need to have the same policy on your MS RADIUS side.

The video below helps step by step:

https://www.youtube.com/watch?v=r-GGDhYwc_k

BB


Hello,

You might be able to get this done by assigning a rotary to one VTY and then specifying the login authentication group:

line vty 5
rotary 1
login authentication Radius1

This would mean the user needs to access port 3001 (telnet x.x.x.x 3001) in order to get authenticated by the second RADIUS group. You probably need to configure an access class on the other VTYs in order to prevent the user from accessing the other lines...
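Editor's added example building on the rotary suggestion above; it is not the reply author's configuration and is not from the original post. It assumes the backup server is 192.0.2.50, admin workstations are in 198.51.100.0/24, a RADIUS server group named Radius1 as in the original post, and that the backup host connects over SSH to TCP port 2001, the rotary-1 port once `ip ssh port` is set (the Telnet rotary-1 port is 3001). The access-classes are what the reply author hints at: they keep the backup host off the normal lines, so it cannot land on a VTY that uses the admin method lists, and keep everyone else off the backup line.

```cisco
! Added example (not the reply author's configuration); placeholder addresses and names.
! Method lists that use the second server group, applied only on the dedicated line.
aaa authentication login Radius1 group Radius1 local
aaa authorization exec Radius1 group Radius1 local
!
ip access-list standard BACKUP-HOST
 permit host 192.0.2.50
ip access-list standard ADMIN-HOSTS
 deny   host 192.0.2.50
 permit 198.51.100.0 0.0.0.255
!
! Map SSH on TCP 2001 to rotary group 1 (Telnet on rotary 1 is TCP 3001).
ip ssh port 2001 rotary 1
!
! Normal lines: admin hosts only, default (AD) method lists, SSH only.
line vty 0 4
 access-class ADMIN-HOSTS in
 exec-timeout 10 0
 transport input ssh
!
! Dedicated backup line: reachable only from the backup host and only via the
! rotary port, authenticated by the second group. Level 7 is the line default
! for a reply that carries no priv-lvl attribute; a returned priv-lvl still wins.
line vty 5
 rotary 1
 access-class BACKUP-HOST in
 login authentication Radius1
 authorization exec Radius1
 privilege level 7
 exec-timeout 5 0
 transport input ssh
!
line vty 6 15
 access-class ADMIN-HOSTS in
 exec-timeout 10 0
 transport input ssh
```

To verify: from the backup host, `ssh -p 2001 backupuser@<switch>` should succeed and `show privilege` should report 7; the same host on port 22 and an admin workstation on port 2001 should both be refused by the access-class before any login prompt. Note that this only changes which line and method list a connection gets; it does not lower a level the RADIUS server explicitly returns, so the Radius1 policy must still not hand that account shell:priv-lvl=15. The posted config's `exec-timeout 0 0` disables the idle timeout entirely, which is why the example sets a finite value.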