The Cisco Radius dilemma

Hello,

I've run into a dilemma when trying to authenticate users against a RADIUS backend (FreeRADIUS) while granting a privilege level < 15. The devices are ASA appliances as well as IOS routers and switches. It seems that these device families do not play well together when using the same RADIUS backend.

Finally, it comes down to the fact that the ASA seems to need a RADIUS service type of "Administrative-User" in order to allow the "enable" command at all. With that service type given, I can successfully assign a privilege level using the attribute "ASA-Privilege-Level". So far so good.

The problem now arises when an IOS device uses the same RADIUS config. Seeing the service type of "Administrative-User", the device always assigns a privilege level of 15 and seems to ignore what we pass over in the Cisco-AVPair (shell:priv-lvl). Getting IOS devices to work requires changing the service type to e.g. NAS-Prompt, which then works well with IOS but does not allow the user to use the "enable" command on the ASA.

Probably I am missing something obvious and hopefully one of you guys can enlighten me.

Thanks a lot,

Heri
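One way to hand each device family its own reply attributes from a single FreeRADIUS backend, as an added configuration example that is not part of the post above: the preprocess module classifies the NAS into a huntgroup, and each users entry matches one huntgroup. It assumes FreeRADIUS 3.x with the stock Cisco and Cisco ASA dictionaries loaded, constructed NAS addresses (192.0.2.10 for the ASA, 192.0.2.20 for IOS) and a placeholder password.

```text
# /etc/raddb/huntgroups  (constructed NAS addresses; preprocess sets Huntgroup-Name)
asa     NAS-IP-Address == 192.0.2.10
ios     NAS-IP-Address == 192.0.2.20

# /etc/raddb/users
# ASA entry: the ASA refuses "enable" unless Service-Type is Administrative-User,
# and takes the privilege level from its vendor attribute.
heri    Cleartext-Password := "changeme-placeholder", Huntgroup-Name == "asa"
        Service-Type = Administrative-User,
        ASA-Privilege-Level = 7

# IOS entry: Administrative-User would force level 15 and override shell:priv-lvl,
# so send NAS-Prompt-User and carry the level in Cisco-AVPair instead.
heri    Cleartext-Password := "changeme-placeholder", Huntgroup-Name == "ios"
        Service-Type = NAS-Prompt-User,
        Cisco-AVPair = "shell:priv-lvl=7"
```

Run `radiusd -X` and send test requests with `radtest`, passing the NAS address as its last argument, to confirm which entry each device family matches; in production the password would come from the real credential store rather than a cleartext entry in the users file.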
