
AAA Authorization Question


JohnPtrs

MIS
Jun 13, 2006
I am in the process of trying to get my Cisco IOS devices to authenticate to a RADIUS Server on my network and it is working, however I want to have two groups that can log in at different privilege levels... Is there a AAA Authorization command I can use on the IOS devices to set the users to their appropriate privilege level? I have a MS IAS server doing RADIUS and the users will be in two different Active Directory groups...

Here is the RADIUS setup I'm using->

conf t
aaa new-model

radius-server host 10.18.0.49 auth-port 1812 acct-port 1813 key C15K0!

aaa group server radius RadiusServers
server 10.18.0.49 auth-port 1812 acct-port 1813
exit

aaa authentication login default group RadiusServers local
exit

Thanks,

JP
 
I believe one requires TACACS+ to do different privilege levels. Radius will not work.
 
This should be possible with RADIUS by using Network Access Profiles:
This took me forever to figure out back when I first implemented. That's because RADIUS is "open" and TACACS is "commercial". Of course it's going to be much easier to implement TACACS, it's the same reason people choose Windows over Linux.

There is an attribute in IAS called "cisco-AV-Pair", what you do is you set up policies to forward requests based on username, group membership etc., to a particular policy when connecting to IAS. I believe what you define is: "shell:priv-lvl=15", which in turn gets passed back to the router doing the AAA and authorizes you at privilege level 15 (enable mode).

It's been a while for me since setting this up, but let me know if you get stuck, I'll try to help you out.
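The "shell:priv-lvl=15" string travels from IAS to the router inside a RADIUS Vendor-Specific attribute (type 26, Cisco vendor id 9, sub-type 1, the cisco-avpair). The Python below is an added example, not code from this thread or from Cisco or Microsoft: it builds an Access-Accept the way the server does, then parses it the way the NAS does, checking the Response Authenticator (MD5 over the packet and the shared secret, per RFC 2865) before trusting the privilege level. The shared secret and Request Authenticator are constructed values for the example.

```python
import hashlib
import hmac
import struct

# Constructed for this example: the shared secret from the radius-server line
# and the 16-byte Request Authenticator the NAS sent in its Access-Request.
SHARED_SECRET = b"example-secret"
REQUEST_AUTHENTICATOR = bytes(range(16))

ACCESS_ACCEPT = 2
ATTR_SERVICE_TYPE = 6
ATTR_VENDOR_SPECIFIC = 26
SERVICE_TYPE_LOGIN = 1      # IAS profile "Service-Type = Login"
VENDOR_CISCO = 9            # IANA enterprise number for Cisco
CISCO_AVPAIR = 1            # sub-type of the cisco-avpair VSA


def attr(typ, value):
    """Encode one RADIUS attribute as Type(1) Length(1) Value."""
    return bytes([typ, 2 + len(value)]) + value


def cisco_avpair(text):
    """Encode a Vendor-Specific attribute carrying one cisco-avpair string."""
    sub = bytes([CISCO_AVPAIR, 2 + len(text)]) + text.encode()
    return attr(ATTR_VENDOR_SPECIFIC, struct.pack("!I", VENDOR_CISCO) + sub)


def build_access_accept(identifier, request_auth, secret, priv_lvl):
    """What IAS sends back for a user matched by the 'Cisco Level N' policy."""
    attrs = attr(ATTR_SERVICE_TYPE, struct.pack("!I", SERVICE_TYPE_LOGIN))
    attrs += cisco_avpair(f"shell:priv-lvl={priv_lvl}")
    header = struct.pack("!BBH", ACCESS_ACCEPT, identifier, 20 + len(attrs))
    # RFC 2865 3: ResponseAuth = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)
    resp_auth = hashlib.md5(header + request_auth + attrs + secret).digest()
    return header + resp_auth + attrs


def parse_priv_lvl(packet, request_auth, secret):
    """Return the priv-lvl a NAS would apply, or None if the reply is not trustworthy.

    The authenticator is checked first: a reply with a bad Response Authenticator
    (wrong secret, modified attributes) must be dropped, not partially honoured.
    """
    if len(packet) < 20:
        return None
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCESS_ACCEPT or length != len(packet):
        return None
    resp_auth, attrs = packet[4:20], packet[20:length]
    expected = hashlib.md5(packet[:4] + request_auth + attrs + secret).digest()
    if not hmac.compare_digest(resp_auth, expected):
        return None
    priv = None
    pos = 0
    while pos + 2 <= len(attrs):
        typ, ln = attrs[pos], attrs[pos + 1]
        if ln < 2 or pos + ln > len(attrs):
            return None                      # malformed attribute length
        val = attrs[pos + 2:pos + ln]
        pos += ln
        if typ != ATTR_VENDOR_SPECIFIC or len(val) < 6:
            continue
        if struct.unpack("!I", val[:4])[0] != VENDOR_CISCO:
            continue                         # some other vendor's VSA
        sp = 4                               # walk the Cisco sub-attributes
        while sp + 2 <= len(val):
            st, sl = val[sp], val[sp + 1]
            if sl < 2 or sp + sl > len(val):
                return None
            text = val[sp + 2:sp + sl].decode(errors="replace")
            sp += sl
            if st == CISCO_AVPAIR and text.startswith("shell:priv-lvl="):
                priv = int(text.split("=", 1)[1])
    return priv


if __name__ == "__main__":
    reply = build_access_accept(7, REQUEST_AUTHENTICATOR, SHARED_SECRET, 15)
    print(reply.hex())
    print("priv-lvl:", parse_priv_lvl(reply, REQUEST_AUTHENTICATOR, SHARED_SECRET))
```

Two things to note from the parser: the router only ever sees this attribute if it sends an authorization request in the first place (that is the `aaa authorization exec` piece discussed later in the thread), and the only integrity protection on the reply is an MD5 keyed with the shared secret, so that secret is what stands between a user and a forged priv-lvl=15 reply; it deserves the same care as an enable secret.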
 
Hey, thanks for the article I'll make a run at it...

JP
 
OK, on my IAS (RADIUS) server I have it set up with the Cisco-AV-Pair and the "shell:priv-lvl=15" attribute set... Don't I need to have a AAA Authorization command on the IOS device to tell it to look to RADIUS for the Authorization? If so, do you know what the syntax would be for that?? Thanks!

JP
 
Well so far I have put in the following config, however it still just logs me in to the carrot prompt and not to enabled mode... when I do a show aaa servers command it doesn't look like it's making any authorization requests as per the counters...

aaa new-model
aaa authentication password-prompt Password:
aaa authentication username-prompt Username:
aaa authentication login default group radius local
aaa authentication ppp default group radius local
aaa authorization network users group radius
 
On the RADIUS side, did you define a group and associate it with that Profile that's doing the priv-level=?? I'll have to get this up and running real quick on a switch. I seem to remember that the prompt doesn't change. Try doing a show privilege to see where you're at.
 
Basically I have an Active Directory group called Cisco15 and a Remote Access Policy on the IAS box that says for users of that group give them this attribute "shell:priv-lvl=15" after getting this working I was planning to create a separate group and policy for level 1...

I did a show privilege command and it did say level 1 unfortunately... and when I do that show aaa servers command my Author: Requests is still at 0... It doesn't seem like it's trying to request authorization info...

Thanks,

JP
 
So you're using the AD credentials, and it's accepting them? or at least it appears to be? Is there anything in your IAS logs on the server? I think they're under program files\ias or something like that.

I'll get this set up on a device tomorrow and see if I can duplicate your problem.
 
Yes it appears to be... I logon with my Win AD username and password...I used a combo of these two articles to set it up...



The below information is put into the System Event Log-
Event Type: Information
Event Source: IAS
Event Category: None
Event ID: 1
Date: 3/12/2007
Time: 1:24:28 PM
User: N/A
Computer: SHAPPS01
Description:
User petersjo was granted access.
Fully-Qualified-User-Name = SILVHOSPNET.ORG/Silverton Hospital/Information Services/John Peters
NAS-IP-Address = 10.18.11.46
NAS-Identifier = <not present>
Client-Friendly-Name = IS Bldg Switch
Client-IP-Address = 10.18.11.46
Calling-Station-Identifier = 10.18.22.126
NAS-Port-Type = Virtual
NAS-Port = 2
Proxy-Policy-Name = Use Windows authentication for all users
Authentication-Provider = Windows
Authentication-Server = <undetermined>
Policy-Name = Cisco Level 15
Authentication-Type = PAP
EAP-Type = <undetermined>

For more information, see Help and Support Center at Data:
0000: 00 00 00 00 ....
 
Well I got it working now... MS IAS is doing RADIUS auth for IOS devices and assigning privilege levels at login as per the remote access policies in IAS which are based on two AD groups... I like it!!!

JP
 
Ah, cool. Glad you got it working. I was just getting my setup going and saw that you figured it out. Good stuff, eh? Cuts down on time, and also allows you to let other people get into devices with minimal privileges.
 
I am also trying to set this up for a lab of mine.

I am able to login to the router/switch fine with my AD username and password, but I am not able to get to the different privilege levels.


I have two groups configured. level 1 and 15. I used the tutorial posted here:


I configured exactly step by step what was listed here.

my router config looks like this:

aaa new-model
!
!
aaa group server radius RadiusServer
server 10.0.0.1 auth-port 1812 acct-port 1813
!
aaa authentication password-prompt Password:
aaa authentication username-prompt Username:
aaa authentication login default group radius local
aaa authentication ppp default group radius local
aaa authorization network users group radius
aaa accounting network default start-stop group radius
aaa session-id common

radius-server host 10.0.0.1 auth-port 1812 acct-port 1813 key *****

The Remote Access Policies are created, the Windows-Group is specified, under "edit profile" , click on the advanced tab, the Service-Type is login and the Vendor-Specific is set to Radius Standard and the "shell:priv-lvl=15" attributes are set.

When I created the AD groups, I added the users I wanted to have permission. I noticed at first they could not login, I went under the User properties and selected the "Dial In" tab, then check marked "Allow Access", this allowed my devices to login to the router.

I was thinking well what if I selected "Use remote access policy" instead, but every time I click APPLY, then OK after selecting, it takes the setting back to Deny Access.

So is there anything I am missing? I cannot figure out why it won't grant privilege level 15 to my account even though it's set.

Thanks!
 
I am able to login to the router/switch fine with my AD username and password, but I am not able to get to the different privilege levels.

Did you enable AAA Authorization for exec? You need that to get the IOS device to use the Cisco-AV Pair Radius attribute it receives from the server (shell:priv-lvl=15):

aaa authorization exec default group Radius-Server if-authenticated

HTH

Andy
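Both posters in this thread hit the same two problems: the `aaa authorization exec` line was missing, so the router never asked RADIUS for the priv-lvl, and the server group name in a method list did not match the group actually defined (`Radius-Server` in the suggested line versus `RadiusServer` in the posted config). The Python below is an added check, not code from the thread or from Cisco: it lints an IOS AAA config for those two conditions. The first config is the one posted above with the `!` separators dropped; the fixed variant and the `Radius-Server` variant are constructed for the example.

```python
import re

# The configuration posted earlier in the thread (comment lines removed).
# It authenticates logins but never sends an exec authorization request.
POSTED_CONFIG = """\
aaa new-model
aaa group server radius RadiusServer
 server 10.0.0.1 auth-port 1812 acct-port 1813
aaa authentication password-prompt Password:
aaa authentication username-prompt Username:
aaa authentication login default group radius local
aaa authentication ppp default group radius local
aaa authorization network users group radius
aaa accounting network default start-stop group radius
aaa session-id common
radius-server host 10.0.0.1 auth-port 1812 acct-port 1813 key *****
"""

# Constructed fix: exec authorization that points at the group the config defines.
FIXED_CONFIG = POSTED_CONFIG + (
    "aaa authorization exec default group RadiusServer if-authenticated\n"
)

# Constructed mistake: the same line naming a group that is not defined.
MISMATCHED_CONFIG = POSTED_CONFIG + (
    "aaa authorization exec default group Radius-Server if-authenticated\n"
)

# Commands that must be present for RADIUS to control the exec privilege level.
REQUIRED_PREFIXES = (
    "aaa new-model",
    "aaa authentication login default",
    "aaa authorization exec default",
)

# Method keywords that are built in and never refer to a named server group.
BUILTIN_GROUPS = {"radius", "tacacs+"}


def lint_aaa(config):
    """Return a list of findings (empty when the config passes)."""
    lines = [line.strip() for line in config.splitlines() if line.strip()]
    findings = []

    for prefix in REQUIRED_PREFIXES:
        if not any(line.startswith(prefix) for line in lines):
            findings.append(f"missing: {prefix}")

    # Named server groups this config actually defines.
    defined = set()
    for line in lines:
        m = re.match(r"aaa group server (?:radius|tacacs\+) (\S+)$", line)
        if m:
            defined.add(m.group(1))

    # Every 'group <name>' in a method list must be a builtin or a defined group;
    # an undefined group silently falls through to the next method (e.g. local).
    for line in lines:
        if not line.startswith(("aaa authentication", "aaa authorization", "aaa accounting")):
            continue
        for name in re.findall(r"\bgroup (\S+)", line):
            if name not in BUILTIN_GROUPS and name not in defined:
                findings.append(f"undefined server group '{name}' in: {line}")

    return findings


if __name__ == "__main__":
    for label, cfg in (("posted", POSTED_CONFIG), ("fixed", FIXED_CONFIG),
                       ("mismatched", MISMATCHED_CONFIG)):
        print(label, "->", lint_aaa(cfg) or "OK")
```

The `if-authenticated` keyword at the end of the exec line deserves a moment's thought when hardening: it lets an already-authenticated user into exec if the RADIUS server cannot be reached, which keeps you from being locked out but also means a server outage degrades to whatever privilege the local fallback gives.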
 
I am guessing also you could create custom access level policies? For access levels between 2-14.

The policies would be configured on the cisco device I would assume.

Fun Stuff!
 
Hello Everybody,

First of all thanks for this thread. It was an excellent resource for me. I have been able to implement an MS IAS (integrated into AD) as RADIUS for my Cisco devices.

I created two AD groups: One for Level 1 and one for Level 15 (enable) access. If I login as a member of the Level15 group then I get right into enable mode on my Cisco device (NAME#). If I login as a member of my Level 1 group then I am logged in with no special rights (NAME>). However it is possible for a member of the Level 1 group to use the ENABLE command to elevate the rights to Level 15 once logged into the Cisco device.

Now here is my question: Since the Cisco device is always querying the RADIUS even for the statement of ENABLE, is it possible to restrict a Level 1 member to only stay at Level 1? I would like to prevent such a user from using the ENABLE statement to gain more rights? I would like to look at Level 1 as a READ-ONLY group that can maybe do a SHOW RUN but that would be it.

Is such a thing possible?

Thank you.
 
When using Radius for the enable secret/password Cisco IOS devices attempt to authenticate the username '$enab15$'. Simply not creating this account in AD will achieve the result you want, but make sure you are using Radius for enable:

aaa authentication enable default group Radius-Server enable

You could also create the account but don't tell anyone the password....

HTH

Andy
 