
Radius authorization


ac1dh3ad

Technical User
Oct 22, 2008
25
RU
Hi,
I have managed to set up IAS and the switch to authenticate and authorize users for user OR exec mode. Now I wonder if it is possible to authorize users and grant privilege according to the user's group membership. Suppose two AD groups, one for read-only access and the other for read-write access. As I understand, it has something to do with Vendor Specific Attributes, but I am not sure. Any advice, examples, links?
Finally, I have found the solution.
In short, you will need to define two policies in IAS, one for each AD group, to match the desired group name, set unencrypted authentication, edit the Service-Type attribute to Login, remove the Framed-Protocol attribute, and add the cisco-av-pair attribute with the text "shell:priv-lvl=15" for one policy and with the text "shell:priv-lvl=7" for the other.
On the switch you will need to configure the following:

! Enable the AAA subsystem
aaa new-model
! Login authentication via RADIUS, falling back to the local user database if RADIUS is unreachable
aaa authentication login default group radius local
! Enable-mode authentication via RADIUS; "none" means no further check if RADIUS does not answer
aaa authentication enable default group radius none
! Exec authorization from RADIUS (the cisco-av-pair shell:priv-lvl sets the privilege level)
aaa authorization exec default group radius if-authenticated
! Authorize level-15 commands through RADIUS; the IOS keyword is "commands", not "command"
aaa authorization commands 15 default group radius if-authenticated
! RADIUS server address and shared secret (the values here are the poster's placeholders)
radius-server host 1.1.1.1
radius-server key p4ssw0rd

Hope it helps somebody.
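To make the mechanism behind the two IAS policies concrete, here is an added example (not code from the Tek-Tips post or from Cisco/Microsoft) that builds a RADIUS Access-Accept carrying the Cisco cisco-av-pair vendor-specific attribute with `shell:priv-lvl=N`, maps AD group membership to a privilege level the way the two policies do, and verifies the reply's Response Authenticator with the shared secret so a forged or tampered Access-Accept is rejected. The group names, shared secret and request authenticator are constructed sample values; the attribute numbers and the authenticator formula follow RFC 2865.

```python
"""RADIUS Access-Accept with a Cisco cisco-av-pair VSA, plus reply validation.

Added example, not the original post's code. Group names, secret and the
request authenticator are constructed sample values.
"""
import hashlib
import hmac
import struct

CISCO_VENDOR_ID = 9          # IANA enterprise number used in RFC 2865 Vendor-Specific
CISCO_AVPAIR_TYPE = 1        # cisco-av-pair sub-attribute inside the VSA
ATTR_SERVICE_TYPE = 6        # Service-Type; the post sets it to Login
ATTR_VENDOR_SPECIFIC = 26
SERVICE_TYPE_LOGIN = 1
CODE_ACCESS_ACCEPT = 2

# Hypothetical AD group -> privilege level mapping, mirroring the two IAS policies.
GROUP_PRIV_LEVEL = {
    "NetAdmins-RW": 15,   # read-write policy
    "NetOps-RO": 7,       # read-only policy
}


def priv_level_for_groups(groups):
    """Return the highest privilege level any of the user's groups grants, or None."""
    levels = [GROUP_PRIV_LEVEL[g] for g in groups if g in GROUP_PRIV_LEVEL]
    return max(levels) if levels else None


def attr(atype, value):
    """Encode one RADIUS attribute as Type, Length (including header), Value."""
    return struct.pack("!BB", atype, 2 + len(value)) + value


def cisco_avpair(text):
    """Encode Vendor-Specific(26) -> Vendor-Id 9 -> cisco-av-pair(1) = text."""
    sub = struct.pack("!BB", CISCO_AVPAIR_TYPE, 2 + len(text)) + text.encode()
    return attr(ATTR_VENDOR_SPECIFIC, struct.pack("!I", CISCO_VENDOR_ID) + sub)


def build_access_accept(ident, request_auth, secret, priv_level):
    """Build an Access-Accept; Response Authenticator per RFC 2865 section 3."""
    attrs = attr(ATTR_SERVICE_TYPE, struct.pack("!I", SERVICE_TYPE_LOGIN))
    attrs += cisco_avpair(f"shell:priv-lvl={priv_level}")
    header = struct.pack("!BBH", CODE_ACCESS_ACCEPT, ident, 20 + len(attrs))
    # MD5(Code + ID + Length + RequestAuth + Attributes + Secret)
    resp_auth = hashlib.md5(header + request_auth + attrs + secret).digest()
    return header + resp_auth + attrs


def verify_response_authenticator(packet, request_auth, secret):
    """True only if the reply was produced with the shared secret and not modified."""
    if len(packet) < 20:
        return False
    _code, _ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        return False
    expected = hashlib.md5(packet[:4] + request_auth + packet[20:] + secret).digest()
    return hmac.compare_digest(expected, packet[4:20])


def parse_priv_level(packet):
    """Walk the attributes and return the shell:priv-lvl value, or None if absent."""
    pos = 20
    while pos + 2 <= len(packet):
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > len(packet):
            return None  # malformed length; refuse rather than guess
        body = packet[pos + 2:pos + alen]
        if (atype == ATTR_VENDOR_SPECIFIC and len(body) >= 6
                and struct.unpack("!I", body[:4])[0] == CISCO_VENDOR_ID):
            sub = body[4:]
            while len(sub) >= 2:
                stype, slen = sub[0], sub[1]
                if slen < 2 or slen > len(sub):
                    break
                if stype == CISCO_AVPAIR_TYPE:
                    text = sub[2:slen].decode(errors="replace")
                    if text.startswith("shell:priv-lvl="):
                        try:
                            return int(text.split("=", 1)[1])
                        except ValueError:
                            return None
                sub = sub[slen:]
        pos += alen
    return None


if __name__ == "__main__":
    secret = b"constructed-shared-secret"
    req_auth = bytes(range(16))  # constructed 16-byte Request Authenticator
    level = priv_level_for_groups(["Domain Users", "NetOps-RO"])
    reply = build_access_accept(0x42, req_auth, secret, level)
    print("valid:", verify_response_authenticator(reply, req_auth, secret),
          "priv-lvl:", parse_priv_level(reply))
```

The `if-authenticated` keyword in the switch configuration only controls what happens when the RADIUS server cannot be reached; it is the shared secret and the Response Authenticator check above that let the switch trust the privilege level a reply carries, which is why a weak or widely shared `radius-server key` undermines the whole group-based scheme.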