psychogenic
Posted: Tue Apr 25, 2006 3:12 pm Post subject: secure acs: tacacs+ and radius together |
Has anyone successfully implemented Secure ACS using both RADIUS and
TACACS+ without the need to have two different servers? I'm planning
to roll out dot1x (which requires authentication to be done via RADIUS),
but I also want command authorization from TACACS+, which I can't seem
to emulate with RADIUS.
Thanks.
psychogenic
Posted: Tue Apr 25, 2006 4:50 pm Post subject: Re: secure acs: tacacs+ and radius together |
Hi Mark,
Thanks. Yes, I saw that with radius. However, I didn't know you can
fine tune it. Is this done on the local switch itself?
Mark Williams wrote:
> It may not be exactly what you are looking for, but you can do
> privilege level authorization with RADIUS.
>
>   aaa new-model
>   aaa authentication login myradius group radius local
>   aaa authorization exec my-authradius group radius if-authenticated
>   radius-server host w.x.y.z auth-port 1645 acct-port 1646 non-standard
>   line vty 0 4
>    password 7 23459287234
>    authorization exec my-authradius
>    login authentication myradius
>
> In your RADIUS config, define return list attributes that set a user's
> privilege level:
>
>   Service-Type: NAS-Prompt
>   Cisco-AVPAIR: shell:priv-lvl=15
>
> If a user logs in via telnet, they will automatically be put into
> privilege level 15 (enable mode). You can set the priv level for
> individual users or groups of users. Then you can tune the privilege
> level required for certain commands using the privilege command.
Mark Williams
Posted: Tue Apr 25, 2006 4:50 pm Post subject: Re: secure acs: tacacs+ and radius together |
It may not be exactly what you are looking for, but you can do
privilege level authorization with RADIUS.

  aaa new-model
  aaa authentication login myradius group radius local
  aaa authorization exec my-authradius group radius if-authenticated
  radius-server host w.x.y.z auth-port 1645 acct-port 1646 non-standard
  line vty 0 4
   password 7 23459287234
   authorization exec my-authradius
   login authentication myradius

In your RADIUS config, define return list attributes that set a user's
privilege level:

  Service-Type: NAS-Prompt
  Cisco-AVPAIR: shell:priv-lvl=15

If a user logs in via telnet, they will automatically be put into
privilege level 15 (enable mode). You can set the priv level for
individual users or groups of users. Then you can tune the privilege
level required for certain commands using the privilege command.
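Added example, not code from the thread and not Cisco's or ACS's implementation: the two return attributes Mark lists (Service-Type = NAS-Prompt-User, and the Cisco vendor-specific attribute cisco-avpair carrying "shell:priv-lvl=15") shown at the RADIUS wire level, as the switch receives them in an Access-Accept (RFC 2865 attribute encoding and Response Authenticator). The shared secret, Request Authenticator and packet identifier are constructed for the example; there is no network I/O. The parser checks the length field, validates the Response Authenticator with the shared secret before trusting any attribute (a switch that skipped this would accept a forged priv-lvl=15 from anyone who can spoof the server's address), and then pulls the privilege level out of the VSA.

```python
"""Build and parse a RADIUS Access-Accept that grants an IOS exec
privilege level via Service-Type and the Cisco cisco-avpair VSA.

Wire formats are from RFC 2865; the Cisco vendor id (9) and the
cisco-avpair vendor type (1) are the values ACS and FreeRADIUS use.
All packet material here is constructed for the example.
"""
import hashlib
import hmac
import os
import struct
from typing import List, Optional, Tuple

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_SERVICE_TYPE = 6        # RFC 2865 5.6, 4-byte integer
ATTR_VENDOR_SPECIFIC = 26    # RFC 2865 5.26
SERVICE_NAS_PROMPT = 7       # NAS-Prompt-User: shell prompt, no other service
VENDOR_CISCO = 9
CISCO_AVPAIR = 1             # vendor type of the "cisco-avpair" string


def attr(atype: int, value: bytes) -> bytes:
    """Type (1) + Length (1, includes header) + Value; max value 253 bytes."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", atype, len(value) + 2) + value


def cisco_avpair(text: str) -> bytes:
    """Wrap one cisco-avpair string in a Vendor-Specific attribute."""
    v = text.encode("ascii")
    sub = struct.pack("!BB", CISCO_AVPAIR, len(v) + 2) + v
    return attr(ATTR_VENDOR_SPECIFIC, struct.pack("!I", VENDOR_CISCO) + sub)


def build_access_accept(ident: int, request_auth: bytes, secret: bytes,
                        priv_lvl: int) -> bytes:
    """Server side: Access-Accept with the two attributes from the thread."""
    attrs = attr(ATTR_SERVICE_TYPE, struct.pack("!I", SERVICE_NAS_PROMPT))
    attrs += cisco_avpair(f"shell:priv-lvl={priv_lvl}")
    header = struct.pack("!BBH", ACCESS_ACCEPT, ident, 20 + len(attrs))
    # Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attributes+Secret)
    resp_auth = hashlib.md5(header + request_auth + attrs + secret).digest()
    return header + resp_auth + attrs


def parse_attrs(raw: bytes) -> List[Tuple[int, bytes]]:
    """Walk the TLV list, refusing lengths that would run off the buffer."""
    out, i = [], 0
    while i < len(raw):
        if i + 2 > len(raw):
            raise ValueError("truncated attribute header")
        t, l = raw[i], raw[i + 1]
        if l < 2 or i + l > len(raw):
            raise ValueError("malformed attribute length")
        out.append((t, raw[i + 2:i + l]))
        i += l
    return out


def exec_priv_level(packet: bytes, request_auth: bytes,
                    secret: bytes) -> Optional[int]:
    """NAS side: verify the reply, return the granted priv level.

    None means the reply was not an Access-Accept (e.g. a reject).
    A verified accept without shell:priv-lvl yields 1, the IOS default
    for an exec session with no level attribute.
    """
    if len(packet) < 20:
        raise ValueError("packet shorter than RADIUS header")
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        raise ValueError("length field does not match packet")
    header, resp_auth, raw = packet[:4], packet[4:20], packet[20:]
    expected = hashlib.md5(header + request_auth + raw + secret).digest()
    if not hmac.compare_digest(expected, resp_auth):
        raise ValueError("bad Response Authenticator: wrong secret or forged")
    if code != ACCESS_ACCEPT:
        return None
    level = 1
    for t, value in parse_attrs(raw):
        if t != ATTR_VENDOR_SPECIFIC or len(value) < 6:
            continue
        if struct.unpack("!I", value[:4])[0] != VENDOR_CISCO:
            continue
        for vt, sub in parse_attrs(value[4:]):          # vendor sub-TLVs
            if vt == CISCO_AVPAIR and sub.startswith(b"shell:priv-lvl="):
                level = int(sub.split(b"=", 1)[1])
    return level


if __name__ == "__main__":
    secret = b"example-shared-secret"        # constructed, not a real key
    req_auth = os.urandom(16)                  # Request Authenticator from the NAS
    pkt = build_access_accept(ident=0x2a, request_auth=req_auth,
                              secret=secret, priv_lvl=15)
    print(len(pkt), "bytes, priv-lvl", exec_priv_level(pkt, req_auth, secret))
```

Two things this makes visible that the config lines alone do not. First, the privilege level rides in a vendor attribute, so the server has to send it under the exact vendor id and sub-type the switch expects (in the ACS dictionary it is [009\001] cisco-av-pair; in FreeRADIUS it is Cisco-AVPair); a typo there is silently ignored and the user lands at level 1. Second, everything the switch trusts here is a single level number handed over at login. RADIUS exec authorization fixes the starting level, and the per-command policy still has to exist on every switch as `privilege exec level` lines, which is the gap TACACS+ command authorization closes. Note also that `group radius if-authenticated` in the posted method list means that if the RADIUS server is unreachable and the user authenticated through the `local` fallback, exec authorization succeeds anyway.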
Mark Williams
Posted: Wed Apr 26, 2006 4:50 pm Post subject: Re: secure acs: tacacs+ and radius together |
Yes. You can fine-tune what privilege level is required for which
commands on a per-switch basis using the privilege command in global
config mode. For example, if you wanted to require privilege level 7
for the command who, use the following:

  privilege exec level 7 who
psychogenic
Posted: Thu Apr 27, 2006 2:50 pm Post subject: Re: secure acs: tacacs+ and radius together |
Mark Williams wrote:
> Yes. You can fine-tune what privilege level is required for which
> commands on a per-switch basis using the privilege command in global
> config mode. For example, if you wanted to require privilege level 7
> for the command who, use the following:
>
>   privilege exec level 7 who

Rats. That would suck, though, if I had to do this for 50 switches.