Cisco command authorization
Alan DeKok
aland at deployingradius.com
Fri Jan 4 18:33:14 CET 2008
Stefan Winter wrote:
...
> These two are the ONLY ones. Since it's just about parsing the string content
> of cisco-avpair at the router side, there is absolutely no technical reason
> why these two wouldn't go through. The only explanation then is that this is
> a deliberate step by Cisco to make sure that TACACS+ is "superior" to RADIUS
> by arbitrarily cutting down functionality. Probably the code in IOS is larger
> with an exception handling to make sure that it doesn't work.
Yes. It's exactly what Cisco wants.
> I must say: I'm pissed. But I hope I could at least clarify this topic.
>
> My next-best approach to circumvent this would be to define an intermediate
> privilege level that only has the permission to do the commands in question,
> and only assign the users in question to that lower priv-level. Scales
> poorly, but enough for us. Maybe that approach serves some others as well.
Or, use a TACACS+ to RADIUS gateway. Or, integrate TACACS+ support
into FreeRADIUS. If we had TCP as a transport layer, adding TACACS+
would be relatively easy. :)
Alan DeKok.
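The intermediate-privilege-level workaround from the quoted message, written out as an added example (this is not configuration from either poster, and FreeRADIUS itself ships nothing like it). It assumes an arbitrary level 7, an arbitrary pair of commands to expose at that level, a RADIUS server at 192.0.2.10 with shared secret "testing123", and a FreeRADIUS 2.x-style users file; adjust all of these to your own deployment.

```text
! ---- IOS side (hypothetical router config, added example) ----
! Send exec authorization to RADIUS so the reply can carry the
! privilege level; fall back to local auth if RADIUS is unreachable.
aaa new-model
aaa authentication login default group radius local
aaa authorization exec default group radius if-authenticated
radius-server host 192.0.2.10 key testing123
!
! Lower the chosen commands from level 15 to level 7. Users at
! level 7 (or above) may then run exactly these; everything else
! stays at level 15.
privilege exec level 7 show running-config
privilege exec level 7 clear counters

# ---- FreeRADIUS side (hypothetical users file entry, added example) ----
# NAS-Prompt-User lands the session in the exec shell, and
# shell:priv-lvl=7 drops the user straight into level 7 at login,
# so no enable password is needed for the permitted commands.
stefan  Cleartext-Password := "secret"
        Service-Type = NAS-Prompt-User,
        Cisco-AVPair = "shell:priv-lvl=7"
```

Two caveats when checking this on a router: IOS silently lowers the parent keyword as well (here `show` and `clear` become reachable at level 7, although only the listed subcommands gain anything), and every command you add at level 7 is gained by all level-7 users at once, which is the scaling problem the quoted message points out.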
More information about the Freeradius-Users mailing list