That's my AAA model

Wagner Pereira wpereira at pop-sp.rnp.br
Wed Dec 2 18:30:39 CET 2009


Alexander,

Thanks for cheering my model. It's updated now: http://twitpic.com/rumfq/full

Should I write these lines

DEFAULT NAS-Identifier == switch, LDAP-Group == netref
        Service-Type = NAS-Prompt-User, Cisco-AVPair = "shell:priv-lvl=15"

in clients.conf file?

By the way, this line

aaa authentication login default group radius local

that I have written in my Cisco IOS grants my login to it, I guess.

-- 

Wagner Pereira

PoP-SP/RNP - Ponto de Presença da RNP em São Paulo
CCE/USP - Centro de Computação Eletrônica da Universidade de São Paulo
http://www.pop-sp.rnp.br
Fone at RNP 1015-8902



Alexander Clouter escreveu:
> Wagner Pereira <wpereira at pop-sp.rnp.br> wrote:
>   
>> I hope that can help begginers to understand better how the AAA model 
>> works: http://twitpic.com/ru4za/full
>>
>> And how I implemented that in my case.
>>
>>     
> I only see authentication and accounting in there but no authorisation, 
> you need something like:
> ----
> DEFAULT NAS-Identifier == switch, LDAP-Group == netref
>         Service-Type = NAS-Prompt-User, Cisco-AVPair = "shell:priv-lvl=15"
> ----
>
> Also the 'top' arrow should probably not say 'SSH session' but 'RADIUS 
> traffic' or something.
>
> As a side note, I am pretty sure 'nastype' is deprecated. :)
>
> Now go show me why I use the following ;)
> ----
> aaa group server radius lanwarden
>  server 212.219.138.68 auth-port 1812 acct-port 1813
>  ip radius source-interface Loopback0
>
> aaa authentication dot1x default group lanwarden
> aaa authorization network default group lanwarden 
> aaa accounting dot1x default start-stop group lanwarden
> ----
>
> If you are putting some documentation together, make sure you emphasis 
> that there still need to be local accounts on the switch that are 
> consulted *first* as when the RADIUS are unreachable (network routing 
> issue for example) you will be unable to log into your switches:
> ----
> aaa authentication login ssh local group login
> aaa authorization exec default local group login 
> aaa authorization exec console none 
> aaa accounting exec default start-stop group login
> ----
>
> Good work never-the-less.
>
> Cheers
>
>   
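Added example (not code from either poster): a small audit script for the two points Alexander raises in the quoted reply, that the IOS method lists for login/exec should keep `local` ahead of the RADIUS group so the switch stays reachable when RADIUS is down, and that an `aaa authorization exec` list should exist next to the authentication and accounting ones. The running-config fragment, the group name `lanwarden` reused from the thread, and the server address 192.0.2.10 are constructed for the example.

```python
"""Audit Cisco IOS 'aaa' method lists against the advice in the thread.
Findings are returned as strings; an empty list means nothing was flagged.
Example code written for this thread, not FreeRADIUS or Cisco code."""
import re

# Constructed sample running-config fragment (not taken from any real switch).
SAMPLE_CONFIG = """\
aaa new-model
aaa group server radius lanwarden
 server 192.0.2.10 auth-port 1812 acct-port 1813
 ip radius source-interface Loopback0
aaa authentication login default group radius local
aaa authentication login ssh local group lanwarden
aaa authorization exec default local group lanwarden
aaa authorization exec console none
aaa accounting exec default start-stop group lanwarden
"""

# 'aaa <kind> <service> <list-name> <methods...>'; 'aaa group server ...' and
# 'aaa new-model' deliberately do not match.
AAA_RE = re.compile(
    r"^aaa (?P<kind>authentication|authorization|accounting)\s+"
    r"(?P<service>\S+)\s+(?P<list>\S+)\s+(?P<methods>.+)$"
)
ACCT_RECORD_TYPES = {"start-stop", "stop-only", "wait-start", "none"}


def parse_method_lists(config: str) -> dict:
    """Return {(kind, service, list_name): [method, ...]}.
    'group <name>' is folded into one token 'group:<name>'; the accounting
    record type (start-stop etc.) is dropped since it is not a method."""
    lists = {}
    for raw in config.splitlines():
        m = AAA_RE.match(raw.strip())
        if not m:
            continue
        toks = m.group("methods").split()
        if m.group("kind") == "accounting" and toks and toks[0] in ACCT_RECORD_TYPES:
            toks = toks[1:]
        methods, i = [], 0
        while i < len(toks):
            if toks[i] == "group" and i + 1 < len(toks):
                methods.append("group:" + toks[i + 1])
                i += 2
            else:
                methods.append(toks[i])
                i += 1
        lists[(m.group("kind"), m.group("service"), m.group("list"))] = methods
    return lists


def audit(config: str) -> list:
    """Flag login/exec method lists that reach RADIUS without a local account
    fallback listed first, and a config with no exec authorization list."""
    lists = parse_method_lists(config)
    findings = []
    for (kind, service, name), methods in lists.items():
        interactive = (kind == "authentication" and service == "login") or (
            kind == "authorization" and service == "exec"
        )
        if not interactive or "none" in methods:  # e.g. 'authorization exec console none'
            continue
        remote = [m for m in methods if m.startswith("group:")]
        if not remote:
            continue
        if "local" not in methods:
            findings.append(f"{kind} {service} {name}: no 'local' fallback method")
        elif methods.index("local") > methods.index(remote[0]):
            findings.append(
                f"{kind} {service} {name}: 'local' is listed after {remote[0]}; "
                "the thread recommends local accounts first"
            )
    if lists and not any(k == "authorization" and s == "exec" for k, s, _ in lists):
        findings.append("no 'aaa authorization exec' list: authentication and "
                        "accounting are configured but authorization is not")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print("FINDING:", finding)
```

Run it against a copy of `show running-config | include ^aaa`; on the sample above it flags only the `login default` list, which is the `group radius local` ordering from the message.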