FreeRadius - Cisco - Different privileges levels based on source device sending the Access-Request.
ldumont at northernsysadmin.com
Fri Jun 15 02:01:13 CEST 2018
We are currently experimenting with Radius and are looking to find a way
to change the privilege levels when logging into a certain class of
devices (and only these ones). Right now, we have the following setup.
1. User attempts to log into a Cisco RADIUS-enabled device.
2. Device starts the auth process with an Access-Request.
3. Freeradius checks the LDAP/FreeIPA backend and sends the reply with
the VSA "cisco-avpair" for the correct privilege level based on
LDAP group membership.
This works great but I'm looking for a way to change the returned
privilege level based on the source device.
Is there a way that the Access-Request can send additional attributes
like hostnames, IOS versions or anything specific to the end device
where the auth attempt starts?
There are ways that the privilege level can match different permissions
but those changes mean that each device will need to have the correct
local configuration and I'd rather manage everything centrally, ideally.