FreeRadius - Cisco - Different privileges levels based on source device sending the Access-Request.

Laurent Dumont ldumont at
Fri Jun 15 02:01:13 CEST 2018

Hi everyone.

We are currently experimenting with RADIUS and are looking to find a way 
to change the privilege levels when logging into a certain class of 
devices (and only these ones). Right now, we have the following setup.

 1. A user attempts to log into a Cisco RADIUS-enabled device.
 2. The device starts the auth process with an Access-Request.
 3. FreeRADIUS checks the LDAP/FreeIPA backend and sends the reply with
    the VSA "cisco-avpair" for the correct privilege level based on
    LDAP group membership.

This works great but I'm looking for a way to change the returned 
privilege level based on the source device.

Is there a way that the Access-Request can send additional attributes 
like hostnames, IOS versions or anything specific to the end device 
where the auth attempt starts?

There are ways that the privilege level can match different permissions, 
but those changes mean that each device will need to have the correct 
local configuration, and ideally I'd rather manage everything centrally.

Thank you!
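Editor's note, with an added example that is not part of the original post or a reply to it. An Access-Request carries no hostname or IOS version, but it does identify the sending device: the standard NAS-IP-Address attribute (and NAS-Identifier, if the device is configured to send it), plus the internal Packet-Src-IP-Address that FreeRADIUS derives from the UDP packet itself, which is the value clients.conf was matched on and cannot be set by the device. That is enough to key the returned privilege level on the device class without touching local device configuration. The following FreeRADIUS 3.x unlang fragment is a hypothetical "authorize" section for sites-enabled/default; the address ranges (192.0.2.0/24, 198.51.100.0/24), the LDAP group names (netadmins, helpdesk) and the use of Tmp-String-0 as a scratch attribute are all assumptions for the example. It relies on the 3.0.x "address within prefix" comparison, written with the `<` operator.

```unlang
# Added example, not from the original post or from the FreeRADIUS project.
# Goes in the "authorize" section of sites-enabled/default; "ldap" must run
# first so that LDAP-Group checks can be evaluated.
authorize {
    preprocess
    ldap

    # 1. Classify the requesting device by where the packet actually came from.
    #    Packet-Src-IP-Address is set by the server from the UDP source address,
    #    so a device cannot claim a different class by lying in NAS-IP-Address.
    #    The prefixes below are hypothetical.
    if (&Packet-Src-IP-Address < 192.0.2.0/24) {
        # hypothetical core-router range
        update request {
            &Tmp-String-0 := "core"
        }
    }
    elsif (&Packet-Src-IP-Address < 198.51.100.0/24) {
        # hypothetical access-switch range
        update request {
            &Tmp-String-0 := "access"
        }
    }
    else {
        update request {
            &Tmp-String-0 := "other"
        }
    }

    # 2. Combine LDAP group membership with the device class. Group names are
    #    hypothetical. Full privilege everywhere for network admins, full
    #    privilege on access switches only for the helpdesk group, user EXEC
    #    elsewhere, and an explicit reject for anyone in neither group so the
    #    device never falls back to a local default.
    if (&LDAP-Group == "netadmins") {
        update reply {
            &Cisco-AVPair := "shell:priv-lvl=15"
        }
    }
    elsif (&LDAP-Group == "helpdesk" && &Tmp-String-0 == "access") {
        update reply {
            &Cisco-AVPair := "shell:priv-lvl=15"
        }
    }
    elsif (&LDAP-Group == "helpdesk") {
        update reply {
            &Cisco-AVPair := "shell:priv-lvl=1"
        }
    }
    else {
        reject
    }
}
```

Two things worth checking when adopting this: the reply attribute only takes effect on IOS when EXEC authorization is pointed at RADIUS (`aaa authorization exec ... group radius`), and classifying by Packet-Src-IP-Address assumes each device class lives in its own address range, so a device moved between ranges silently changes class. If the classes do not map onto address ranges, the same structure works with a per-client value from clients.conf instead of the prefix comparisons.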
