FreeRadius - Cisco - Different privileges levels based on source device sending the Access-Request.

Coy Hile coy.hile at
Fri Jun 15 02:36:10 CEST 2018

> On Jun 14, 2018, at 8:01 PM, Laurent Dumont <ldumont at> wrote:
> Hi everyone.
> We are currently experimenting with Radius and are looking to find a way to change the privilege levels when logging into a certain class of devices(and only these ones). Right now, we have the following setup.
> 1. Users attempts to log into a Cisco radius enable device.
> 2. Device starts the auth process with an Access-Request.
> 3. Freeradius checks the LDAP/FreeIPA backend and sends the reply with
>   the VSA "“cisco-avpair" for the correct privilege level based on
>   LDAP group membership.

That’s exactly how I would implement it. Based on a tuple (user, Device) or (userGroup, DeviceGroup), the LDAP server knows based on group memberships which user group(s) the user is in. Same for the device.  Query on the backend from most privilege to least. Most specific (User, Device), then (User, Device Group), (UserGroup, device), and finally (UserGroup, DeviceGroup). First most-specific match wins.

You could ostensibly have an employee joe who is a network admin, so he gets cisco:shell-level=15 in each set of devices, but the last time he touched the core route reflectors, he broke the world, so you then define a privilege record (in LDAP) that specifically has (Joe, NoAccess).

Coy Hile
coy.hile at

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 488 bytes
Desc: Message signed with OpenPGP using GPGMail
URL: <>

More information about the Freeradius-Users mailing list