FreeRadius - Cisco - Different privileges levels based on source device sending the Access-Request.

Brian Julin BJulin at clarku.edu
Fri Jun 15 06:09:29 CEST 2018


Laurent Dumont <ldumont at northernsysadmin.com> wrote:
> Is there a way that the Access-Request can send additional attributes
> like hostnames, IOS versions or anything specific to the end device
> where the auth attempts starts?

There are various tweaks you can make that allow sending a few
extra attributes.  One is NAS-Identifier, and you can configure what it sends:

From the IOS docs:

radius-server attribute 32 include-in-access-req format cisco %h.%d %i
! The following string will be sent in attribute 32 (NAS-Identifier). 
"cisco router.nlab.cisco.com 10.0.1.67"

...this attribute is also VERY handy for logging purposes.

> There are ways that the privilege level can match different permissions
> but those changes mean that each device will need to have the correct
> local configuration and I'd rather manage everything centrally ideally.

Failing the NAS-Identifier, the NAS-Port attribute may have a different format
based on model.  However, since these are admin logins, rather than network
port access, the odds are low that you'd be able to use that without configuring
something special on the special devices to alter the format of that attribute, which
runs counter to your objective to keep your configs uniform to reduce your
template load.
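An added example, not from Brian's reply or from the FreeRADIUS project, of how the NAS-Identifier string produced by that IOS command can drive the privilege level centrally in FreeRADIUS 3.x unlang. The management domain nlab.cisco.com, the "lab-" hostname prefix and the priv-lvl values are assumptions; everything else is standard FreeRADIUS 3.x syntax and the Cisco dictionary's Cisco-AVPair.

```unlang
# Assumed policy for the post-auth section of raddb/sites-enabled/default.
# Devices send NAS-Identifier in the format "cisco %h.%d %i" from the IOS
# docs above, i.e. "cisco <hostname>.<domain> <ip>".
post-auth {
    # NAS-Identifier is chosen by the device, so it is only as trustworthy
    # as the clients.conf entry and shared secret that authenticated the
    # packet. Cross-check the embedded IP against the real packet source
    # before letting the string decide anything.
    if (&NAS-Identifier =~ /^cisco ([A-Za-z0-9-]+)\.nlab\.cisco\.com ([0-9.]+)$/) {
        if ("%{2}" != "%{Packet-Src-IP-Address}") {
            # Claimed address disagrees with the sender: record it and
            # fall back to the lowest privilege level.
            update request {
                &Module-Failure-Message += "NAS-Identifier IP mismatch"
            }
            update reply {
                &Cisco-AVPair := "shell:priv-lvl=1"
            }
        }
        # Assumed hostname prefix: "lab-" routers get full enable access.
        elsif ("%{1}" =~ /^lab-/) {
            update reply {
                &Cisco-AVPair := "shell:priv-lvl=15"
            }
        }
        # Every other known device in the domain: read-only shell.
        else {
            update reply {
                &Cisco-AVPair := "shell:priv-lvl=1"
            }
        }
    }
    # Missing or unrecognised NAS-Identifier: never grant elevated access
    # by default.
    else {
        update reply {
            &Cisco-AVPair := "shell:priv-lvl=1"
        }
    }
}
```

Because the policy keys on the device rather than on local IOS configuration, the only per-device setting required is the single radius-server attribute 32 line quoted above.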

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
