Ignore this. I just figured out I don’t need it.
I didn’t realise that Cisco-AVPair = "shell:priv-lvl=15" wasn’t actually working on login for me because I didn’t have …
Aaa authorization console
In my switch config and I was testing everything from console. Now, ldap users login as privilege level 15, straight in enable mode.
Regards,
Les
From: freeradius-users-bounces+less=imagine-sw.com@lists.freeradius.org
[mailto:freeradius-users-bounces+less=imagine-sw.com@lists.freeradius.org] On Behalf Of
Les Stott
Sent: Tuesday, 10 December 2013 12:36 PM
To: freeradius-users@lists.freeradius.org
Subject: cisco device enable authentication via radius/ldap
Hi,
I have a Freeradius Server in front of a FreeIPA backend configured to do LDAP Authentication via group. This works fine. I can login to my cisco switch as an ordinary user (who belongs to an ldap group cisco_admins) in user exec mode.
Users in this group are assigned privilege level 15.
/etc/raddb/users
DEFAULT Ldap-Group == "cn=cisco_admins,cn=groups,cn=accounts,dc=mydomain,dc=com"
Reply-Message="You have been authenticated",
Auth-Type := System,
Service-Type = "NAS-Prompt-User",
Cisco-AVPair = "shell:priv-lvl=15",
Fall-Through = No
I figured out that I’d need to rewrite $enab15$ to have enable passwords authenticated via ldap also. This is working fine too.
/etc/raddb/modules/attr_rewrite
# Rewrite Usernames for enable mode on Cisco
attr_rewrite rewriteenablemodeuser {
attribute = User-Name
searchin = packet
searchfor = ".enab15."
replacewith = "admin"
append = no
However this means that, for this configuration, I need to use the “admin” user password in ldap to enter enable mode.
While I can authenticate as admin to access enable mode I was hoping for a way to be able to authenticate via an ordinary user for enable mode. i.e. normal user uses the same password for user mode and enable mode.
Is there a way that the attr_rewrite can be something like…
Repalcewith = “current_id_of_user”
Or is there another way?
Thanks,
Les