Matthew Ceroni wrote:
Right now I have a solution for the case where one set of switches use the Radius server for 802.1x and another set of switches just use the radius server for authentication. For this I used huntgroups and added the following section to my users file:
DEFAULT LDAP-GROUP == "IT.Americas_sec", Huntgroup-Name = switchAuth Service-Type = Administrative-User, cisco-avpair = "shell:priv-lvl=15",
Which gives people admin access if (1) they're in the LDAP-Group, and (b) if they're in the Hutgroup. Note that it doesn't check if they *asked* for admin access!
That allows only people in the IT.Americas_sec to authenticate on the switch (and sets their privilege level to 15).
The huntgroup specifies the IP addresses of the switches that use the radius server for authentication.
Yes.
But this solution won't work when a switch does both 802.1x and uses the radius server for authentication.
What is the best way to accomplish this?
Add an additional check. Add a check for the Service-Type in the first line, too. DEFAULT Service-Type == Administrastive-User, LDAP-GROUP == "IT.Americas_sec", Huntgroup-Name = switchAuth Service-Type = Administrative-User, cisco-avpair = "shell:priv-lvl=15" Alan DeKok.