Alexander, Thanks for cheered my model. It's updated now: http://twitpic.com/rumfq/full Should I write these lines DEFAULT NAS-Identifier == switch, LDAP-Group == netref Service-Type = NAS-Prompt-User, Cisco-AVPair = "shell:priv-lvl=15" in clients.conf file? By the way, this line aaa authentication login default group radius local that I have written in my Cisco IOS grants my log into it, I guess. -- Wagner Pereira PoP-SP/RNP - Ponto de Presença da RNP em São Paulo CCE/USP - Centro de Computação Eletrônica da Universidade de São Paulo http://www.pop-sp.rnp.br Fone@RNP 1015-8902 Alexander Clouter escreveu:
Wagner Pereira <wpereira@pop-sp.rnp.br> wrote:
I hope that can help begginers to understand better how the AAA model works: http://twitpic.com/ru4za/full
And how I implemented that in my case.
I only see authentication and accounting in there but no authorisation, you need something like: ---- DEFAULT NAS-Identifier == switch, LDAP-Group == netref Service-Type = NAS-Prompt-User, Cisco-AVPair = "shell:priv-lvl=15" ----
Also the 'top' arrow should probably not say 'SSH session' but 'RADIUS traffic' or something.
As a side note, I am pretty sure 'nastype' is deprecated. :)
Now go show me why I use the following ;) ---- aaa group server radius lanwarden server 212.219.138.68 auth-port 1812 acct-port 1813 ip radius source-interface Loopback0
aaa authentication dot1x default group lanwarden aaa authorization network default group lanwarden aaa accounting dot1x default start-stop group lanwarden ----
If you are putting some documentation together, make sure you emphasis that there still need to be local accounts on the switch that are consulted *first* as when the RADIUS are unreachable (network routing issue for example) you will be unable to log into your switches: ---- aaa authentication login ssh local group login aaa authorization exec default local group login aaa authorization exec console none aaa accounting exec default start-stop group login ----
Good work never-the-less.
Cheers