Wagner Pereira <wpereira@pop-sp.rnp.br> wrote:
I hope that can help begginers to understand better how the AAA model works: http://twitpic.com/ru4za/full
And how I implemented that in my case.
I only see authentication and accounting in there but no authorisation, you need something like: ---- DEFAULT NAS-Identifier == switch, LDAP-Group == netref Service-Type = NAS-Prompt-User, Cisco-AVPair = "shell:priv-lvl=15" ---- Also the 'top' arrow should probably not say 'SSH session' but 'RADIUS traffic' or something. As a side note, I am pretty sure 'nastype' is deprecated. :) Now go show me why I use the following ;) ---- aaa group server radius lanwarden server 212.219.138.68 auth-port 1812 acct-port 1813 ip radius source-interface Loopback0 aaa authentication dot1x default group lanwarden aaa authorization network default group lanwarden aaa accounting dot1x default start-stop group lanwarden ---- If you are putting some documentation together, make sure you emphasis that there still need to be local accounts on the switch that are consulted *first* as when the RADIUS are unreachable (network routing issue for example) you will be unable to log into your switches: ---- aaa authentication login ssh local group login aaa authorization exec default local group login aaa authorization exec console none aaa accounting exec default start-stop group login ---- Good work never-the-less. Cheers -- Alexander Clouter .sigmonster says: buzzword, n: The fly in the ointment of computer literacy.