"Mike May" <mmay3@nd.edu> wrote:
After the authn I set some authz like Cisco-AVPair = "priv-lvl=15" used by Cisco routers and switches for network engineers who live in the proper LDAP group, here is where the problem is. PIX firewalls do not like me setting the priv lvl, and the reason is that the PIX will only accept authz from a tacacs server(it seems like).
So.. don't specify that for the PIX firewall, *or* add it only for the non-PIX machines.
What I need to do is specify a "netauth" == NAS-IP-ADDRESS 192.168.20.0/23 subnet. Instead of "netauth" == NAS-IP-ADDRESS 192.168.20.15, this way I can use my users file and not set the Cisco priv lvl for those devices that live on the firewall subnets.
You can match IP's via regular expressions. Alan DeKok. -- http://deployingradius.com - The web site of the book http://deployingradius.com/blog/ - The blog