Second level authentication..
Hi Ivan, What i meant is you type "enable" but the password you give should be authenticated by RADIUS server not the "enable password stored on the device". I am not sure whether it is possible or not. But just wanted to know from the experts. Thanks, Ashish On 7/19/07, freeradius-users-request@lists.freeradius.org < freeradius-users-request@lists.freeradius.org> wrote:
Send Freeradius-Users mailing list submissions to freeradius-users@lists.freeradius.org
To subscribe or unsubscribe via the World Wide Web, visit http://lists.freeradius.org/mailman/listinfo/freeradius-users or, via email, send a message with subject or body 'help' to freeradius-users-request@lists.freeradius.org
You can reach the person managing the list at freeradius-users-owner@lists.freeradius.org
When replying, please edit your Subject line so it is more specific than "Re: Contents of Freeradius-Users digest..."
Today's Topics:
1. Second level authentication. (ashish verma) 2. Re: Second level authentication. (tnt@kalik.co.yu) 3. Re: TLS cant connect ldap+freeradius+novell (tnt@kalik.co.yu) 4. Re: Quirky question about rewriting usernames (Cliff Cole) 5. Re: Second level authentication. (Claudiu Filip) 6. Re: TLS cant connect ldap+freeradius+novell (Martin G)
----------------------------------------------------------------------
Message: 1 Date: Thu, 19 Jul 2007 22:21:30 +0530 From: "ashish verma" <ashish.scit@gmail.com> Subject: Second level authentication. To: freeradius-users@lists.freeradius.org Message-ID: <11b554120707190951xff545a5j9cb83a1a9b31835d@mail.gmail.com> Content-Type: text/plain; charset="iso-8859-1"
Hi Stefan,
I read the document and thanks for giving the link, that was helpful.
Well I think i put my question in a wrong way. Let me put it in a different way.
I dont want the user to go directly in priv mode. through priv level = 15 we direclty get into priv level right.
what i am looking for is first the user get into user level and then with another password in level 2. (not with enable password)..it should be through RADIUS server.
Ashish
On Fri 20 Jul 2007, ashish verma wrote:
Hi Ivan,
What i meant is you type "enable" but the password you give should be authenticated by RADIUS server not the "enable password stored on the device". I am not sure whether it is possible or not. But just wanted to know from the experts.
Are you even reading the replies that people send you? The is the 3rd time we are giving you the same link. Stop. Drink a coffee and read: http://wiki.freeradius.org/Cisco If you don't understand it, READ IT AGAIN! -- Peter Nixon http://peternixon.net/
Dana 20/7/2007, "ashish verma" <ashish.scit@gmail.com> piše: av> I dont want the user to go directly in priv mode. av> through priv level = 15 we direclty get into priv level right. av> what i am looking for is first the user get into user level and av> then with av> another av> password in level 2. (not with enable password)..it should be av> through RADIUS av> server
Hi Ivan,
What i meant is you type "enable" but the password you give should be authenticated by RADIUS server not the "enable password stored on the device". I am not sure whether it is possible or not. But just wanted to know from the experts.
Thanks, Ashish
OK. I'm done with flaming, let's go over thing you can and can't do: - you can store enable passwords on the radius server instead of locally - you can't use radius and not use machine-specific enable password [av>"(not with enable password)"] - you can use radius as a single step authentication method to give users access to privileged mode directly by returning priv-lvl attribute in their profile (leave out priv-lvl attribute if you don't want them to have privileged access) - you can't use single authetication method and have different passwords for different access levels *unless* enable password is machine-specific (ie. same one for all users) - if you different passwords for user and prevelege modes you will need to use two different authentication methods (radius and tacacs+): aaa authentication login default group radius aaa authentication enable default group tacacs+ Now user will log onto the device with his radius password and he will be prompted for username/password by tacacs when he types enable. I don't think that you can use authorization (aaa authorization exec ...) in this scenario. You have to return priv-lvl 15 for enable to gain privileged access but that authorization will be passed onto login users as well (you cant split user exec and privileged exec authorization, at least I don't know a way) giving them privileged access straight away and defeating the second level authentication. And I can't predict how well would things work without authorization. My guess is that they will but you won't be able to return any parameters to the user (no privilege or command restrictions etc.). Ivan Kalik Kalik Informatika ISP
----- Original Message ----- From: <tnt@kalik.co.yu> To: "FreeRadius users mailing list" <freeradius-users@lists.freeradius.org> Sent: Friday, July 20, 2007 4:07 AM Subject: Re: Second level authentication.. Dana 20/7/2007, "ashish verma" <ashish.scit@gmail.com> piše: av> I dont want the user to go directly in priv mode. av> through priv level = 15 we direclty get into priv level right. av> what i am looking for is first the user get into user level and av> then with av> another av> password in level 2. (not with enable password)..it should be av> through RADIUS av> server
Hi Ivan,
What i meant is you type "enable" but the password you give should be authenticated by RADIUS server not the "enable password stored on the device". I am not sure whether it is possible or not. But just wanted to know from the experts.
Thanks, Ashish
OK. I'm done with flaming, let's go over thing you can and can't do: - you can store enable passwords on the radius server instead of locally - you can't use radius and not use machine-specific enable password [av>"(not with enable password)"] - you can use radius as a single step authentication method to give users access to privileged mode directly by returning priv-lvl attribute in their profile (leave out priv-lvl attribute if you don't want them to have privileged access) - you can't use single authetication method and have different passwords for different access levels *unless* enable password is machine-specific (ie. same one for all users) - if you different passwords for user and prevelege modes you will need to use two different authentication methods (radius and tacacs+): aaa authentication login default group radius aaa authentication enable default group tacacs+ Now user will log onto the device with his radius password and he will be prompted for username/password by tacacs when he types enable. I don't think that you can use authorization (aaa authorization exec ...) in this scenario. You have to return priv-lvl 15 for enable to gain privileged access but that authorization will be passed onto login users as well (you cant split user exec and privileged exec authorization, at least I don't know a way) giving them privileged access straight away and defeating the second level authentication. And I can't predict how well would things work without authorization. My guess is that they will but you won't be able to return any parameters to the user (no privilege or command restrictions etc.). Ivan Kalik Kalik Informatika ISP - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
participants (4)
-
Andy Zerger -
ashish verma -
Peter Nixon -
tnt@kalik.co.yu