Second level authentication..

tnt at kalik.co.yu
Fri Jul 20 12:07:54 CEST 2007


On 20/7/2007, "ashish verma" <ashish.scit at gmail.com> writes:

av> I don't want the user to go directly in priv mode.
av> through priv level = 15 we directly get into priv level right.

av> what I am looking for is first the user gets into user level and
av> then with another password in level 2. (not with enable password)..it
av> should be through RADIUS server
>Hi Ivan,
>
>What I meant is you type "enable" but the password you give should be
>authenticated by RADIUS server not the "enable password stored on the
>device".
>I am not sure whether it is possible or not. But just wanted to know from
>the experts.
>
>Thanks,
>Ashish
>
OK. I'm done with flaming, let's go over things you can and can't do:

- you can store enable passwords on the radius server instead of locally

- you can't use radius and not use a machine-specific enable password
[av>"(not with enable password)"]

- you can use radius as a single step authentication method to give users
access to privileged mode directly by returning priv-lvl attribute in
their profile (leave out priv-lvl attribute if you don't want them to
have privileged access)

- you can't use a single authentication method and have different passwords
for different access levels *unless* enable password is machine-specific
(ie. same one for all users)

- if you want different passwords for user and privilege modes you will need
to use two different authentication methods (radius and tacacs+):

aaa authentication login default group radius
aaa authentication enable default group tacacs+

Now user will log onto the device with his radius password and he will be
prompted for username/password by tacacs when he types enable. I don't
think that you can use authorization (aaa authorization exec ...) in
this scenario. You have to return priv-lvl 15 for enable to gain
privileged access but that authorization will be passed onto login users
as well (you can't split user exec and privileged exec authorization, at
least I don't know a way) giving them privileged access straight away
and defeating the second level authentication. And I can't predict how
well things would work without authorization. My guess is that they will
but you won't be able to return any parameters to the user (no
privilege or command restrictions etc.).

Ivan Kalik
Kalik Informatika ISP
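A concrete profile for the single-step case described above (the RADIUS server returning the privilege level in the user's profile, and leaving it out for users who should stay in user exec), as an added example that is not from the post or from the FreeRADIUS project. The user names, passwords, server address and the IOS lines are assumed placeholders.

```text
# --- FreeRADIUS "users" file entries (added example, not from the post) ---
# Both accounts authenticate through the same RADIUS method. Only "netadmin"
# carries the Cisco-AVPair that hands out privilege level 15; "helpdesk"
# omits it, so that login lands in user exec (level 1) and still has to go
# through "enable" against the device's own enable password.
# Names and passwords below are placeholders, not real credentials.

netadmin   Cleartext-Password := "PLACEHOLDER-CHANGE-ME"
           Service-Type = NAS-Prompt-User,
           Cisco-AVPair = "shell:priv-lvl=15"

helpdesk   Cleartext-Password := "PLACEHOLDER-CHANGE-ME"
           Service-Type = NAS-Prompt-User

# --- Cisco IOS side (assumed commands, shown here as comments) ---
# aaa new-model
# radius-server host 192.0.2.10 key PLACEHOLDER-SHARED-SECRET
# aaa authentication login default group radius local
# aaa authorization exec default group radius local
#
# "aaa authorization exec" is what applies the returned priv-lvl on login;
# without it the attribute is ignored and every user starts in user exec.
# Keep the set of profiles carrying priv-lvl=15 as small as possible, since
# those users bypass the enable prompt entirely.
```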