That's my AAA model
Alexander Clouter
alex at digriz.org.uk
Wed Dec 2 17:14:53 CET 2009
Wagner Pereira <wpereira at pop-sp.rnp.br> wrote:
>
> I hope that can help begginers to understand better how the AAA model
> works: http://twitpic.com/ru4za/full
>
> And how I implemented that in my case.
>
I only see authentication and accounting in there but no authorisation,
you need something like:
----
DEFAULT NAS-Identifier == switch, LDAP-Group == netref
Service-Type = NAS-Prompt-User, Cisco-AVPair = "shell:priv-lvl=15"
----
Also the 'top' arrow should probably not say 'SSH session' but 'RADIUS
traffic' or something.
As a side note, I am pretty sure 'nastype' is deprecated. :)
Now go show me why I use the following ;)
----
aaa group server radius lanwarden
server 212.219.138.68 auth-port 1812 acct-port 1813
ip radius source-interface Loopback0
aaa authentication dot1x default group lanwarden
aaa authorization network default group lanwarden
aaa accounting dot1x default start-stop group lanwarden
----
If you are putting some documentation together, make sure you emphasis
that there still need to be local accounts on the switch that are
consulted *first* as when the RADIUS are unreachable (network routing
issue for example) you will be unable to log into your switches:
----
aaa authentication login ssh local group login
aaa authorization exec default local group login
aaa authorization exec console none
aaa accounting exec default start-stop group login
----
Good work never-the-less.
Cheers
--
Alexander Clouter
.sigmonster says: buzzword, n:
The fly in the ointment of computer literacy.
More information about the Freeradius-Users
mailing list