That's my AAA model

Alexander Clouter alex at digriz.org.uk
Wed Dec 2 17:14:53 CET 2009


Wagner Pereira <wpereira at pop-sp.rnp.br> wrote:
> 
> I hope that can help beginners to understand better how the AAA model 
> works: http://twitpic.com/ru4za/full
> 
> And how I implemented that in my case.
> 
I only see authentication and accounting in there but no authorisation, 
you need something like:
----
DEFAULT NAS-Identifier == switch, LDAP-Group == netref
        Service-Type = NAS-Prompt-User, Cisco-AVPair = "shell:priv-lvl=15"
----

Also the 'top' arrow should probably not say 'SSH session' but 'RADIUS 
traffic' or something.

As a side note, I am pretty sure 'nastype' is deprecated. :)

Now go show me why I use the following ;)
----
aaa group server radius lanwarden
 server 212.219.138.68 auth-port 1812 acct-port 1813
 ip radius source-interface Loopback0

aaa authentication dot1x default group lanwarden
aaa authorization network default group lanwarden
aaa accounting dot1x default start-stop group lanwarden
----

If you are putting some documentation together, make sure you emphasise 
that there still need to be local accounts on the switch that are 
consulted *first*, as when the RADIUS servers are unreachable (network routing 
issue for example) you will be unable to log into your switches:
----
aaa authentication login ssh local group login
aaa authorization exec default local group login
aaa authorization exec console none
aaa accounting exec default start-stop group login
----

Good work nevertheless.

Cheers

-- 
Alexander Clouter
.sigmonster says: buzzword, n:
                  	The fly in the ointment of computer literacy.

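The method-list ordering Alexander argues for above (`local` before `group login`) can be modelled in a few lines. This is an added example, not code from the post or from FreeRADIUS/Cisco: it assumes Cisco's documented method-list rule that the next method is consulted only when the previous one returns an error (server unreachable), not when it rejects the credentials, and it also assumes that the `local` method reports an error, rather than a reject, for a user it does not know.

```python
"""Toy model of an IOS-style AAA authentication method list.

Assumed semantics (see lead-in):
  PASS  - method accepted the credentials, stop
  FAIL  - method rejected them, stop and deny (no fall-through)
  ERROR - method could not decide (RADIUS group unreachable, or user
          unknown to the local database), try the next method
If every method returns ERROR the login is denied.
"""
from dataclasses import dataclass

PASS, FAIL, ERROR = "PASS", "FAIL", "ERROR"


@dataclass
class LocalDB:
    """The switch's own 'username ... secret ...' entries (constructed)."""
    users: dict

    def authenticate(self, user, password):
        if user not in self.users:
            return ERROR  # assumption: unknown local user falls through
        return PASS if self.users[user] == password else FAIL


@dataclass
class RadiusGroup:
    """An 'aaa group server radius' whose servers may be unreachable."""
    users: dict
    reachable: bool = True

    def authenticate(self, user, password):
        if not self.reachable:
            return ERROR  # all servers timed out, e.g. routing issue
        return PASS if self.users.get(user) == password else FAIL


def walk_method_list(methods, user, password):
    """Evaluate 'aaa authentication login <list> m1 m2 ...' in order.

    Returns (decision, trace); trace records each method's answer so the
    reader can see where the walk stopped.
    """
    trace = []
    for name, method in methods:
        result = method.authenticate(user, password)
        trace.append((name, result))
        if result != ERROR:
            return result, trace
    return FAIL, trace  # nobody could vouch for the user: deny
```

Walking `[("local", ...), ("group login", ...)]` with the RADIUS group marked unreachable still admits a local account, while a list containing only `group login` locks you out; with RADIUS up, a reject from RADIUS does not fall back to `local` placed after it.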