That's my AAA model
Alexander Clouter
alex at digriz.org.uk
Thu Dec 3 10:54:40 CET 2009
Wagner Pereira <wpereira at pop-sp.rnp.br> wrote:
>
> Thanks for cheering my model. It's updated now:
> http://twitpic.com/rumfq/full
>
> Should I write these lines
>
> DEFAULT NAS-Identifier == switch, LDAP-Group == netref
>         Service-Type = NAS-Prompt-User, Cisco-AVPair = "shell:priv-lvl=15"
>
> in clients.conf file?
>
This is to go in the 'users' file and is called from your 'authorize { }'
section, typically with 'files'.
http://wiki.freeradius.org/CONFIGURATION_FILES#USERS

> By the way, this line
>
> aaa authentication login default group radius local
>
> that I have written in my Cisco IOS grants my login to it, I guess.
>
Should probably be:
----
aaa authentication login ssh local group radius
aaa authorization exec default local group radius
aaa authorization exec console none
aaa accounting exec default start-stop group radius
----
Then that way the *local* database of user(s) on the switch is consulted
first.
Cheers
--
Alexander Clouter
.sigmonster says: People don't change; they only become more so.