cisco device enable authentication via radius/ldap

Les Stott Less at imagine-sw.com
Tue Dec 10 02:36:18 CET 2013


Hi,

I have a FreeRADIUS server in front of a FreeIPA backend, configured to do LDAP authentication via group. This works fine. I can log in to my Cisco switch as an ordinary user (who belongs to an LDAP group cisco_admins) in user exec mode. Users in this group are assigned privilege level 15.

/etc/raddb/users

DEFAULT Ldap-Group == "cn=cisco_admins,cn=groups,cn=accounts,dc=mydomain,dc=com"
        Reply-Message="You have been authenticated",
        Auth-Type := System,
        Service-Type = "NAS-Prompt-User",
        Cisco-AVPair = "shell:priv-lvl=15",
        Fall-Through = No


I figured out that I'd need to rewrite $enab15$ to have enable passwords authenticated via ldap also. This is working fine too.

/etc/raddb/modules/attr_rewrite

# Rewrite Usernames for enable mode on Cisco

attr_rewrite rewriteenablemodeuser {
        attribute = User-Name
        searchin = packet
        searchfor = ".enab15."
        replacewith = "admin"
        append = no
}

However, this means that, for this configuration, I need to use the "admin" user's password in LDAP to enter enable mode.

While I can authenticate as admin to access enable mode, I was hoping for a way to authenticate as an ordinary user for enable mode, i.e. a normal user uses the same password for user mode and enable mode.

Is there a way that the attr_rewrite can be something like...

replacewith = "current_id_of_user"

Or is there another way?

Thanks,

Les
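As an added illustration, not part of Les's post or of the FreeRADIUS project: a small Python emulation of the posted attr_rewrite rule. It relies on rlm_attr_rewrite treating searchfor as a regular expression; STRICT_SEARCHFOR is an assumed tighter pattern, and the sample User-Name values are constructed.

```python
import re

# Added example, not code from the original post. It emulates the
# attr_rewrite step described there: rlm_attr_rewrite treats 'searchfor'
# as a regular expression, so the unescaped dots in ".enab15." match any
# character, not only the literal '$' signs that Cisco puts in the
# $enab15$ enable-mode username.
POSTED_SEARCHFOR = r".enab15."
# Assumed tighter pattern (not from the post): anchored, with the dollar
# signs escaped, so only the exact Cisco enable-mode marker is rewritten.
STRICT_SEARCHFOR = r"^\$enab15\$$"
REPLACEWITH = "admin"


def rewrite_user_name(user_name: str, searchfor: str = POSTED_SEARCHFOR) -> str:
    """Apply the rewrite as attr_rewrite would with append = no and a single
    match: the matched part of User-Name is replaced by 'replacewith'.
    The returned value is the identity the supplied password is then
    checked against in LDAP."""
    return re.sub(searchfor, REPLACEWITH, user_name, count=1)


def rewrite_scope(searchfor: str, sample_names) -> dict:
    """For a set of User-Name values, report which ones the given searchfor
    pattern would rewrite to 'admin' (True) and which pass through
    unchanged (False)."""
    return {name: rewrite_user_name(name, searchfor) == REPLACEWITH
            for name in sample_names}


# Constructed sample User-Name values: the real Cisco enable marker, an
# ordinary login, and a login that merely happens to contain 'enab15'.
SAMPLE_NAMES = ["$enab15$", "alice", "xenab15y"]

if __name__ == "__main__":
    for pattern in (POSTED_SEARCHFOR, STRICT_SEARCHFOR):
        print(pattern, rewrite_scope(pattern, SAMPLE_NAMES))
```

Running it shows that the posted pattern also rewrites "xenab15y" to "admin", while the anchored pattern only touches the exact $enab15$ marker.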