cisco device enable authentication via radius/ldap
Les Stott
Less at imagine-sw.com
Tue Dec 10 02:36:18 CET 2013
Hi,
I have a Freeradius Server in front of a FreeIPA backend configured to do LDAP Authentication via group. This works fine. I can login to my cisco switch as an ordinary user (who belongs to an ldap group cisco_admins) in user exec mode. Users in this group are assigned privilege level 15.
/etc/raddb/users

DEFAULT Ldap-Group == "cn=cisco_admins,cn=groups,cn=accounts,dc=mydomain,dc=com"
        Reply-Message = "You have been authenticated",
        Auth-Type := System,
        Service-Type = "NAS-Prompt-User",
        Cisco-AVPair = "shell:priv-lvl=15",
        Fall-Through = No
I figured out that I'd need to rewrite $enab15$ to have enable passwords authenticated via ldap also. This is working fine too.
/etc/raddb/modules/attr_rewrite

# Rewrite Usernames for enable mode on Cisco
attr_rewrite rewriteenablemodeuser {
        attribute = User-Name
        searchin = packet
        searchfor = ".enab15."
        replacewith = "admin"
        append = no
}
However this means that, for this configuration, I need to use the "admin" user password in ldap to enter enable mode.
While I can authenticate as admin to access enable mode, I was hoping for a way to authenticate as an ordinary user for enable mode, i.e. the normal user uses the same password for user mode and enable mode.
Is there a way that the attr_rewrite can be something like...
replacewith = "current_id_of_user"
Or is there another way?
Thanks,
Les
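Added example, not part of the post above or of FreeRADIUS itself: a small Python model of what the attr_rewrite rule in the post does to User-Name, so that the rule can be audited before it is trusted. The searchfor value ".enab15." is a regular expression, and each "." matches any single character, so the rule alters more than the literal "$enab15$" that IOS sends for enable authentication. The anchored pattern STRICT_PATTERN and the sample usernames are assumptions constructed for this example; the model assumes ordinary regex-substitution semantics (first match replaced, remainder of the string kept).

```python
import re

# Pattern copied from the attr_rewrite block in the post. In a regex, '.'
# matches ANY single character, not only the literal '$' that Cisco sends.
LOOSE_PATTERN = r".enab15."
# Anchored alternative (an assumption for this example, not from the post):
# matches only the exact username "$enab15$" used for enable authentication.
STRICT_PATTERN = r"^\$enab15\$$"
REPLACE_WITH = "admin"


def rewrite_username(user_name: str, pattern: str = LOOSE_PATTERN,
                     replace_with: str = REPLACE_WITH) -> str:
    """Model of attr_rewrite with append = no: the first match of `pattern`
    inside User-Name is replaced by `replace_with`; the rest of the value is
    kept unchanged. Assumes ordinary regex-substitution semantics."""
    return re.sub(pattern, replace_with, user_name, count=1)


def rewritten_users(user_names, pattern=LOOSE_PATTERN):
    """Return the usernames that `pattern` would alter at all, i.e. the set of
    logins a rewrite rule really touches; useful when auditing the rule."""
    return [u for u in user_names if rewrite_username(u, pattern) != u]


# Constructed sample User-Name values; only the first one is what IOS sends.
SAMPLE_USERS = ["$enab15$", "les", "xenab15y", "myenab15user", "enab15"]

if __name__ == "__main__":
    for u in SAMPLE_USERS:
        print(f"{u!r:16} loose -> {rewrite_username(u)!r:12} "
              f"strict -> {rewrite_username(u, STRICT_PATTERN)!r}")
```

With the loose pattern, "xenab15y" is rewritten to "admin" and "myenab15user" becomes "madminser", so any account whose name happens to contain "enab15" would be authenticated against the admin LDAP entry; the anchored pattern only touches "$enab15$". Run the script on the real user list to see exactly which logins a rewrite rule would change.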