cisco device enable authentication via radius/ldap
Les Stott
Less at imagine-sw.com
Wed Dec 11 00:20:52 CET 2013
Ignore this. I just figured out I don't need it.
I didn't realise that Cisco-AVPair = "shell:priv-lvl=15" wasn't actually working on login for me because I didn't have ...
    aaa authorization console
in my switch config and I was testing everything from console. Now, ldap users login as privilege level 15, straight in enable mode.
Regards,
Les
From: freeradius-users-bounces+less=imagine-sw.com at lists.freeradius.org [mailto:freeradius-users-bounces+less=imagine-sw.com at lists.freeradius.org] On Behalf Of Les Stott
Sent: Tuesday, 10 December 2013 12:36 PM
To: freeradius-users at lists.freeradius.org
Subject: cisco device enable authentication via radius/ldap
Hi,
I have a Freeradius Server in front of a FreeIPA backend configured to do LDAP Authentication via group. This works fine. I can login to my cisco switch as an ordinary user (who belongs to an ldap group cisco_admins) in user exec mode. Users in this group are assigned privilege level 15.
/etc/raddb/users
DEFAULT Ldap-Group == "cn=cisco_admins,cn=groups,cn=accounts,dc=mydomain,dc=com"
        Reply-Message="You have been authenticated",
        Auth-Type := System,
        Service-Type = "NAS-Prompt-User",
        Cisco-AVPair = "shell:priv-lvl=15",
        Fall-Through = No
I figured out that I'd need to rewrite $enab15$ to have enable passwords authenticated via ldap also. This is working fine too.
/etc/raddb/modules/attr_rewrite
# Rewrite Usernames for enable mode on Cisco
attr_rewrite rewriteenablemodeuser {
        attribute = User-Name
        searchin = packet
        searchfor = ".enab15."
        replacewith = "admin"
        append = no
}
However this means that, for this configuration, I need to use the "admin" user password in ldap to enter enable mode.
While I can authenticate as admin to access enable mode I was hoping for a way to be able to authenticate via an ordinary user for enable mode. i.e. normal user uses the same password for user mode and enable mode.
Is there a way that the attr_rewrite can be something like...
replacewith = "current_id_of_user"
Or is there another way?
Thanks,
Les
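Added example, not from the thread: a small Python model of the two config fragments above (the users-file DEFAULT entry and the attr_rewrite block), so the rewrite and the group check can be exercised offline. The names rewrite_enable_user, build_reply, authorize, SAMPLE_DIRECTORY and STRICT_ENABLE_PATTERN are this example's own, and the directory contents are constructed. It also shows why the post's unanchored searchfor pattern ".enab15." deserves a second look: it rewrites any User-Name that merely contains "enab15", whereas an anchored pattern only fires on the literal "$enab15$" that the switch sends for enable authentication. Treating attr_rewrite as "replace the matched part of the attribute" is an assumption about its semantics.

```python
import re

# Constructed model of the thread's two config fragments; it is not FreeRADIUS
# code and only approximates attr_rewrite / users-file behaviour.

# LDAP group DN from the post's users-file entry.
CISCO_ADMINS_DN = "cn=cisco_admins,cn=groups,cn=accounts,dc=mydomain,dc=com"

# Pattern exactly as in the post's attr_rewrite block (an unanchored regex).
LOOSE_ENABLE_PATTERN = re.compile(r".enab15.")
# Assumed hardening: match only the literal enable-request username "$enab15$".
STRICT_ENABLE_PATTERN = re.compile(r"^\$enab15\$$")


def rewrite_enable_user(user_name, pattern=LOOSE_ENABLE_PATTERN, replacement="admin"):
    """Model of attr_rewrite with append = no: the matched part of User-Name is
    replaced by `replacement` (assumption about attr_rewrite semantics)."""
    return pattern.sub(replacement, user_name, count=1)


def build_reply(user_name, ldap_groups):
    """Model of the users-file DEFAULT entry: members of cisco_admins get the
    Cisco privilege-15 reply items; anyone else gets no match (None)."""
    if CISCO_ADMINS_DN not in ldap_groups:
        return None
    return {
        "Reply-Message": "You have been authenticated",
        "Service-Type": "NAS-Prompt-User",
        "Cisco-AVPair": "shell:priv-lvl=15",
    }


def authorize(user_name, directory, pattern=LOOSE_ENABLE_PATTERN):
    """Apply the rewrite first (as attr_rewrite does during authorize), then
    look the effective user up in a constructed {user: [group DNs]} directory."""
    effective_user = rewrite_enable_user(user_name, pattern)
    groups = directory.get(effective_user, [])
    return effective_user, build_reply(effective_user, groups)


# Constructed directory standing in for the FreeIPA LDAP backend.
SAMPLE_DIRECTORY = {
    "admin": [CISCO_ADMINS_DN],
    "alice": [CISCO_ADMINS_DN],
    "bob": [],
    "xenab15x": [],  # ordinary account whose name happens to contain "enab15"
}

if __name__ == "__main__":
    for name in ["alice", "$enab15$", "bob", "xenab15x"]:
        for label, pat in [("loose", LOOSE_ENABLE_PATTERN), ("strict", STRICT_ENABLE_PATTERN)]:
            print(label, name, "->", authorize(name, SAMPLE_DIRECTORY, pat))
```

With the loose pattern, "xenab15x" is rewritten to "admin" before the LDAP lookup, so that request is evaluated against the admin account's password and group membership rather than its own; with the anchored pattern only the real "$enab15$" enable request is rewritten and every other name is looked up unchanged.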