Cisco av-pair for NX-OS and IOS

Michael Schwartzkopff ms at sys4.de
Fri Feb 8 08:53:18 CET 2013


On Thursday, 7 February 2013, 23:51:34, Norman Zhang wrote:
> Hi,
> 
> Using freeradius2-2.1.12. I need to set up read-write access for both Cisco
> NX-OS and IOS devices. I did the following:
> 
> DEFAULT Group == operator-rw, Auth-Type = System
>         Service-Type = NAS-Prompt-User,
>         cisco-avpair := "shell:roles*\"network-admin vdc-admin priv-lvl=15\""
> 
> I can log into both NX-OS and IOS devices; however, IOS devices only
> permit exec mode, not the privileged exec (enable) mode. Not sure if I'm
> doing something wrong on the syntax. Can someone give me a few pointers?
> 
> Norman

Hi,

Please read http://wiki.freeradius.org/vendor/Cisco
especially the section "Command Authorization", last paragraph.

Your configuration should work, but in a move by Cisco to make TACACS
superior to RADIUS they compiled their IOS so that this AV pair does not work.

I have a feature request at Cisco to improve the situation. I am really
looking forward to Cisco implementing it.

Greetings,

-- 

Michael Schwartzkopff

-- 
[*] sys4 AG

http://sys4.de, +49 (89) 30 90 46 64
Franziskanerstraße 15, 81669 München

Registered office: München, District Court of München: HRB 199263
Executive board: Patrick Ben Koetter, Axel von der Ohe, Marc Schiffbauer
Chairman of the supervisory board: Joerg Heidrich
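
The value from the quoted post, split into the Cisco AV-pair parts (protocol, attribute, separator, value), as an added example that is not part of the original thread or of FreeRADIUS. It assumes the documented `protocol:attribute=value` layout in which `*` instead of `=` marks an optional attribute; the function names and the `SEPARATE` comparison value are constructed here.

```python
import re

# Cisco AV-pair layout: protocol:attribute<sep>value, where "=" marks a
# mandatory attribute and "*" an optional one (assumed layout, see lead-in).
AVPAIR_RE = re.compile(
    r'^(?P<protocol>[^:]+):(?P<attribute>[^=*]+)(?P<sep>[=*])(?P<value>.*)$',
    re.S,
)


def parse_avpair(raw):
    """Split one cisco-avpair string into protocol, attribute, flag and value."""
    m = AVPAIR_RE.match(raw.strip())
    if m is None:
        raise ValueError("not a protocol:attribute=value string: %r" % raw)
    value = m.group("value").strip()
    # Remove one pair of surrounding double quotes, as used around role lists.
    if len(value) >= 2 and value[0] == value[-1] == '"':
        value = value[1:-1]
    return {
        "protocol": m.group("protocol"),
        "attribute": m.group("attribute"),
        "mandatory": m.group("sep") == "=",
        "value": value,
    }


def embedded_assignments(pair):
    """Return tokens inside the value that themselves look like name=value."""
    return [tok for tok in pair["value"].split() if "=" in tok]


# Value from the post, with the users-file backslash escapes removed.
POSTED = 'shell:roles*"network-admin vdc-admin priv-lvl=15"'
# Constructed comparison value: the privilege level as an AV pair of its own.
SEPARATE = "shell:priv-lvl=15"

if __name__ == "__main__":
    for raw in (POSTED, SEPARATE):
        pair = parse_avpair(raw)
        print(pair, "embedded:", embedded_assignments(pair))
```

Run against the posted value, the parser reports a single optional `roles` attribute whose value carries `priv-lvl=15` as a third token; no separate `priv-lvl` attribute is present in what the server sends.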