Cisco av-pair for NX-OS and IOS

Michael Schwartzkopff ms at
Fri Feb 8 08:53:18 CET 2013

Am Donnerstag, 7. Februar 2013, 23:51:34 schrieb Norman Zhang:
> Hi,
> Using freeradius2-2.1.12. I need to setup read-write access for both Cisco
> NX-OS and IOS devices. I did the following,
> DEFAULT Group == operator-rw, Auth-Type = System
>         Service-Type = NAS-Prompt-User,
>         cisco-avpair := "shell:roles*\"network-admin vdc-admin
> priv-lvl=15\""
> I can log into both NX-OS and IOS devices; however, IOS devices only
> permits exec mode not the privileged exec (enable) mode. Not sure if I'm
> doing something wrong on the syntax. Can someone give me few pointers?
> Norman


Please read

especially the section "Command Authorization", last paragraph.

Your configuration should work, but in a move by Cisco to make TACACS 
to RADIUS they compiled their IOS so that this AV pair does not work.

I have a feature request at Cisco to improve the situation. I am really 
looking forward when Cisco will implement it.



Michael Schwartzkopff

[*] sys4 AG, +49 (89) 30 90 46 64
Franziskanerstraße 15, 81669 München

Sitz der Gesellschaft: München, Amtsgericht München: HRB 199263
Vorstand: Patrick Ben Koetter, Axel von der Ohe, Marc Schiffbauer
Aufsichtsratsvorsitzender: Joerg Heidrich
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <>

More information about the Freeradius-Users mailing list