Cisco av-pair for NX-OS and IOS

Øystein Gyland oystegy at usit.uio.no
Thu Feb 14 12:44:37 CET 2013


On Thu, 2013-02-07 at 23:51 -0500, Norman Zhang wrote: 
> Hi,
> 
> Using freeradius2-2.1.12. I need to set up read-write access for both
> Cisco NX-OS and IOS devices. I did the following:
> 
> DEFAULT Group == operator-rw, Auth-Type = System
>         Service-Type = NAS-Prompt-User,
>         cisco-avpair := "shell:roles*\"network-admin vdc-admin priv-lvl=15\""
> 
> I can log into both NX-OS and IOS devices; however, IOS devices only
> permit exec mode, not the privileged exec (enable) mode. Not sure if
> I'm doing something wrong on the syntax. Can someone give me a few
> pointers?

I guess you should not concatenate the IOS and NX-OS attributes to a
single combined attribute. Also, "priv-lvl=15" should be
"shell:priv-lvl=15" I believe.

This should work:

DEFAULT Group == operator-rw, Auth-Type = System
	Cisco-AVPair+="shell:roles=network-admin vdc-admin",
	Cisco-AVPair+="shell:priv-lvl=15",
	Service-Type = NAS-Prompt-User

-Øystein
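
Added example, not part of the original post: a small lint that reads `Cisco-AVPair` reply items from a users-file snippet and flags a value that appears to carry a second attribute inside it, which is the mistake discussed in this thread. The function names and the embedded sample are constructed for illustration; the check assumes each AV pair has the form `protocol:attribute` followed by `=` or `*` and a value, and the "embedded attribute" test is a heuristic.

```python
import re

# Constructed sample: the entry from the question, then the corrected one.
USERS_SAMPLE = r'''
DEFAULT Group == operator-rw, Auth-Type = System
        Service-Type = NAS-Prompt-User,
        cisco-avpair := "shell:roles*\"network-admin vdc-admin priv-lvl=15\""

DEFAULT Group == operator-rw, Auth-Type = System
        Cisco-AVPair+="shell:roles=network-admin vdc-admin",
        Cisco-AVPair+="shell:priv-lvl=15",
        Service-Type = NAS-Prompt-User
'''

# Reply item: Cisco-AVPair <op> "<value>"; the value may contain \" escapes.
ITEM = re.compile(r'cisco-avpair\s*(?::=|\+=|=)\s*"((?:\\.|[^"\\])*)"', re.I)
# One AV pair: protocol:attribute, then '=' or '*', then the value.
PAIR = re.compile(r'^([a-z0-9-]+):([a-z0-9-]+)([=*])(.*)$', re.I | re.S)
# Heuristic: a "name=" or "name*" token inside the value suggests merged pairs.
EMBEDDED = re.compile(r'(?:^|\s)([a-z][a-z0-9-]*)[=*]', re.I)


def check_avpair(value):
    """Return a list of problems found in one Cisco-AVPair value."""
    value = value.replace('\\"', '"')  # undo users-file escaping
    m = PAIR.match(value)
    if not m:
        return ["not in protocol:attribute=value form"]
    problems = []
    inner = m.group(4).strip('"')
    for name in EMBEDDED.findall(inner):
        problems.append(f"'{name}' is embedded in {m.group(1)}:{m.group(2)}; "
                        f"send it as its own Cisco-AVPair")
    return problems


def lint_users(text):
    """Return (line_number, value, problems) for every Cisco-AVPair item."""
    results = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for m in ITEM.finditer(line):
            results.append((lineno, m.group(1), check_avpair(m.group(1))))
    return results


if __name__ == "__main__":
    for lineno, value, problems in lint_users(USERS_SAMPLE):
        print(lineno, value, problems or "ok")
```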







