overlapping cisco avpairs (UCS+IOS)

Jimmy Stewpot mailers at oranged.to
Wed Mar 6 03:21:54 CET 2013


For some time we have been using freeradius to provide authentication to our networking estate. Recently we introduced the Cisco UCS. The problem that we now have is it appears that we have a conflict in the VSA attributes required to provide the right levels of access to end users.

We have always had the Cisco-AVPAIR of "shell:priv-lvl=15" which has been working for some time. With the Cisco UCS platform we need to introduce an additional shell: variable which looks like this "shell:roles=admin". I have tried to add the variables to our users file with a += but the values are never accepted by the end Cisco device. It seems that only the first-to-be-received is actually activated on the Cisco device. I have been playing around with various formats in the users file without any success. I am interested to know if anyone else has had such issues and if so what the solution is?

I am currently running with Freeradius v2.1.12 provided as a part of the Redhat EL6 distro. We have our users in an Active Directory tree using the ldap plugin.

Our users file currently looks like this.

DEFAULT LDAP-Group == "Network Full Access"

I've tried the following

DEFAULT LDAP-Group == "Network Full Access"
  Cisco-AVPAIR="shell:priv-lvl=15, roles=admin"

- Fails: both networking and UCS result in read-only or no access.

DEFAULT LDAP-Group == "Network Full Access"

- Fails: both networking and UCS result in read-only or no access.

DEFAULT LDAP-Group == "Network Full Access"

- Works with the switch/router estate but not with UCS.

If I do a debug on the device it always matches the first entry in the returned attributes and discards the second. If I remove the priv-lvl=15 and only have shell:roles=admin, it works for UCS but the switch and router estate fails. Any assistance would be greatly appreciated.
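To separate a server-side problem (only one Cisco-AVPair actually leaving FreeRADIUS) from a device-side one (the NAS honouring only the first of two), it helps to decode the Access-Accept on the wire. The following is an added example, not code from the original message or from FreeRADIUS: it walks the RADIUS attribute list, picks out Vendor-Specific attributes (type 26) for Cisco's vendor ID 9 and returns every Cisco-AVPair (vendor-type 1) in wire order. The sample packet is constructed inline; the same function accepts the raw bytes of a captured Access-Accept.

```python
import struct

ATTR_VENDOR_SPECIFIC = 26  # RFC 2865 Vendor-Specific
CISCO_VENDOR_ID = 9        # IANA enterprise number for Cisco
CISCO_AVPAIR_TYPE = 1      # Cisco-AVPair is vendor-type 1

def parse_attributes(payload):
    """Yield (type, value) pairs from the attribute section of a RADIUS packet."""
    pos = 0
    while pos < len(payload):
        attr_len = payload[pos + 1] if pos + 1 < len(payload) else 0
        if attr_len < 2 or pos + attr_len > len(payload):
            raise ValueError("truncated or malformed attribute")
        yield payload[pos], payload[pos + 2:pos + attr_len]
        pos += attr_len

def cisco_avpairs(packet):
    """Return every Cisco-AVPair string carried in the packet, in wire order."""
    if len(packet) < 20 or struct.unpack("!H", packet[2:4])[0] != len(packet):
        raise ValueError("short packet or Length field mismatch")
    pairs = []
    for attr_type, value in parse_attributes(packet[20:]):
        if attr_type != ATTR_VENDOR_SPECIFIC or len(value) < 6:
            continue
        if struct.unpack("!I", value[:4])[0] != CISCO_VENDOR_ID:
            continue
        # Cisco nests one TLV (vendor-type, vendor-length, string) in each VSA
        vtype, vlen = value[4], value[5]
        if vtype == CISCO_AVPAIR_TYPE and vlen == len(value) - 4:
            pairs.append(value[6:].decode("ascii", errors="replace"))
    return pairs

def build_vsa(text):
    """Encode one Cisco-AVPair VSA; used only to build the constructed sample."""
    inner = struct.pack("!BB", CISCO_AVPAIR_TYPE, 2 + len(text)) + text.encode("ascii")
    body = struct.pack("!I", CISCO_VENDOR_ID) + inner
    return struct.pack("!BB", ATTR_VENDOR_SPECIFIC, 2 + len(body)) + body

def build_access_accept(avpairs):
    """Constructed Access-Accept (Code 2, zeroed authenticator) carrying the AVPairs."""
    attrs = b"".join(build_vsa(a) for a in avpairs)
    return struct.pack("!BBH", 2, 1, 20 + len(attrs)) + bytes(16) + attrs

# Constructed sample: two separate Cisco-AVPair attributes, one per role string
SAMPLE = build_access_accept(["shell:priv-lvl=15", "shell:roles=admin"])

if __name__ == "__main__":
    for i, pair in enumerate(cisco_avpairs(SAMPLE), 1):
        print(f"Cisco-AVPair #{i}: {pair}")
```

If a capture of the real reply shows both strings as separate attributes, the users file is doing its job and the remaining question is on the device side.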


