overlapping cisco avpairs (UCS+IOS)
Øystein Gyland
oystegy at usit.uio.no
Wed Mar 6 12:28:16 CET 2013
On 03/06/2013 03:21 AM, Jimmy Stewpot wrote:
> Hello,
>
> We have always had the Cisco-AVPAIR of "shell:priv-lvl=15" which has been working for some time. With the Cisco UCS platform we need to introduce an additional shell: variable which looks like this "shell:roles=admin".
Your mileage may vary, but as the "Cisco-AvPair=shell:priv-lvl=15" is
equivalent to "Service-Type = Administrative-User" this might work:
DEFAULT LDAP-Group == "Network Full Access"
        Service-Type := Administrative-User,
        Cisco-AVpair += "shell:roles=admin"
This seems to work on Nexus switches (VSA based attributes) and IOS
12.2/12.3 based Catalyst switches. It breaks authorization on IOS 12.1.
-Øystein
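
Added example, not part of the original post: a sketch of how the two reply attributes in the entry above are laid out on the wire per RFC 2865, which helps when checking a packet capture of the Access-Accept to see what the device actually received. The function names are hypothetical and the sample reply is constructed here.

```python
import struct

SERVICE_TYPE = 6         # RFC 2865 attribute type for Service-Type
ADMINISTRATIVE_USER = 6  # Service-Type value "Administrative"
VENDOR_SPECIFIC = 26     # RFC 2865 Vendor-Specific attribute type
CISCO_VENDOR_ID = 9      # Cisco enterprise number
CISCO_AVPAIR = 1         # Cisco vendor type 1 (Cisco-AVPair)

def encode_service_type(value):
    # type, length (always 6), 32-bit value
    return struct.pack("!BBI", SERVICE_TYPE, 6, value)

def encode_cisco_avpair(text):
    data = text.encode("ascii")
    if len(data) > 247:  # 255 minus 8 bytes of attribute and vendor headers
        raise ValueError("AV pair too long for one attribute")
    return struct.pack("!BBIBB", VENDOR_SPECIFIC, len(data) + 8,
                       CISCO_VENDOR_ID, CISCO_AVPAIR, len(data) + 2) + data

def decode_attributes(buf):
    """Walk the attribute list of a RADIUS packet (header already removed)."""
    out, pos = [], 0
    while pos < len(buf):
        if len(buf) - pos < 2:
            raise ValueError("truncated attribute header")
        atype, alen = buf[pos], buf[pos + 1]
        if alen < 2 or pos + alen > len(buf):
            raise ValueError("bad attribute length")
        value = buf[pos + 2:pos + alen]
        if atype == SERVICE_TYPE and len(value) == 4:
            out.append(("Service-Type", struct.unpack("!I", value)[0]))
        elif atype == VENDOR_SPECIFIC and len(value) >= 6:
            vendor, vtype, vlen = struct.unpack("!IBB", value[:6])
            if (vendor, vtype, vlen) == (CISCO_VENDOR_ID, CISCO_AVPAIR, len(value) - 4):
                out.append(("Cisco-AVPair", value[6:].decode("ascii")))
            else:
                out.append(("Vendor-Specific", value))
        else:
            out.append((atype, value))
        pos += alen
    return out

def sample_reply():
    # Constructed sample: the two reply items from the users entry above.
    return (encode_service_type(ADMINISTRATIVE_USER)
            + encode_cisco_avpair("shell:roles=admin"))

if __name__ == "__main__":
    for name, value in decode_attributes(sample_reply()):
        print(name, "=", value)
```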