overlapping cisco avpairs (UCS+IOS)

Øystein Gyland oystegy at usit.uio.no
Wed Mar 6 12:28:16 CET 2013

On 03/06/2013 03:21 AM, Jimmy Stewpot wrote:
> Hello,
> We have always had the Cisco-AVPAIR of "shell:priv-lvl=15" which has been working for some time. With the Cisco UCS platform we need to introduce an additional shell: variable which looks like this "shell:roles=admin".

Your mileage may vary, but as the "Cisco-AvPair=shell:priv-lvl=15" is 
equivalent to "Service-Type = Administrative-User" this might work:

DEFAULT LDAP-Group == "Network Full Access"
	Service-Type := Administrative-User
	Cisco-AVpair +="shell:roles=admin"
This seems to work on Nexus switches (VSA based attributes) and IOS 
12.2/12.3 based Catalyst switches. It breaks authorization on IOS 12.1.


More information about the Freeradius-Users mailing list