overlapping cisco avpairs (UCS+IOS)

Phil Mayers p.mayers at imperial.ac.uk
Wed Mar 6 12:41:55 CET 2013


On 06/03/13 11:28, Øystein Gyland wrote:
> On 03/06/2013 03:21 AM, Jimmy Stewpot wrote:
>> Hello,
>>
>> We have always had the Cisco-AVPAIR of "shell:priv-lvl=15" which has
>> been working for some time. With the Cisco UCS platform we need to
>> introduce an additional shell: variable which looks like this
>> "shell:roles=admin".
>
> Your mileage may vary, but as the "Cisco-AvPair=shell:priv-lvl=15" is
> equivalent to "Service-Type = Administrative-User" this might work:
>
> DEFAULT LDAP-Group == "Network Full Access"
>      Service-Type := Administrative-User
>      Cisco-AVpair +="shell:roles=admin"

Another option is to use a Huntgroup or similar to conditionally return 
specific attributes e.g.

raddb/huntgroups:

NXOS	NAS-IP-Address == 192.0.2.1
NXOS	NAS-IP-Address == 192.0.2.2

IOS	NAS-IP-Address == 192.0.2.3


raddb/users:

DEFAULT	Huntgroup-Name == NXOS, Ldap-Group == "Network Full Access"
	Cisco-AVPAIR = "shell:roles=admin"

DEFAULT	Huntgroup-Name == IOS, Ldap-Group == "Network Full Access"
	Cisco-AVPAIR = "shell:priv-lvl=15"

The "huntgroups" file is read by the "preprocess" module IIRC so make 
sure that module is loaded. You can of course use something other than 
huntgroups - anything that identifies what type of NAS it is (e.g. an 
SQL lookup, LDAP, etc.)
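
The same per-NAS decision written as an unlang policy instead of users-file
entries, as an added example that is not part of the original post. It
assumes FreeRADIUS 3.x, the huntgroup names and NAS addresses from the
huntgroups file above, the LDAP group name from the thread, and that the
"preprocess" and "ldap" modules run earlier in authorize so that
Huntgroup-Name and LDAP-Group can be evaluated; the section below replaces
the matching part of sites-enabled/default:

```unlang
# Added example, not from the original post.  Assumes FreeRADIUS 3.x,
# the NXOS/IOS huntgroups defined in raddb/huntgroups, and an "ldap"
# module instance that registers the LDAP-Group comparison.
authorize {
    # preprocess reads raddb/huntgroups and makes Huntgroup-Name checkable
    preprocess
    # ldap must run before LDAP-Group is tested
    ldap

    if (LDAP-Group == "Network Full Access") {
        if (Huntgroup-Name == "NXOS") {
            update reply {
                # ":=" replaces any Cisco-AVPair an earlier module may
                # have pulled in, so only this policy reaches the NAS
                Cisco-AVPair := "shell:roles=admin"
            }
        }
        elsif (Huntgroup-Name == "IOS") {
            update reply {
                Cisco-AVPair := "shell:priv-lvl=15"
            }
        }
        # A NAS in neither huntgroup gets no role or privilege attribute,
        # so an unlisted device falls back to an ordinary login.
    }
}
```

Run the server with "radiusd -X" and send a test request with radclient
from each NAS address to confirm that only the expected Cisco-AVPair value
appears in the Access-Accept for that device.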
