overlapping cisco avpairs (UCS+IOS)
Phil Mayers
p.mayers at imperial.ac.uk
Wed Mar 6 12:41:55 CET 2013
On 06/03/13 11:28, Øystein Gyland wrote:
> On 03/06/2013 03:21 AM, Jimmy Stewpot wrote:
>> Hello,
>>
>> We have always had the Cisco-AVPAIR of "shell:priv-lvl=15" which has
>> been working for some time. With the Cisco UCS platform we need to
>> introduce an additional shell: variable which looks like this
>> "shell:roles=admin".
>
> Your mileage may vary, but as the "Cisco-AvPair=shell:priv-lvl=15" is
> equivalent to "Service-Type = Administrative-User" this might work:
>
> DEFAULT LDAP-Group == "Network Full Access"
>         Service-Type := Administrative-User,
>         Cisco-AVpair += "shell:roles=admin"
Another option is to use a Huntgroup or similar to conditionally return
specific attributes e.g.
raddb/huntgroups:

NXOS    NAS-IP-Address == 192.0.2.1
NXOS    NAS-IP-Address == 192.0.2.2
IOS     NAS-IP-Address == 192.0.2.3

raddb/users:

DEFAULT Huntgroup-Name == NXOS, Ldap-Group == "Network Full Access"
        Cisco-AVPAIR = "shell:roles=admin"

DEFAULT Huntgroup-Name == IOS, Ldap-Group == "Network Full Access"
        Cisco-AVPAIR = "shell:priv-lvl=15"
The "huntgroups" file is read by the "preprocess" module IIRC so make
sure that module is loaded. You can of course use something other than
huntgroups - anything that identifies what type of NAS it is (e.g. an
SQL lookup, LDAP, etc.)
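The huntgroup approach above, as an added illustration that is not part of the thread: a small Python model of how the preprocess module derives Huntgroup-Name from NAS-IP-Address and how the first matching users entry supplies the reply items. The HUNTGROUPS and USERS tables and the treatment of Ldap-Group as a plain request attribute are simplifying assumptions made here for the simulation.

```python
"""Model of FreeRADIUS huntgroup + users-file matching for the post's
config: huntgroup from NAS-IP-Address, then the first users entry whose
check items all match returns its reply items (no Fall-Through modelled).
"""

# Constructed huntgroups, mirroring raddb/huntgroups from the post
HUNTGROUPS = [
    ("NXOS", {"NAS-IP-Address": "192.0.2.1"}),
    ("NXOS", {"NAS-IP-Address": "192.0.2.2"}),
    ("IOS", {"NAS-IP-Address": "192.0.2.3"}),
]

# Constructed users entries: (check items, reply items). Ldap-Group is
# treated as an ordinary request attribute here (assumption).
USERS = [
    ({"Huntgroup-Name": "NXOS", "Ldap-Group": "Network Full Access"},
     {"Cisco-AVPair": ["shell:roles=admin"]}),
    ({"Huntgroup-Name": "IOS", "Ldap-Group": "Network Full Access"},
     {"Cisco-AVPair": ["shell:priv-lvl=15"]}),
]


def huntgroup_for(request):
    """Return the first huntgroup whose check items all match the
    request, or None. This is what preprocess sets as Huntgroup-Name."""
    for name, checks in HUNTGROUPS:
        if all(request.get(k) == v for k, v in checks.items()):
            return name
    return None


def reply_for(request):
    """Return the reply items of the first matching users entry.
    An empty dict means nothing matched: an unknown NAS or a user
    outside the group gets no shell: attribute, so no elevated access."""
    req = dict(request)
    hg = huntgroup_for(req)
    if hg is not None:
        req["Huntgroup-Name"] = hg
    for checks, reply in USERS:
        if all(req.get(k) == v for k, v in checks.items()):
            return reply
    return {}


if __name__ == "__main__":
    for ip in ("192.0.2.1", "192.0.2.3", "198.51.100.9"):
        req = {"NAS-IP-Address": ip, "Ldap-Group": "Network Full Access"}
        print(ip, "->", huntgroup_for(req), reply_for(req))
```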