secure acs: tacacs+ and radius together

Discussion in 'Cisco' started by psychogenic, Apr 25, 2006.

  1. psychogenic

    psychogenic Guest

    Has anyone successfully implemented secure ACS using both RADIUS and
    TACACS+ without the need to have two different servers? I'm planning
    to roll out dot1x (which requires authentication to be done via RADIUS)
    but I also want command authorization from TACACS+, which I can't seem
    to emulate with RADIUS.

    Thanks.
     
    psychogenic, Apr 25, 2006
    #1

  2. It may not be exactly what you are looking for, but you can do
    privilege level authorization with RADIUS.

    aaa new-model
    aaa authentication login myradius group radius local
    aaa authorization exec my-authradius group radius if-authenticated
    radius-server host w.x.y.z auth-port 1645 acct-port 1646 non-standard

    line vty 0 4
    password 7 23459287234
    authorization exec my-authradius
    login authentication myradius

    In your RADIUS config, define return list attributes that set a user's
    privilege level:

    Service-Type: NAS-Prompt
    Cisco-AVPAIR: shell:priv-lvl=15

    If a user logs in via telnet, they will automatically be put into
    privilege level 15 (enable mode). You can set the priv level for
    individual users or groups of users. Then you can tune the privilege
    level required for certain commands using the privilege command.
     
    Mark Williams, Apr 25, 2006
    #2
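    For anyone checking what the RADIUS server actually returns for the two attributes above: the snippet below (added here, not from the thread) builds the Service-Type and Cisco-AVPair attributes of an Access-Accept as RFC 2865 wire bytes, parses them back, and works out the exec privilege level the switch would apply. Attribute numbers and the Cisco vendor ID are standard values; the default level of 1 and the 0..15 range check are assumptions about IOS behaviour.

    ```python
    import struct

    # RFC 2865 attribute types and values (standard, not page-specific)
    SERVICE_TYPE = 6
    VENDOR_SPECIFIC = 26
    NAS_PROMPT = 7            # Service-Type value "NAS-Prompt"
    CISCO_VENDOR_ID = 9
    CISCO_AVPAIR = 1          # Cisco VSA sub-type carrying "shell:priv-lvl=N"
    PRIV_PREFIX = b"shell:priv-lvl="

    def encode_service_type(value: int) -> bytes:
        """Type(1) Length(1) Value(4) -> 6 bytes."""
        return struct.pack("!BBI", SERVICE_TYPE, 6, value)

    def encode_cisco_avpair(text: str) -> bytes:
        """VSA: Type 26, Length, Vendor-Id, then a vendor sub-TLV (type, length, string)."""
        val = text.encode()
        sub = struct.pack("!BB", CISCO_AVPAIR, 2 + len(val)) + val
        return struct.pack("!BBI", VENDOR_SPECIFIC, 6 + len(sub), CISCO_VENDOR_ID) + sub

    def parse_attributes(data: bytes):
        """Yield (type, value) for each TLV; reject lengths that run past the buffer."""
        i = 0
        while i + 2 <= len(data):
            t, ln = data[i], data[i + 1]
            if ln < 2 or i + ln > len(data):
                raise ValueError(f"malformed attribute at offset {i}")
            yield t, data[i + 2:i + ln]
            i += ln

    def privilege_level(attrs: bytes, default: int = 1) -> int:
        """Exec privilege level an Access-Accept grants (assumed IOS default: 1)."""
        level = default
        for t, v in parse_attributes(attrs):
            if t != VENDOR_SPECIFIC or len(v) < 6:
                continue
            if struct.unpack("!I", v[:4])[0] != CISCO_VENDOR_ID:
                continue
            # Vendor sub-attributes use the same type/length/value layout
            for st, sv in parse_attributes(v[4:]):
                if st == CISCO_AVPAIR and sv.startswith(PRIV_PREFIX):
                    n = int(sv[len(PRIV_PREFIX):])
                    if not 0 <= n <= 15:
                        raise ValueError(f"priv-lvl out of range: {n}")
                    level = n
        return level

    # Constructed Access-Accept attribute list matching the thread's return list
    ACCEPT = encode_service_type(NAS_PROMPT) + encode_cisco_avpair("shell:priv-lvl=15")
    ```

    Running `privilege_level(ACCEPT)` on the constructed attributes yields 15; an Access-Accept with only Service-Type leaves the user at the default level.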

  3. psychogenic

    psychogenic Guest

    Hi Mark,

    Thanks. Yes, I saw that with radius. However, I didn't know you can
    fine tune it. Is this done on the local switch itself?

    Mark Williams wrote:
    > It may not be exactly what you are looking for, but you can do
    > privilege level authorization with RADIUS.
    >
    > aaa new-model
    > aaa authentication login myradius group radius local
    > aaa authorization exec my-authradius group radius if-authenticated
    > radius-server host w.x.y.z auth-port 1645 acct-port 1646 non-standard
    >
    > line vty 0 4
    > password 7 23459287234
    > authorization exec my-authradius
    > login authentication myradius
    >
    > In your radius config, define return list attributes that sets a user's
    > privilege level:
    >
    > Service-Type: NAS-Prompt
    > Cisco-AVPAIR: shell:priv-lvl=15
    >
    > If a user logs in via telnet, they will automatically be put into
    > privilege level 15 (enable mode). You can set the priv level for
    > individual users or groups of users. Then you can tune the privilege
    > level required for certain commands using the privilege command.
     
    psychogenic, Apr 25, 2006
    #3
  4. Yes. You can fine-tune what privilege level is required for which
    commands on a per-switch basis using the privilege command in global
    config mode. For example, if you wanted to require privilege level 7
    for the command who, use the following:

    privilege exec level 7 who
     
    Mark Williams, Apr 26, 2006
    #4
  5. psychogenic

    psychogenic Guest

    Mark Williams wrote:
    > Yes. You can fine-tune what privilege level is required for which
    > commands on a per-switch basis using the privilege command in global
    > config mode. For example, if you wanted to require privilege level 7
    > for the command who, use the following:
    >
    > privilege exec level 7 who
    Rats. That would suck though if I had to do this for 50 switches? :)
     
    psychogenic, Apr 27, 2006
    #5