Radius AAA -- Am I Dreaming or What?

Discussion in 'Cisco' started by JohnD, Jul 31, 2007.

  1. JohnD

    JohnD Guest

    I have managed to get my 2600 ver 12.3 to authenticate to a Juniper
    Steel-belted Radius server. I am also setting the authorization with the
    radius server.

    The command on the router is: aaa authorization exec default group radius

    The return-list on the radius server is: cisco-AVPAIR shell:priv-lvl=15

    Thus, when I successfully authenticate to get into the router, I am
    automatically authorized with administrator privilege.

    I'm wondering if I can get even fancier with this. Is it possible to
    authorize with read-only access? And once I'm logged in with RO access, is
    it possible to enter an enable password that will give me write access?
    Finally (and this is probably very pie-in-the-sky), is it possible to have that
    enable password also managed by the radius server, so that if I ever have to
    change it, I don't have to change it locally on every router?

    Thanks
     
    JohnD, Jul 31, 2007
    #1

  2. Scott Perry

    Scott Perry Guest

    > I'm wondering if I can get even fancier with this. Is it possible to

    Logging into the router with unprivileged mode access, also known as exec
    mode, is basically read-only.
    Cisco routers require an enable mode password to enter enabled mode which
    then allows entry into configuration mode. It is also the mode where
    counters can be cleared, routing protocols can be reset, and debugging
    commands can be run.
    Authentication into enabled mode can also be checked via a RADIUS or other
    processes. Cisco ACS server running TACACS+ is a very popular method for
    centralizing authentication for VTY/telnet login and also enable mode
    authentication.

    Pointing your Cisco router to the Juniper RADIUS server for "exec" is the
    first step.
    aaa authentication exec default group radius

    Now for enable mode authentication, enter the command:
    aaa authentication enable default group radius

    I also suggest updating both of those commands to go back to normal in case
    the RADIUS server is not available:
    aaa authentication exec default group radius line
    aaa authentication enable default group radius enable

    --

    ===========
    Scott Perry
    ===========
    Indianapolis, Indiana
    ________________________________________
     
    Scott Perry, Jul 31, 2007
    #2
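    The pieces discussed in the question and in the reply above, assembled into one IOS 12.x AAA configuration. This is an added example, not configuration posted in the thread or taken from Cisco or Juniper documentation. The RADIUS server address, shared secret and local fallback credentials are placeholders; the login list uses the IOS keyword `aaa authentication login`, which is the command IOS 12.x accepts for VTY/console login authentication.

    ```text
    ! Added example (not from the thread). Goal: RADIUS users land in
    ! read-only EXEC (privilege 1) unless the RADIUS reply raises them, and
    ! the enable password is checked by RADIUS, not stored per router.
    aaa new-model
    !
    ! RADIUS server definition. Address and key are placeholders.
    radius-server host 192.0.2.10 auth-port 1645 acct-port 1646 key <SHARED-SECRET-PLACEHOLDER>
    !
    ! Login authentication: RADIUS first. The trailing "local" method is only
    ! consulted when no RADIUS server answers; an explicit RADIUS reject is
    ! final and does NOT fall through to the local user database.
    aaa authentication login default group radius local
    !
    ! Enable authentication: RADIUS first, locally configured enable secret
    ! only when RADIUS is unreachable. For this check IOS sends the reserved
    ! username "$enab15$" to the server, so that account must exist there.
    aaa authentication enable default group radius enable
    !
    ! EXEC authorization: the RADIUS reply sets the privilege level through
    ! Cisco-AVPair "shell:priv-lvl=N" (vendor 9, attribute 1). A reply with
    ! no priv-lvl leaves the user at level 1, i.e. read-only EXEC.
    ! "if-authenticated" lets an already-authenticated user in if RADIUS is down.
    aaa authorization exec default group radius if-authenticated
    !
    ! Local fallbacks, used only while RADIUS is unavailable. Placeholders.
    enable secret <LOCAL-ENABLE-SECRET-PLACEHOLDER>
    username admin privilege 15 secret <LOCAL-ADMIN-SECRET-PLACEHOLDER>
    !
    ! RADIUS server side (expressed generically, not in Steel-Belted syntax):
    !   read-only operator  -> reply attribute Cisco-AVPair = "shell:priv-lvl=1"
    !   administrator       -> reply attribute Cisco-AVPair = "shell:priv-lvl=15"
    !   user "$enab15$"     -> password is the centrally managed enable password
    ```

    With this layout a read-only operator authenticates, is placed at privilege 1, and then types `enable`; the router authenticates that request against RADIUS as the `$enab15$` user, so changing the enable password is a single edit on the RADIUS server rather than on every router. The local `enable secret` and `username` entries exist only for the outage case, so they should be set to strong values and rotated on the same schedule as the RADIUS credentials.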

  3. nakhmanson

    nakhmanson Guest


    here is something for you to read
    http://www.cisco.com/en/US/tech/tk59/technologies_tech_note09186a008009465c.shtml


    Roman Nakhmanson
     
    nakhmanson, Aug 1, 2007
    #3