How to Authorize group from AD


How to Authorize group from AD

Maicon Luis
Hello people,

I’m a newcomer here as well as on FreeRADIUS.

I have an environment with RADIUS integrated with Active Directory so I can log in on Cisco switches with an AD account. Everything is working, but I would like to give privilege 15 to users that log in.

I have added the following lines to the “users” file:

user1
                Service-Type = NAS-Prompt-User,
                Cisco-AVPair = "shell:priv-lvl=15",
                Fall-Through = Yes

When user1 logs in on the Cisco switch, he needs to type “enable” plus the local enable password, instead of his password from Active Directory.

I would like that when user “user1” logs in on the Cisco switch and types “enable”, he gets privilege 15 directly without any password, or with his password from AD instead of the local enable password.

What do I have to do to achieve this?

I’m using FreeRADIUS 3.0.

Thanks.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: How to Authorize group from AD

Alan DeKok-2

On Feb 1, 2019, at 10:50 AM, Maicon Luis <[hidden email]> wrote:
> I’m a newcomer here as well as on FreeRADIUS.

  Welcome!  It's not as bad as sometimes rumoured.  :)

> I have an environment with RADIUS integrated with Active Directory so I can log in on Cisco switches with an AD account. Everything is working, but I would like to give privilege 15 to users that log in.
>
> I have added the following lines to the “users” file:
>
> user1
>                Service-Type = NAS-Prompt-User,
>                Cisco-AVPair = "shell:priv-lvl=15",
>                Fall-Through = Yes
>
> When user1 logs in on the Cisco switch, he needs to type “enable” plus the local enable password, instead of his password from Active Directory.
>
> I would like that when user “user1” logs in on the Cisco switch and types “enable”, he gets privilege 15 directly without any password, or with his password from AD instead of the local enable password.

  That's a configuration for the switch, unless I'm mistaken.

  i.e. the Cisco documentation should describe how to do this.  There might be some RADIUS involved, but largely it means having the RADIUS server return the "right" attributes.

  And what are the "right" attributes?  I don't know.  Read the Cisco docs to see what their product needs.

  Alan DeKok.



Re: How to Authorize group from AD

Matthew Newton-3
On Fri, 2019-02-01 at 12:52 -0500, Alan DeKok wrote:

> On Feb 1, 2019, at 10:50 AM, Maicon Luis <[hidden email]>
> wrote:
> > I have added the following lines to the “users” file:
> >
> > user1
> >                Service-Type = NAS-Prompt-User,
> >                Cisco-AVPair = "shell:priv-lvl=15",
> >                Fall-Through = Yes
>
>   And what are the "right" attributes?  I don't know.  Read the Cisco
> docs to see what their product needs.

I believe they are the right attributes - at least, I've seen it
working with those before.

So it's either that the RADIUS server isn't returning them (run in
debug mode `radiusd -X` to see), or that there is additional config
needed on the switch.

--
Matthew



Re: How to Authorize group from AD

Users mailing list
Maicon,

There is additional config you need on the switch.

If you're running IOS or IOS-XE (e.g., on a Catalyst series switch),
you need to add "aaa new-model" and "aaa authorization exec" to your
config.

The latter must include as parameters "group <RADNAME>", where
"<RADNAME>" is either "radius" (to use the sole or default set of
configured RADIUS servers), or is the name of a group of RADIUS
servers defined by "aaa group server radius <RADNAME>".

As you'll see in docs, "aaa authorization exec" can have multiple
ordered authorization sources (e.g., local-then-RADIUS), just like
when you defined "aaa authentication login".


On 2/1/2019 12:28 PM, Matthew Newton wrote:

> On Fri, 2019-02-01 at 12:52 -0500, Alan DeKok wrote:
>> On Feb 1, 2019, at 10:50 AM, Maicon Luis <[hidden email]>
>> wrote:
>>> I have added the following lines to the “users” file:
>>>
>>> user1
>>>                Service-Type = NAS-Prompt-User,
>>>                Cisco-AVPair = "shell:priv-lvl=15",
>>>                Fall-Through = Yes
>>
>> And what are the "right" attributes?  I don't know.  Read the
>> Cisco docs to see what their product needs.
>
> I believe they are the right attributes - at least, I've seen it
> working with those before.
>
> So it's either that the RADIUS server isn't returning them (run in
> debug mode `radiusd -X` to see), or that there is additional
> config needed on the switch.
>

--
Douglas C. Stephens | Network Systems Analyst
Enterprise Information Services | Phone: (515) 294-6102
Ames Laboratory, US DOE         | Email: [hidden email]
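Added example (not from this thread, and not taken from Cisco or FreeRADIUS documentation): a minimal IOS/IOS-XE AAA fragment of the kind Douglas describes, so the `Cisco-AVPair = "shell:priv-lvl=15"` that the users file already returns is applied at login. It assumes IOS 15.x / IOS-XE `radius server` syntax; RADGRP, RAD1, 192.0.2.10 and the shared secret are placeholders.

```text
! Added example, not from the thread. Placeholders: RADGRP, RAD1,
! 192.0.2.10, <SHARED-SECRET>. Assumes IOS 15.x / IOS-XE syntax.
aaa new-model
!
! The RADIUS server(s) that FreeRADIUS runs on.
radius server RAD1
 address ipv4 192.0.2.10 auth-port 1812 acct-port 1813
 key <SHARED-SECRET>
!
! Named server group referenced by "group RADGRP" below;
! "group radius" would use all configured servers instead.
aaa group server radius RADGRP
 server name RAD1
!
! Authentication: RADIUS (AD-backed) first, local accounts only if
! no RADIUS server answers.
aaa authentication login default group RADGRP local
!
! Exec authorization is the missing piece: it is what makes the
! switch honour shell:priv-lvl=15 from the Access-Accept, so the
! session starts at privilege 15 and "enable" is not needed.
! Ordered sources, RADIUS then local, like the login list above.
aaa authorization exec default group RADGRP local
!
line vty 0 4
 login authentication default
 authorization exec default
 transport input ssh
```

With this in place, a user whose Access-Accept carries only `Service-Type = NAS-Prompt-User` (no `Cisco-AVPair`) still lands at the default privilege level, so the users file entry remains the per-user control over who gets level 15.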