I'm in the process of configuring management login via a NAC that is proxied to FreeRADIUS.
The backend authentication database is Kerberos.
The following example configuration has been put onto the switch:
    radius-server host x.x.x.x key 7 asfjejfejfladjljklajflkdajfkl
    aaa group server radius NAC
      server x.x.x.x
      server x.x.x.x
    aaa authentication login default group NAC local
Currently no RADIUS attributes have been configured to be sent to the switch in the RADIUS Access-Accept.
When logging into the switch, access is granted using my Kerberos account, as well as enable access, so all good!
The following command has not been added, because it caused a password prompt on 'enable'; on entering the password, the switch would pass an erroneous username along with the entered password to Kerberos, which would fail because no username of that value exists in the database. This could have been fixed by adding the username to Kerberos, but the idea was to grant full network admin rights or read-only rights depending on the account used to log in, by passing the relevant Access-Accept attributes.
    aaa authentication enable default group NAC local
So my questions are:
1) What role and privilege level have been granted to the Kerberos login as it stands? 'show users' only details the username that is currently logged in, and 'show role' and 'show user-account' equally don't help find the information.
2) If I wanted to grant certain access levels to users based on the attributes passed in the RADIUS Access-Accept, how would I go about this? The documentation details some vendor-specific attributes:
My thoughts are that I would need to pass these in the RADIUS Access-Accept, exactly as detailed below:
If anyone is able to point me in the right direction that would be very much appreciated.
Many thanks in advance.
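As an added illustration (not part of the original post) of the mechanism asked about in question 2: a FreeRADIUS `users` file fragment that leaves authentication to Kerberos and only sets reply attributes, mapping two classes of administrator to two different reply sets. The group names, the check attribute used to tell the two classes apart, and the VSA values are assumptions; in a real deployment the check would come from whatever the site already has (an LDAP group, a huntgroup, a per-user entry), and the Cisco-AVPair values must be the exact role strings from the switch documentation the post refers to, so they are left as labelled placeholders here.

```text
# FreeRADIUS "users" file fragment (constructed example, not from the original post).
#
# Assumptions:
#  - Authentication is handled elsewhere (Kerberos); these entries only add
#    reply attributes to the Access-Accept.
#  - "Ldap-Group" is used as the check item that separates the two classes of
#    user; the group names "net-admins" and "net-readonly" are placeholders.
#  - The Cisco-AVPair values are placeholders for the role strings in the
#    switch's documentation.  Service-Type = NAS-Prompt-User marks the session
#    as an interactive CLI login.

# Full network administrators
DEFAULT Ldap-Group == "net-admins"
        Service-Type = NAS-Prompt-User,
        Cisco-AVPair = "<FULL-ADMIN-ROLE-VSA-FROM-SWITCH-DOCS>"

# Read-only operators
DEFAULT Ldap-Group == "net-readonly"
        Service-Type = NAS-Prompt-User,
        Cisco-AVPair = "<READ-ONLY-ROLE-VSA-FROM-SWITCH-DOCS>"

# Anyone not in either group gets an Access-Accept with no role attribute,
# so the switch falls back to its default role.  If that default is too
# permissive, add a final catch-all entry that rejects instead:
#
# DEFAULT Auth-Type := Reject
```

Two points worth checking after adding something like this: run `radiusd -X` and confirm the chosen entry and the reply attributes appear in the debug output for a test login of each class, and then verify on the switch (`show users` plus the role/privilege commands in the post) that the read-only account really cannot enter configuration mode, since the whole point of splitting the two classes is that the less privileged one fails closed.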