Posted on February 2, 2016 1:53 pm
 |  Asked by Martin
 |  5649 views

In the process of configuring management login, via a NAC that is proxied to FreeRadius.

The backend authentication database is kerberos.

The following example configuration has been put onto the switch:

radius-server host x.x.x.x key 7 asfjejfejfladjljklajflkdajfkl
aaa group server radius NAC
    server x.x.x.x
    server x.x.x.x
aaa authentication login default group NAC local

Currently no radius attributes have been configured to be sent to the switch in the Radius access-accept.

When logging into the switch, access is granted by using my kerberos account, as well as enable access – so all good!

The following command has not been added, as this was causing the password prompt on 'enable', which, on putting the password in, would subsequently pass an erroneous username along with the entered password onto kerberos, which would fail due to no username of that value being in the database. This could have been fixed by adding the username to kerberos, but the idea was to grant full network admin rights or read-only rights dependent on the account used to log in, by means of passing the relevant access-accept attributes.

aaa authentication enable default group NAC local

So my questions are:

1) What role and privilege level has been granted to the kerberos login as it stands? 'Show users' only details the username that is currently logged in, and 'show role' and 'show user-account' equally don't help find the information.

2) If I wanted to grant certain access levels to users based on the attributes passed in the Radius access-accept, how would I go about this? The documentation details some vendor specific attributes:

priv-lvl=X
Arista-AVPair="shell:roles=network-admin"

My thoughts are that I would need to pass these in the Radius access-accept, exactly as detailed below:

Arista-AVPair="shell:priv-lvl=15"
Arista-AVPair="shell:roles=network-admin"

If anyone is able to point me in the right direction that would be very much appreciated.

Many thanks in advance.

Posted by Shine
Answered on February 3, 2016 3:37 pm

Hello Martin,

Regarding question #1, when no arguments were sent through the AAA process, the authenticated user will be logged in EXEC mode.

About question #2, your FreeRadius should have the Arista AVP in its dictionary file, and you should pass these AVPs for each user you want to be authorized for a configured role.

According to EOS manual, a dictionary file sample:

#
# dictionary.arista
#
VENDOR           Arista    30065
#   Standard Attribute
BEGIN-VENDOR     Arista
ATTRIBUTE        Arista-AVPair    1    string
END-VENDOR       Arista

And a user file sample:

# Sample RADIUS server users file
"Jane" Cleartext-Password := "Abc1235"
       Arista-AVPair = "shell:roles=sysuser2",
       Service-Type = NAS-Prompt-User
"Mary" Cleartext-Password := "xYz$2469"
       Arista-AVPair = "shell:roles=sysadmin",
       Service-Type = NAS-Prompt-User
"Fred" Cleartext-Password := "rjx4#222"
       Arista-AVPair = "shell:roles=network-operator",
       Service-Type = NAS-Prompt-User

Note that the role can be a built-in or a user-defined role. You can also pass a privilege level string.

You can check these sessions with the "show aaa session" command.
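As an added example (not from this thread or from Arista/FreeRADIUS), here is how the Arista-AVPair from the dictionary above is carried on the wire: an RFC 2865 Vendor-Specific attribute (type 26) with vendor id 30065 and vendor-type 1. The encoder builds the attribute, the decoder walks an Access-Accept attribute list and pulls out every Arista-AVPair, which is what you would compare against a packet capture when checking that the server really sends "shell:roles=..." or "shell:priv-lvl=...". The sample attribute bytes are constructed here, not captured.

```python
import struct

ARISTA_VENDOR_ID = 30065    # VENDOR Arista 30065 in dictionary.arista
ARISTA_AVPAIR_TYPE = 1      # ATTRIBUTE Arista-AVPair 1 string
VENDOR_SPECIFIC = 26        # RFC 2865 Vendor-Specific attribute type

def encode_arista_avpair(value: str) -> bytes:
    """One Vendor-Specific AVP: Type(26) Len VendorId(4) VType(1) VLen String."""
    data = value.encode("ascii")
    sub = struct.pack("!BB", ARISTA_AVPAIR_TYPE, 2 + len(data)) + data
    body = struct.pack("!I", ARISTA_VENDOR_ID) + sub
    if 2 + len(body) > 255:
        raise ValueError("attribute too long for a single RADIUS AVP")
    return struct.pack("!BB", VENDOR_SPECIFIC, 2 + len(body)) + body

def decode_arista_avpairs(attrs: bytes) -> list[str]:
    """Walk a RADIUS attribute list; return every Arista-AVPair string.
    Other attributes (e.g. Service-Type) and other vendors' VSAs are skipped."""
    out, pos = [], 0
    while pos < len(attrs):
        if pos + 2 > len(attrs):
            raise ValueError("truncated attribute header")
        typ, length = attrs[pos], attrs[pos + 1]
        if length < 2 or pos + length > len(attrs):
            raise ValueError("bad attribute length")
        if typ == VENDOR_SPECIFIC and length >= 8:
            (vendor,) = struct.unpack("!I", attrs[pos + 2:pos + 6])
            vtype, vlen = attrs[pos + 6], attrs[pos + 7]
            # vendor-length covers its own 2-byte header plus the string
            if vendor == ARISTA_VENDOR_ID and vtype == ARISTA_AVPAIR_TYPE \
                    and vlen == length - 6:
                out.append(attrs[pos + 8:pos + length].decode("ascii"))
        pos += length
    return out

def parse_shell_avpair(avpair: str) -> tuple[str, str]:
    """Split 'shell:roles=network-admin' into ('roles', 'network-admin')."""
    if not avpair.startswith("shell:") or "=" not in avpair:
        raise ValueError(f"not a shell AV pair: {avpair!r}")
    key, _, value = avpair[len("shell:"):].partition("=")
    return key, value

# Constructed sample Access-Accept attributes: the two Arista VSAs from the
# question, then Service-Type(6) = NAS-Prompt-User (7) as in the users file.
SAMPLE_ACCEPT_ATTRS = (
    encode_arista_avpair("shell:priv-lvl=15")
    + encode_arista_avpair("shell:roles=network-admin")
    + struct.pack("!BBI", 6, 6, 7)
)
```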

Posted by Martin
Answered on February 4, 2016 3:34 pm

So I've configured radius and I can confirm through a Wireshark trace (that I unfortunately cannot share) that I am definitely passing the attributes for privilege level 15 and role of network admin as detailed above.

The 'show users' command is showing my kerberos username as the user logged in, and it logs me in at privilege level 1. I can just type 'enable' without the need for a password.

So it seems that although I am passing the correct attributes I am not defaulting to privileged exec mode, and I can't find a command to view what role I might have received. Radius authentication seems to act exactly the same whether I'm passing these attributes or none at all. Any ideas what I might be doing or understanding wrong?

Maybe I have to enable aaa authorization…. will play with that next?

Thanks.

Posted by Pedro Morais
Answered on August 12, 2016 11:45 am

Hi Martin,

I’m having the exact same issue. Were you able to solve this? If yes, can you share your solution?

Regards,
Pedro

Posted by Aesha Parikh
Answered on August 15, 2016 4:26 pm

Hi Martin/Pedro,

For users to directly enter privileged mode (if priv=15), you need to configure "aaa authorization exec default group xxx".

You can check the role assigned to the users using "show aaa sessions".
