Radius vs TACACS

Fint ([H]ard|Gawd, joined Jun 11, 2004, 1,046 messages)
I have previously used Cisco ACS for doing TACACs for my routers and switches. I am now in a new environment which doesn't have Cisco ACS, but they do have a radius server (in the form of IAS on a Windows Domain Controller). I understand that RADIUS has no provision given to users as to which command that they can run on the router. Does this also mean you can't have certain users enable privileges and others have read-only access?
 
Radius uses something called a dictionary file to determine vendor specific information... I think...

I set up admin authentication to NetScreen firewalls via a radius server, and the radius server already had a dictionary file in it for NetScreen equipment which allowed me to select read-only vs read/write on the admin privileges.

I would imagine there should be something similar for Cisco?
 
You can set up policies within IAS on your domain controller. After configuring the policies add the radius client (VPN server, switch, WLAN access point etc...) and keep note of your shared key. If you need the M.A. attribute then check the box.

This is not too much work and it will all be in sync with active directory.

Google "radius windows 2003 active directory", I'm sure you'll get crap loads of guides.
 
Nope, you should be able to make a group on your IAS box that has privilege level 15, and one that has standard user mode privileges. Create yourself a security profile for the privilege users, create a group for those users. From there I believe you go into the authentication portion of the policy and add a value to switch to privilege 15 once the user logs in.

This is from the top of my head, so that might not be 100% accurate, but I know that you can do what you want. BTW, the command level authorization is one major reason why most of our customers want to use the ACS TACACS+ solution vs. any RADIUS solution :)
 
hrm... this is kicking my butt. Regular 'login' works just fine, checks the Radius for authorization, it gives a thumbs-up if the user is in the correct group, everything is happy.

However, when trying to enable, the Cisco passes along a username of $enab15$, which isn't quite what I had in mind ("User $enab15$ was denied access.")

has anybody figured out a way around this? We'd still like to use Radius, but I know TACACS+ can do this properly.
 
Did a quick google for you Flint. Looks like I was almost right.
http://vectorcomms.com/radius.html

HTH
 
Thank you. I had found mentions of the shell:priv-lvl=15 with my googling, but they all left out the "aaa authorization exec default group radius if_authenticated" part.

Not quite perfect, but free (if you disable and try to re-enable, you have to use the regular enable password, but that's pretty darn minor considering IAS is free).

Thanks again
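The fix the thread lands on is for the RADIUS server to hand the router a Cisco AV-pair of shell:priv-lvl=15 in its Access-Accept, so the user starts the exec session at privilege 15 and the $enab15$ enable request never has to be made. As an added example (not code from this thread, from Cisco, or from Microsoft), here is a small Python encoder and bounds-checked decoder for that attribute as it appears on the wire (RFC 2865 Vendor-Specific attribute 26, Cisco vendor ID 9, sub-attribute 1, cisco-avpair), which is useful for checking in a packet capture whether IAS is actually sending the attribute; all function names, the packet identifier and the zeroed authenticator are constructed for the example.

```python
import struct
VENDOR_SPECIFIC = 26   # RFC 2865 attribute type 26, Vendor-Specific
CISCO_VENDOR_ID = 9    # IANA enterprise number for Cisco
CISCO_AVPAIR = 1       # Cisco sub-attribute 1, "cisco-avpair", e.g. shell:priv-lvl=15

def cisco_avpair(value):
    """Encode one Vendor-Specific attribute carrying a cisco-avpair string."""
    data = value.encode("ascii")
    body = struct.pack("!IBB", CISCO_VENDOR_ID, CISCO_AVPAIR, 2 + len(data)) + data
    if 2 + len(body) > 255:  # the RADIUS attribute length field is a single byte
        raise ValueError("value too long for a single RADIUS attribute")
    return struct.pack("!BB", VENDOR_SPECIFIC, 2 + len(body)) + body

def access_accept(identifier, authenticator, attrs):
    """Build an Access-Accept (code 2): code, id, length, 16-byte authenticator, attributes."""
    payload = b"".join(attrs)
    return struct.pack("!BBH", 2, identifier, 20 + len(payload)) + authenticator + payload

def cisco_avpairs(packet):
    """Return every cisco-avpair string in a RADIUS packet; all lengths are bounds-checked."""
    length = struct.unpack("!H", packet[2:4])[0]
    if length < 20 or length > len(packet):
        raise ValueError("bad RADIUS length field")
    pairs, pos = [], 20
    while pos < length:
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("malformed attribute")
        value = packet[pos + 2:pos + alen]
        pos += alen
        if atype != VENDOR_SPECIFIC or len(value) < 6 or value[:4] != struct.pack("!I", CISCO_VENDOR_ID):
            continue  # not a Cisco VSA: other vendors' attributes are ignored
        sub = 4
        while sub + 2 <= len(value):
            vtype, vlen = value[sub], value[sub + 1]
            if vlen < 2 or sub + vlen > len(value):
                raise ValueError("malformed vendor sub-attribute")
            if vtype == CISCO_AVPAIR:
                pairs.append(value[sub + 2:sub + vlen].decode("ascii"))
            sub += vlen
    return pairs

def priv_lvl(packet):
    """Privilege level the router grants at exec start, or None if no shell:priv-lvl pair."""
    for pair in cisco_avpairs(packet):
        key, _, val = pair.partition("=")
        if key.strip() == "shell:priv-lvl":
            return int(val)
    return None
```

The attribute only takes effect on the router once exec authorization is pointed at RADIUS; note that the IOS keyword is spelled if-authenticated with a hyphen.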
 