RADIUS with Cisco and "read only" users

cyr0n_k0r

I have myself set on the RADIUS server to pass privilege 15, but we have some techs that I want to be able to see the entire running config, just not modify it.

I have looked and looked, and it seems privilege levels will only let you "see" what you can also modify. So if I give the techs, let's say, privilege level 7 or 8, they can see the running config, but not the entire config.

It seems blogs are suggesting a workaround to this: issue an "autocommand" to show the running config and then disconnect. But I am wondering if anyone else has come across this limitation and found a better solution.

The other big problem I have with the above-mentioned workaround is that it relies on a user local to the switch. I would ideally like to set up something where I can use their AD credentials. I already have RADIUS, and they can authenticate and log in to the switches via AD username and password, but it seems I can only set them as full access or no access.
 
I believe that with standard user levels you can only view portions of the running config that you have permission to change. If you are looking for more granular access control, I think TACACS+ allows per-command authorization.

Someone correct me if I'm wrong :p
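The per-command authorization the previous post describes, written out as an added example (not from the thread or any poster): a Shrubbery tac_plus configuration plus the matching IOS AAA commands. The server address, shared secret, group and user names are made up; `login = PAM` is one assumed way to hand the password check to AD and is not something the thread tested. The trick is that the read-only group still lands at privilege 15, so `show running-config` prints the whole config, while every other command is denied by the server.

```conf
# /etc/tac_plus.conf (Shrubbery tac_plus syntax) -- constructed example
key = "MySharedSecret"

# Read-only group: EXEC lands at level 15 so "show running-config" prints the
# complete config, but only the commands listed below are authorized.
# There is deliberately no "default service = permit" here, so anything not
# matched is denied: configure terminal, write, reload, copy, clear, ...
group = netops-readonly {
    service = exec {
        priv-lvl = 15
    }
    cmd = show       { permit .* }
    cmd = ping       { permit .* }
    cmd = traceroute { permit .* }
    cmd = terminal   { permit .* }
    cmd = exit       { permit .* }
    cmd = logout     { permit .* }
}

# Admin group: everything permitted.
group = netops-admin {
    default service = permit
    service = exec {
        priv-lvl = 15
    }
}

# login = PAM delegates the password check to PAM (e.g. pam_winbind), which is
# one way to reach AD. Assumed here; adjust to how your daemon was built.
user = tech1 {
    login = PAM
    member = netops-readonly
}
user = admin1 {
    login = PAM
    member = netops-admin
}

! ---- IOS side ('!' comments are IOS style) ----
! aaa new-model
! tacacs-server host 192.0.2.10 key MySharedSecret
! aaa authentication login default group tacacs+ local
! aaa authorization exec default group tacacs+ local
! every level-15 EXEC command is sent to the server before it runs:
! aaa authorization commands 15 default group tacacs+ local
! also check commands typed inside configuration mode (moot for the read-only
! group, since "configure terminal" itself is never authorized):
! aaa authorization config-commands
! aaa accounting commands 15 default start-stop group tacacs+
```

Two things to check before trusting this. First, test it with the TACACS+ server unreachable: the fallback method (`local` above) decides what happens then, and a fallback of `none` or `if-authenticated` permits every command. Second, "read only" on the entire config is still sensitive: anyone who can run `show running-config` can copy out type 7 passwords, SNMP communities and pre-shared keys, so the read-only group should be limited to people you would trust with those secrets.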
 
I know on my router for peerix, Vito helped me set up a separate privilege level for a user to only look up BGP routes, traceroute, and ping. Now, to do that with RADIUS, I wish I could tell you that one. I know it's possible.
 
You should be able to pass privilege levels back from the RADIUS box to the device. Once they are logged in, they will be subject to the limitations of the given level. So you'll be able to permit certain commands like Calvin mentioned, but will still have issues with "show running-config".
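What "passing privilege levels back from the RADIUS box" looks like in practice, as an added example that is not from the thread: a FreeRADIUS `users` file returning the Cisco-AVPair `shell:priv-lvl`, and the IOS commands that make the switch honour it. Server address, secret and usernames are made up, and the inline `Cleartext-Password` is only there so the file is self-contained; with AD the password check would come from ntlm_auth or LDAP instead. The last IOS line is the `privilege exec` move that lets a level-7 user run `show running-config`, and it is exactly what produces the partial output the previous post warns about.

```conf
# /etc/raddb/users (FreeRADIUS) -- constructed example
# Entries are matched top-down; Fall-Through is off, so the first match wins.
admin1   Cleartext-Password := "example-only"
         Service-Type = NAS-Prompt-User,
         Cisco-AVPair = "shell:priv-lvl=15"

# Techs land at level 7. At level 7 "show running-config" only lists the
# commands level 7 itself is allowed to configure, so this is NOT a full
# read-only view of the config.
tech1    Cleartext-Password := "example-only"
         Service-Type = NAS-Prompt-User,
         Cisco-AVPair = "shell:priv-lvl=7"

# Anyone not listed above is refused.
DEFAULT  Auth-Type := Reject

! ---- IOS side ('!' comments are IOS style) ----
! aaa new-model
! radius-server host 192.0.2.20 key MySharedSecret
! without this the switch ignores the Cisco VSA carrying priv-lvl:
! radius-server vsa send authentication
! aaa authentication login default group radius local
! EXEC authorization is what applies shell:priv-lvl; without it every
! RADIUS user lands at level 1 regardless of the attribute:
! aaa authorization exec default group radius local
! let level 7 run show running-config (prints only the level-7 subset):
! privilege exec level 7 show running-config
```

The useful thing to take from this is that RADIUS only hands the switch a number; everything after that is the device's own privilege-level model, which is why a level below 15 can never see the whole running config and why level 15 over RADIUS means full write access.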
 
Create a kron job that outputs the running-config to a TFTP server that said admins can view/download from. I don't know, just trying to think outside the box and maybe lead you in a different way to solve the problem. Maybe HTTP access? Do they need everything in the running config? Interface configs? Routes?
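The kron idea from the post above, as an added example (not the poster's configuration), alongside the IOS `archive` feature which does the same job with less typing. Server address, file names and schedule are made up.

```cisco
! Option A: kron, as suggested. Runs at privilege 15 on a schedule and
! redirects the complete running config to a TFTP server.
kron policy-list PUSH-CONFIG
 cli show running-config | redirect tftp://192.0.2.30/switch01-running.cfg
kron occurrence PUSH-CONFIG at 6:00 recurring
 policy-list PUSH-CONFIG

! Option B: the built-in archive feature writes a numbered copy every
! 24 hours (time-period is in minutes) and another on every "write memory".
archive
 path tftp://192.0.2.30/switch01
 time-period 1440
 write-memory

! Either way the file carries type 7 passwords, SNMP communities and keys
! across the network in the clear over TFTP. Restrict who can reach the
! server, and prefer scp where the image supports it:
! archive
!  path scp://backup@192.0.2.30/configs/switch01
```

Whichever option is used, the people who can read the dropped file now have exactly the access the thread is trying to grant, so the file share needs the same access control you would want on the switch itself.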
 
Well, I just ended up giving them priv 15 but making clear that any changes need to go through me.
They have always *had* access to the switches, but I wanted to prevent them from changing anything because it has come back to bite them in the past. Plus, they aren't certified to work on the equipment, so I don't like that many inexperienced hands in the cookie jar.

But because Cisco has no elegant way to provide read-only access to the entire config, this is what I am stuck with. My question is done, but I'll leave the thread open in case anyone ever comes up with a better solution, or anyone who has the same problem can chime in.
 
I use rancid to archive the configs a few times a day, keeping them in a CVS repository and making the full text of the configs available via browser; then you can have your limited priv levels for show commands on the equipment themselves.

It might be worth looking into some of the open-source TACACS+ libraries for a FOSS alternative to RADIUS :)
 