On Fri, 2004-11-05 at 07:33 -0800, Mike Donnelly wrote:
> All,
>
> Newbie ish question..
> I would like to use FreeRadius to authorize
> cli users for specific commands entered on my
> cisco routers. I can set up my cisco's to
> look to radius for command authorization
> using the "aaa authorization commands 1 default
> group radius ..." string, but I'm
> unclear how I need to prepare/configure the
> radius server side. Is there an example
> of command authorization somewhere, or could
> someone point me in the right direction?
>
> I use FreeRadius Version 1.0.0-pre3 on solaris,
> flat files for logging + clients.
>
> My test command would be to allow
> user JOE to run the SHOW SNMP command
> on router 1.2.3.4.
>
> Thanks for any direction here .. The cisco docs
> are excellent for the cisco side, but alas I'm
> missing 1/2 the puzzle..
>
>
Example from my Foundry setup; it uses shadow.

limtedaccess    Auth-Type := System
        Acct-Authentic == RADIUS,
        Service-Type = NAS-Prompt-User,
        foundry-privilege-level = 0,
        foundry-command-string = "show log; show vsrp; show ip interface; show arp; show mac-address *; show statistics; show vlan; show interface; show running-config; copy running-config *;configure terminal; interface *; speed-duplex *;port-name *; vlan *; tagged *; untagged *;",
        foundry-command-exception-Flag = 0

Since Cisco's docs are so good this should be all you need.
Ted
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
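
An added example, not part of the original thread and not FreeRADIUS or Foundry code: a small Python model for reviewing offline which commands an entry like the one in the reply would allow. It assumes `;` separates entries, a trailing `*` is a wildcard, matching is case-insensitive, and exception flag 0 means "permit only the listed commands"; the function names are hypothetical and the device's own matching rules are authoritative.

```python
# Added illustration: offline model of a Foundry command allow-list.
# Assumptions (not from the thread): ';' separates entries, a trailing
# '*' is a wildcard, matching is case-insensitive, and exception flag
# 0 = permit only listed commands, 1 = deny listed commands.

# Constructed sample input: attribute values copied from the entry above.
COMMAND_STRING = (
    "show log; show vsrp; show ip interface; show arp; show mac-address *; "
    "show statistics; show vlan; show interface; show running-config; "
    "copy running-config *;configure terminal; interface *; speed-duplex *;"
    "port-name *; vlan *; tagged *; untagged *;"
)
EXCEPTION_FLAG = 0


def normalize(text):
    """Collapse runs of whitespace and lowercase for comparison."""
    return " ".join(text.split()).lower()


def parse_patterns(command_string):
    """Split the attribute value into normalized, non-empty entries."""
    return [normalize(p) for p in command_string.split(";") if p.strip()]


def matches(command, pattern):
    """Exact match, or prefix match when the entry ends in '*'."""
    if pattern.endswith("*"):
        prefix = pattern[:-1].strip()
        return command == prefix or command.startswith(prefix + " ")
    return command == pattern


def is_permitted(command, patterns, exception_flag):
    """Apply the list as an allow-list (flag 0) or a deny-list (flag 1)."""
    listed = any(matches(normalize(command), p) for p in patterns)
    return listed if exception_flag == 0 else not listed


def non_show_entries(patterns):
    """Entries that are not read-only 'show' commands, for manual review."""
    return [p for p in patterns if not p.startswith("show ")]


if __name__ == "__main__":
    pats = parse_patterns(COMMAND_STRING)
    for cmd in ("show arp", "show snmp", "vlan 10"):
        print(cmd, "->", is_permitted(cmd, pats, EXCEPTION_FLAG))
    print("review:", non_show_entries(pats))
```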