Hi,
I'm trying to authenticate and authorize Cisco router administrators, but the authorization (privilege level) does not work, i.e. not when I add "aaa authorization exec default group radiusvrf if-authenticated" to the Cisco router to be able to manage privileges with RADIUS.
To make it work, I think I need to configure the Service-Type and cisco-avpair attributes for each user to get the authorization from the Cisco router.
I want to configure these attributes in FreeRADIUS, not in OpenLDAP.
So, is it possible to add these attributes to a specific user in the raddb/users file after he has been authenticated by LDAP? Or must I do it differently?
In raddb/radiusd.conf:
authorize {
	preprocess
	files
	ldap
}
authenticate {
	Auth-Type PAP {
		pap
	}
	Auth-Type LDAP {
		ldap
	}
}
I tried with a user and a DEFAULT user:
raddb/users:
Robert
	Service-Type = NAS-Prompt-User,
	cisco-avpair = "shell:priv-lvl=1"

DEFAULT
	Service-Type = NAS-Prompt-User,
	cisco-avpair = "shell:priv-lvl=1"
But these attributes don't seem to be sent to the router. When ldap is in the authorize section of radiusd.conf, is the users file not checked anymore?
Thanks for your help
Thomas
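A users-file layout for the setup described above, added here as an example and not taken from the original post. It assumes Robert should get privilege level 15 and everyone else level 1 (the post uses 1 for both), and that cisco-avpair is defined by the stock dictionary.cisco; the user names and the authorize ordering are the ones from the post.

```text
# raddb/users -- added example, not the poster's own file.
#
# Syntax rule of the files module: the first line of an entry carries the
# user name plus CHECK items (attributes the request must contain). Reply
# items go on the indented lines below, comma-separated, no comma after the
# last one. "Robert Service-Type = NAS-Prompt-User" on one line therefore
# makes Service-Type a check item, not something sent back to the router.
#
# With "authorize { preprocess files ldap }" the files module still runs;
# listing ldap after it does not disable it. Reply items set here stay in
# the Access-Accept unless a later module (e.g. ldap via ldap.attrmap) sets
# the same attribute.

# Per-user entry; matched first because it precedes DEFAULT.
# Assumed privilege level 15 for this administrator.
Robert
	Service-Type = NAS-Prompt-User,
	cisco-avpair = "shell:priv-lvl=15"

# Catch-all for every other LDAP-authenticated administrator.
# The files module stops at the first matching entry unless that entry
# contains "Fall-Through = Yes", so Robert never reaches this block.
DEFAULT
	Service-Type = NAS-Prompt-User,
	cisco-avpair = "shell:priv-lvl=1"
```

Run radiusd in debug mode (radiusd -X) and check the "Sending Access-Accept" lines to confirm both attributes are present in the reply.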
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html