On 20/7/2007, "ashish verma" <[EMAIL PROTECTED]> writes:

av> I don't want the user to go directly in priv mode.
av> Through priv level = 15 we directly get into priv level, right.
av> What I am looking for is first the user gets into user level and
av> then with another password in level 2 (not with enable password). It should be
av> through RADIUS server.

>Hi Ivan,
>
>What I meant is you type "enable" but the password you give should be
>authenticated by the RADIUS server, not the "enable password stored on the
>device".
>I am not sure whether it is possible or not. But just wanted to know from
>the experts.
>
>Thanks,
>Ashish
>

OK. I'm done with flaming, let's go over the things you can and can't do:

- you can store enable passwords on the radius server instead of locally
- you can't use radius and not use a machine-specific enable password [av> "(not with enable password)"]
- you can use radius as a single-step authentication method to give users access to privileged mode directly by returning the priv-lvl attribute in their profile (leave out the priv-lvl attribute if you don't want them to have privileged access)
- you can't use a single authentication method and have different passwords for different access levels *unless* the enable password is machine-specific (i.e. the same one for all users)
- if you want different passwords for user and privileged modes you will need to use two different authentication methods (radius and tacacs+):

        aaa authentication login default group radius
        aaa authentication enable default group tacacs+

Now the user will log onto the device with his radius password and he will be prompted for username/password by tacacs when he types enable.

I don't think that you can use authorization (aaa authorization exec ...) in this scenario. You have to return priv-lvl 15 for enable to gain privileged access, but that authorization will be passed onto login users as well (you can't split user exec and privileged exec authorization, at least I don't know a way), giving them privileged access straight away and defeating the second-level authentication. And I can't predict how well things would work without authorization. My guess is that they will, but you won't be able to return any parameters to the user (no privilege or command restrictions etc.).

Ivan Kalik
Kalik Informatika ISP

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
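A concrete version of the two RADIUS-only schemes Ivan lists above (single-step login that returns priv-lvl, and an enable password held on the RADIUS server instead of on the box), as an added example that is not part of the original thread. The usernames, passwords, NAS address and shared secret are made up. The FreeRADIUS `users` syntax is 2.x and later (1.x, current at the time of the thread, writes `User-Password == "..."` instead of `Cleartext-Password := "..."`); the `$enab15$` username is what IOS sends when enable authentication is pointed at RADIUS, one per privilege level (`$enab<N>$`), which is why it can only be a per-device password, not a per-user one.

```text
# ---- FreeRADIUS raddb/users (constructed entries) ----

# Operator: single-step login straight into privileged exec.
# IOS only applies shell:priv-lvl when exec authorization is also sent to
# RADIUS (see the "aaa authorization exec" line below).
alice   Cleartext-Password := "alice-secret"
        Service-Type = NAS-Prompt-User,
        Cisco-AVPair = "shell:priv-lvl=15"

# Ordinary user: no priv-lvl, so the login lands in user exec (level 1).
bob     Cleartext-Password := "bob-secret"
        Service-Type = NAS-Prompt-User

# Enable password kept on the RADIUS server instead of in the running-config.
# IOS authenticates "enable" as the fixed username $enab15$, so this is one
# password for everyone who types enable on that box, not a per-user one.
$enab15$  Cleartext-Password := "router-enable-secret"

# ---- FreeRADIUS raddb/clients.conf: the router as a NAS ----
client rtr1 {
        ipaddr = 192.0.2.1
        secret = radius-shared-secret
        nastype = cisco
}

! ---- Cisco IOS side (constructed) ----
aaa new-model
radius-server host 198.51.100.10 key radius-shared-secret
! single-step scheme: login via RADIUS, exec authorization pulls priv-lvl
aaa authentication login default group radius local
aaa authorization exec default group radius local
! enable password served from RADIUS via the $enab15$ entry, local enable
! secret as fallback if the server is unreachable
aaa authentication enable default group radius enable
```

With this configuration alice is at level 15 as soon as she logs in, while bob logs in at level 1 and, if he types enable, is checked against the shared `$enab15$` password; that is exactly the "same enable password for all users" limitation Ivan describes. The `aaa authorization exec` line is what makes the priv-lvl attribute take effect, and it is also the line Ivan says you cannot use in the two-method (radius login, tacacs+ enable) variant, because the priv-lvl 15 returned for enable would then be handed to every login as well.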

