Alexander,
Thanks for cheering my model. It's updated now: http://twitpic.com/rumfq/full
Should I write these lines
DEFAULT NAS-Identifier == switch, LDAP-Group == netref
Service-Type = NAS-Prompt-User, Cisco-AVPair = "shell:priv-lvl=15"
in clients.conf file?
By the way, this line
aaa authentication login default group radius local
that I have written in my Cisco IOS grants my login to it, I guess.
--
Wagner Pereira
PoP-SP/RNP - Ponto de Presença da RNP em São Paulo
CCE/USP - Centro de Computação Eletrônica da Universidade de São Paulo
http://www.pop-sp.rnp.br
f...@rnp 1015-8902
Alexander Clouter wrote:
Wagner Pereira <[email protected]> wrote:
I hope that can help beginners to understand better how the AAA model
works: http://twitpic.com/ru4za/full
And how I implemented that in my case.
I only see authentication and accounting in there but no authorisation,
you need something like:
----
DEFAULT NAS-Identifier == switch, LDAP-Group == netref
Service-Type = NAS-Prompt-User, Cisco-AVPair = "shell:priv-lvl=15"
----
Also the 'top' arrow should probably not say 'SSH session' but 'RADIUS
traffic' or something.
As a side note, I am pretty sure 'nastype' is deprecated. :)
Now go show me why I use the following ;)
----
aaa group server radius lanwarden
server 212.219.138.68 auth-port 1812 acct-port 1813
ip radius source-interface Loopback0
aaa authentication dot1x default group lanwarden
aaa authorization network default group lanwarden
aaa accounting dot1x default start-stop group lanwarden
----
If you are putting some documentation together, make sure you emphasise
that there still need to be local accounts on the switch that are
consulted *first*, as when the RADIUS servers are unreachable (network routing
issue for example) you will be unable to log into your switches:
----
aaa authentication login ssh local group login
aaa authorization exec default local group login
aaa authorization exec console none
aaa accounting exec default start-stop group login
----
Good work nevertheless.
Cheers
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
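The exchange behind the `users` entry Alexander quotes, as an added example that is not part of the original thread and not FreeRADIUS or IOS code: the switch (NAS) sends an Access-Request carrying User-Name, a hidden User-Password and NAS-Identifier; the server applies the policy "NAS-Identifier == switch, LDAP-Group == netref" and answers with an Access-Accept carrying Service-Type = NAS-Prompt-User and a Cisco-AVPair VSA "shell:priv-lvl=15"; the NAS verifies the Response Authenticator against the shared secret before trusting the privilege level. The shared secret, packet id, request authenticator and the in-memory LDAP group table are constructed stand-ins; attribute and vendor numbers are the RFC 2865 / Cisco dictionary values.

```python
"""Added example (not from the thread, FreeRADIUS or Cisco): the RADIUS exchange
that turns the quoted 'users' entry into an authorized IOS exec session."""
import hashlib
import hmac
import struct

# RFC 2865 packet codes and attribute numbers; Cisco VSA numbers from the vendor dictionary.
ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2
USER_NAME, USER_PASSWORD, SERVICE_TYPE, VENDOR_SPECIFIC, NAS_IDENTIFIER = 1, 2, 6, 26, 32
NAS_PROMPT_USER = 7
CISCO_VENDOR_ID, CISCO_AVPAIR = 9, 1

# Constructed example values (hypothetical). A real NAS picks a random Request Authenticator.
SECRET = b"testing123"
REQUEST_AUTH = bytes(range(16))
LDAP_GROUPS = {"wagner": {"netref"}, "guest": set()}  # stands in for the LDAP-Group lookup


def attr(atype, value):
    """Encode one Type-Length-Value attribute (length covers the 2-byte header)."""
    return struct.pack("!BB", atype, 2 + len(value)) + value


def cisco_avpair(text):
    """Vendor-Specific(26) wrapping Cisco-AVPair (vendor id 9, vendor type 1)."""
    sub = struct.pack("!BB", CISCO_AVPAIR, 2 + len(text)) + text.encode()
    return attr(VENDOR_SPECIFIC, struct.pack("!I", CISCO_VENDOR_ID) + sub)


def hide_password(password, secret, request_auth):
    """RFC 2865 5.2 User-Password hiding: XOR 16-byte blocks with MD5(secret + previous block)."""
    raw = password.encode()
    padded = raw.ljust(max(16, (len(raw) + 15) // 16 * 16), b"\0")
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out += prev
    return out


def parse_attrs(pkt):
    """Yield (type, value) pairs from the attribute section after the 20-byte header."""
    pos, end = 20, struct.unpack("!H", pkt[2:4])[0]
    while pos < end:
        atype, alen = pkt[pos], pkt[pos + 1]
        yield atype, pkt[pos + 2:pos + alen]
        pos += alen


def access_request(ident, username, password, nas_id, secret=SECRET, request_auth=REQUEST_AUTH):
    """What the switch sends for a login attempt."""
    body = (attr(USER_NAME, username.encode())
            + attr(USER_PASSWORD, hide_password(password, secret, request_auth))
            + attr(NAS_IDENTIFIER, nas_id.encode()))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(body)) + request_auth + body


def authorize(request):
    """Server-side policy mirroring the quoted 'users' entry: only NAS-Identifier == switch
    and LDAP-Group == netref get Service-Type NAS-Prompt-User plus shell:priv-lvl=15."""
    attrs = dict(parse_attrs(request))
    user = attrs[USER_NAME].decode()
    if attrs.get(NAS_IDENTIFIER) == b"switch" and "netref" in LDAP_GROUPS.get(user, ()):
        return [attr(SERVICE_TYPE, struct.pack("!I", NAS_PROMPT_USER)),
                cisco_avpair("shell:priv-lvl=15")]
    return None


def access_accept(request, reply_attrs, secret=SECRET):
    """Build the Access-Accept; Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attrs+Secret)."""
    body = b"".join(reply_attrs)
    head = struct.pack("!BBH", ACCESS_ACCEPT, request[1], 20 + len(body))
    return head + hashlib.md5(head + request[4:20] + body + secret).digest() + body


def verify_response(request, response, secret=SECRET):
    """NAS-side check that the reply matches the request id and was built with the shared secret."""
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:] + secret).digest()
    return response[1] == request[1] and hmac.compare_digest(response[4:20], expected)


def priv_level(response):
    """Extract shell:priv-lvl from the Cisco-AVPair VSA, or None if the accept carries none."""
    for atype, value in parse_attrs(response):
        if atype == VENDOR_SPECIFIC and struct.unpack("!I", value[:4])[0] == CISCO_VENDOR_ID:
            sub_type, sub_len = value[4], value[5]
            text = value[6:4 + sub_len].decode()
            if sub_type == CISCO_AVPAIR and text.startswith("shell:priv-lvl="):
                return int(text.split("=", 1)[1])
    return None


def login(username, password, nas_id="switch"):
    """Run both sides end to end; returns the privilege level granted, or None if not accepted."""
    req = access_request(7, username, password, nas_id)
    reply_attrs = authorize(req)
    if reply_attrs is None:
        return None
    resp = access_accept(req, reply_attrs)
    if not verify_response(req, resp):
        raise ValueError("bad Response Authenticator")
    return priv_level(resp)


if __name__ == "__main__":
    print(login("wagner", "s3cret"))  # 15
    print(login("guest", "s3cret"))   # None
```

Note that nothing in the Access-Accept is encrypted; the Response Authenticator only proves the reply was built with the shared secret. That is exactly why a wrong or unreachable server cannot be recovered from over RADIUS itself, and why the local-account fallback in the IOS config above still matters.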