"Mike May" <[EMAIL PROTECTED]> wrote:
> After the authn I set some authz like Cisco-AVPair = "priv-lvl=15" used by
> Cisco routers and switches for network engineers who live in the proper
> LDAP group, here is where the problem is. PIX firewalls do not like me
> setting the priv lvl, and the reason is that the PIX will only accept authz
> from a TACACS server (it seems like).

So... don't specify that for the PIX firewall, *or* add it only for the non-PIX machines.

> What I need to do is specify a "netauth" == NAS-IP-ADDRESS 192.168.20.0/23
> subnet. Instead of "netauth" == NAS-IP-ADDRESS 192.168.20.15, this way I
> can use my users file and not set the Cisco priv lvl for those devices that
> live on the firewall subnets.

You can match IPs via regular expressions.

Alan DeKok.
--
http://deployingradius.com - The web site of the book
http://deployingradius.com/blog/ - The blog
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
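As an added illustration of the regex approach Alan suggests (this is not configuration from the thread or from the FreeRADIUS distribution): a huntgroup that covers the whole 192.168.20.0/23 range, and a users file that returns the Cisco-AVPair only to devices outside that huntgroup. File paths follow the stock FreeRADIUS 2.x raddb layout; the LDAP group name "netengineers" and the layout of the PIX subnets are assumptions made for the example.

```conf
# Added example, not from the original thread. Assumed: FreeRADIUS 2.x raddb
# layout, rlm_ldap loaded and configured for group membership checks, and an
# LDAP group called "netengineers" (name made up for illustration).

# --- raddb/huntgroups -----------------------------------------------------
# "netauth" is every NAS in 192.168.20.0/23, i.e. 192.168.20.0-192.168.21.255.
# huntgroups has no CIDR syntax, so match the dotted-quad text with =~.
# The trailing [.] keeps 192.168.210.x from matching; [.] instead of \.
# sidesteps backslash-escaping differences inside quoted strings.
netauth  NAS-IP-Address =~ "^192[.]168[.]2[01][.]"

# If a NAS does not send NAS-IP-Address, match the packet source instead:
# netauth  Packet-Src-IP-Address =~ "^192[.]168[.]2[01][.]"

# --- raddb/users ------------------------------------------------------------
# Most specific entry first: a NAS in the netauth huntgroup gets an Accept
# with no Cisco-AVPair at all, since the PIX will not take it. Fall-Through
# = No stops the search so the router/switch entry below is not also applied.
DEFAULT  Huntgroup-Name == "netauth", Ldap-Group == "netengineers"
         Fall-Through = No

# Routers and switches: same LDAP group, plus the enable-15 AV pair.
# IOS expects the "shell:" prefix in front of priv-lvl when it comes via RADIUS.
DEFAULT  Ldap-Group == "netengineers"
         Cisco-AVPair = "shell:priv-lvl=15"

# Anyone not in the group is refused.
DEFAULT  Auth-Type := Reject
```

Order matters in the users file: rlm_files stops at the first matching entry unless that entry sets Fall-Through = Yes, so the huntgroup-qualified entry has to sit above the general one. If the subnet were not aligned on a /23 the character class would not be enough and the regex would need an alternation per /24; for anything much larger than that, an rlm_sql or rlm_passwd lookup keyed on the NAS address is easier to maintain than a growing regex.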