Role based CLI
Hello,
Does anyone know if it's possible to configure role-based CLI with RADIUS authentication?
I need to allow helpdesk staff access to switches to run various show commands, but all authentication is done via RADIUS (MS - IAS server).
Thanks
Comments
DevilWAH Member Posts: 2,997
Not with RADIUS, unless you assign privilege levels using it. For example, you can pass back the privilege level using RADIUS and then assign the commands you want to that privilege level. But if you want per-command authorisation you need to use TACACS.
- If you can't explain it simply, you don't understand it well enough. Albert Einstein
- An arrow can only be shot by pulling it backward. So when life is dragging you back with difficulties. It means that it's going to launch you into something great. So just focus and keep aiming.
Linkin Profile - Blog: http://Devilwah.com
Forsaken_GA Member Posts: 4,024
Hello,
Does anyone know if it's possible to configure role-based CLI with RADIUS authentication?
I need to allow helpdesk staff access to switches to run various show commands, but all authentication is done via RADIUS (MS - IAS server).
Thanks
Router Proxy is probably the best way to do this.
Indiana University Router Proxy | Download Indiana University Router Proxy software for free at SourceForge.net
Some examples of it in use can be found here:
GlobalNOC Router Proxy
It'll let you define which commands you want folks to be able to run, and then you'll only need to set up one login to actually make use of it without having to worry too terribly much about tightening down individual access roles. Just make damn sure file level access to the web server that it's hosted on is locked down.
danc_101 Member Posts: 60
Not with RADIUS, unless you assign privilege levels using it. For example, you can pass back the privilege level using RADIUS and then assign the commands you want to that privilege level. But if you want per-command authorisation you need to use TACACS.
Thanks - do you have any documentation for this?
DevilWAH Member Posts: 2,997
How to Assign Privilege Levels with TACACS+ and RADIUS - Cisco Systems
A bit about assigning commands to a privilege level.
Configuring IAS: (Radius secret)
For setting up Windows IAS RADIUS to allow authentication and assign the priv level for the user.
I so so strongly suggest you try this on a test switch!!! And whatever you do, leave local in the AAA authentication and authorisation string, so if it comes to it you can turn off the IAS server and get on to your switches.
If the device can see the RADIUS server it will ignore local username/passwords, but will fall back if the RADIUS fails.
Hope that helps.
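The approach described in the replies above, sketched as an IOS configuration; this is an added example, not part of the original thread. The server address, shared secret, local account, privilege level 5 and the chosen show command are all constructed placeholders.

```cisco
! Constructed example. Try it on a test switch first.
aaa new-model
!
! RADIUS (IAS) server; address and key are placeholders.
! Older IOS syntax; newer releases define the server in a "radius server" block.
radius-server host 192.0.2.10 auth-port 1812 acct-port 1813 key SHARED-SECRET-PLACEHOLDER
!
! "local" stays last in both method lists, so the switch falls back to
! local accounts only when the RADIUS server does not respond.
aaa authentication login default group radius local
aaa authorization exec default group radius local
!
! Local fallback account (placeholder name and secret).
username fallback-admin privilege 15 secret LOCAL-SECRET-PLACEHOLDER
!
! Move a command that normally needs level 15 down to the helpdesk level.
! Most show commands are already available at level 1.
privilege exec level 5 show startup-config
!
! On the IAS side, the remote access policy for the helpdesk group returns
! the vendor-specific attribute Cisco-AV-Pair (vendor 9, type 1) with the value:
!   shell:priv-lvl=5
! Administrators get shell:priv-lvl=15 from a separate policy.
```

After a helpdesk login, `show privilege` on the switch should report level 5. Note that `show running-config` at a reduced level displays only the parts of the configuration that level is allowed to change, which is why the sketch uses `show startup-config` instead.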