Role based CLI

Hello,

Does anyone know if its possible to configure role-based CLI with RADIUS authentication.

I need to allow helpdesk staff access to switches to run various show commands but all authentication is done via RADIUS (MS - IAS server)

Thanks

Find more posts tagged with

Comments

DevilWAH

not with radius. unless you assing privilage levels using it. for example you can pass back the privilage level usiing radius. and then assign the commands you want to that privlage level. but if you want per command authrisation you need to use tacas.

Forsaken_GA

danc_101 wrote: »

Hello,

Does anyone know if its possible to configure role-based CLI with RADIUS authentication.

I need to allow helpdesk staff access to switches to run various show commands but all authentication is done via RADIUS (MS - IAS server)

Thanks

Router Proxy is probably the best way to do this

Indiana University Router Proxy | Download Indiana University Router Proxy software for free at SourceForge.net

Some examples of it in use can be found here:

GlobalNOC Router Proxy

It'll let you define which commands you want folks to be able to run, and then you'll only need to setup one login to actually make use of it without having to worry too terribly much about tightening down individual access roles. Just make damn sure file level access to the web server that it's hosted on is locked down.

danc_101

DevilWAH wrote: »

not with radius. unless you assing privilage levels using it. for example you can pass back the privilage level usiing radius. and then assign the commands you want to that privlage level. but if you want per command authrisation you need to use tacas.

Thanks - do you have any documentation for this ?

DevilWAH

How to Assign Privilege Levels with TACACS+ and RADIUS - Cisco Systems

a bit about assigning commads to a provilage level.

Configuring IAS: (Radius secret)

for setting up windows IAS radius to allow authentication and assign the priv level for the user.

I so so strongly suggest you try this on a test switch!!! and what ever you do leave local in the AAA authentication and authorisation string, so if i coems to it you can turn of the IAS server and get on to your switchs..

if the device can see the radius serve it will ignore local username/passwords. but will fall back if the radius fails

hope that helps

danc_101

Thats great - thanks for your help