Radius AAA -- Am I Dreaming or What?

I have managed to get my 2600 ver 12.3 to authenticate to a Juniper Steel-belted Radius server. I am also setting the authorization with the radius server.

The command on the router is: aaa authorization exec default group radius

The return-list on the radius server is: cisco-AVPAIR shell:priv-lvl=15

Thus, when I successfully authenticate to get into the router, I am automatically authorized with administrator privilege.

I'm wondering if I can get even fancier with this. Is it possible to authorize with read-only access? And once I'm logged in with RO access, is it possible to enter an enable password that will give me write access? Finally (and this probably very pie-in-the-sky), is it possible to have that enable password also managed by the radius server, so that if I ever have to change it, I don't have to change it locally on every router?


Reply to
Loading thread data ...

Logging into the router with unpriveledge mode access, also known as exec mode, is basically read-only.

Cisco routers require an enable mode password to enter enabled mode which then allows entry into configuration mode. It is also the mode where counters can be cleared, routing protocols can be reset, and debugging commands can be run. Authentication into enabled mode can also be checked via a RADIUS or other processes. Cisco ACS server running TACACS+ is a very popular method for centralizing authentication for VTY/telnet login and also enable mode authentication.

Pointing your Cisco router to the Juniper RADIUS server for "exec" is the first step. aaa authentication exec default group radius

Now for enable mode authentication, enter the command: aaa authentication enable default group radius

I also suggest updating both of those commands to go back to normal in case the RADIUS server is not available: aaa authentication exec default group radius line aaa authentication enable default group radius enable

Reply to
Scott Perry

here is something for you to read

formatting link

Roman Nakhmanson

Reply to

Cabling-Design.com Forums website is not affiliated with any of the manufacturers or service providers discussed here. All logos and trade names are the property of their respective owners.