beautypg.com

Cisco 15327 User Manual

Page 327

background image

19-15

Ethernet Card Software Feature and Configuration Guide, R7.2

Chapter 19 Configuring Security for the ML-Series Card

Configuring RADIUS

To remove the specified RADIUS server, use the no radius-server host hostname | ip-address global
configuration command. To remove a server group from the configuration list, use the no aaa group
server radius
group-name global configuration command. To remove the IP address of a RADIUS
server, use the no server ip-address server group configuration command.

In this example, the ML-Series card is configured to recognize two different RADIUS group servers
(group1 and group2). Group1 has two different host entries on the same RADIUS server configured for
the same services. The second host entry acts as a fail-over backup to the first entry.

Switch(config)# radius-server host 172.20.0.1 auth-port 1000 acct-port 1001

Switch(config)# radius-server host 172.10.0.1 auth-port 1645 acct-port 1646

Switch(config)# aaa new-model

Switch(config)# aaa group server radius group1

Switch(config-sg-radius)# server 172.20.0.1 auth-port 1000 acct-port 1001

Switch(config-sg-radius)# exit

Switch(config)# aaa group server radius group2

Switch(config-sg-radius)# server 172.20.0.1 auth-port 2000 acct-port 2001

Switch(config-sg-radius)# exit

Configuring RADIUS Authorization for User Privileged Access and Network Services

AAA authorization limits the services available to a user. When AAA authorization is enabled, the
ML-Series card uses information retrieved from the user’s profile, which is in the local user database or
on the security server, to configure the user’s session. The user is granted access to a requested service
only if the information in the user profile allows it.

There is no support for setting the privilege level on the ML-Series card or using the priv-lvl command.
A user authenticating with a RADIUS server will only access the ML-Series card with a privilege level
of 1, which is the default login privilege level. Because of this, a priv-lvl configured on the RADIUS
server should have the priv-lvl of 0 or 1. Once a user is authenticated and gains access to the ML-Series
card, they can use the enable password to gain privileged EXEC authorization and become a super user
with a privilege level of 15, which is the default privilege level of enable mode.

This example of an ML-Series card user record is from the output of the RADIUS server and shows the
privilege level:

CISCO15 Auth-Type := Local, User-Password == "otbu+1"

Service-Type = Login,

Session-Timeout = 100000,

Cisco-AVPair = "shell:priv-lvl=1"

You can use the aaa authorization global configuration command with the radius keyword to set
parameters that restrict a user’s network access to privileged EXEC mode.

The aaa authorization exec radius local command sets these authorization parameters:

Use RADIUS for privileged EXEC access authorization if authentication was performed by using
RADIUS.

Use the local database if authentication was not performed by using RADIUS.

Note

Authorization is bypassed for authenticated users who log in through the CLI even if authorization has
been configured.

Beginning in privileged EXEC mode, follow these steps to specify RADIUS authorization for privileged
EXEC access and network services: