Per-device/per-user AAA authorization with Freeradius

Hi Folks
I'm using a Freeradius with local username database (no LDAP) for authentication (working well).
I have various network devices in my network, and I would like to have custom authorization per user per device :
I would like to have 2 types of network admins, and 2 types of network devices, with the following rules :
-"Core devices" must be granted privilege level 15 for "Core admins"
-"Access devices" must be granted privilege level 15 for "Access admins" and "Core admins"
-"Core devices" must be granted privilege level 1 for "Access admins".
-There is now way "Access admins" can access to configuration mode on "Core devices" with enable command.
Any help and config example for freeradius and cisco side are very welcome
thanks
olivier

Hello Olivier,
I would suggest you go to the link below. This document describes the procedure for per-device user authentication.
http://wiki.freeradius.org/vendor/Cisco#Per-User-Privilege-Level
Hope this may help you
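The four rules from the question, written out as an added configuration example (not part of the original thread and not the page the reply links to). It uses FreeRADIUS 3.x huntgroups to classify the NAS by its source address and the "users" file to pick the privilege level per user and device class; the NAS addresses (RFC 5737 documentation range), the user names alice/bob, the passwords and the shared secret are constructed placeholders. It assumes the stock authorize section, where rlm_preprocess (huntgroups) runs before rlm_files. It covers EXEC-level authorization only; what happens when an access admin types enable on a core device is decided by the enable authentication method configured on that device, which this fragment does not set.

```text
# --- FreeRADIUS 3.x: raddb/mods-config/preprocess/huntgroups ---
# Classify NAS devices by the address the RADIUS request comes from.
# Addresses are constructed placeholders (RFC 5737 documentation range).
core_devices    NAS-IP-Address == 192.0.2.10
core_devices    NAS-IP-Address == 192.0.2.11
access_devices  NAS-IP-Address == 192.0.2.20

# --- FreeRADIUS 3.x: raddb/mods-config/files/authorize (the "users" file) ---
# Core admin (hypothetical user "alice"): level 15 on every device, so no
# Huntgroup-Name check item is needed.
alice   Cleartext-Password := "example-only"
        Service-Type = NAS-Prompt-User,
        Cisco-AVPair = "shell:priv-lvl=15"

# Access admin (hypothetical user "bob"): the first entry whose check items
# all match wins, so the device class selects the privilege level.
bob     Cleartext-Password := "example-only", Huntgroup-Name == "access_devices"
        Service-Type = NAS-Prompt-User,
        Cisco-AVPair = "shell:priv-lvl=15"

bob     Cleartext-Password := "example-only", Huntgroup-Name == "core_devices"
        Service-Type = NAS-Prompt-User,
        Cisco-AVPair = "shell:priv-lvl=1"

# A user/device pair with no explicit policy is rejected instead of being
# handed a default privilege level.
DEFAULT Auth-Type := Reject
        Reply-Message = "no authorization policy for this user on this device"

! --- Cisco IOS side (same method lists on core and access devices) ---
! The shared secret is a placeholder; "local" keeps console access if RADIUS is down.
aaa new-model
radius-server host 192.0.2.5 auth-port 1812 acct-port 1813 key SHARED-SECRET-PLACEHOLDER
aaa authentication login default group radius local
aaa authorization exec default group radius local
```

To check the policy without touching a switch, send a request that impersonates each device class from the RADIUS host itself, e.g. `echo "User-Name=bob,User-Password=example-only,NAS-IP-Address=192.0.2.10" | radclient -x localhost auth <secret>`, and confirm the Access-Accept carries `shell:priv-lvl=1` for the core address and `shell:priv-lvl=15` for `192.0.2.20`.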

Similar Messages

  • Aaa authorization with Tacacs+

    Hello All,
    I am trying to figure out how aaa authorization with tacacs+ works.
I am totally comfortable with aaa authentication, but am not able to understand how it works... How are different priv levels assigned to different users?
    I am totally freaked out...

The device side setup is pretty simple. You just use the aaa authorization command set. A good bit of the setup is on the ACS server end.
    Cisco has a pretty thorough configuration example posted here.

  • Aaa authorization with Funk SBR EE

    Hello,
    I do not get aaa authorization with Funk SBR EE to work.
    On our cisco switches I configure:
    aaa authentication default group radius local
    aaa authorization exec default radius local
    On the Funk radius server I return
    service-type login
    Cisco-AVPAIR shell:priv-lvl=15
    Authorization always fails and the debug output shows:
    1063433: 46w0d: CLUSTER_MEMBER_1: RADIUS: ustruct sharecount=1
    1063434: 46w0d: CLUSTER_MEMBER_1: RADIUS: Initial Transmit tty3 id 60 [**radius-ip**}:1812, Access-Request, len 82
    1063435: 46w0d: CLUSTER_MEMBER_1: Attribute 4 6 C3A976E2
    1063436: 46w0d: CLUSTER_MEMBER_1: Attribute 5 6 00000003
    1063437: 46w0d: CLUSTER_MEMBER_1: Attribute 61 6 00000005
    1063438: 46w0d: CLUSTER_MEMBER_1: Attribute 1 9 66726974
    1063439: 46w0d: CLUSTER_MEMBER_1: Attribute 31 17 3139352E
    1063440: 46w0d: CLUSTER_MEMBER_1: Attribute 2 18 8772DAFD
    1063441: 46w0d: CLUSTER_MEMBER_1: RADIUS: Received from id 60 [**radius-ip**]:1812, Access-Accept, len 87
    1063442: 46w0d: CLUSTER_MEMBER_1: Attribute 25 67 53425232
    1063443: 46w0d: CLUSTER_MEMBER_1: RADIUS: saved authorization data for user 111BFD8 at D4E310
    1063444: 46w0d: CLUSTER_MEMBER_1: tty3 AAA/AUTHOR/EXEC (3848954035): Port='tty3' list='' service=EXEC
    1063445: 46w0d: CLUSTER_MEMBER_1: AAA/AUTHOR/EXEC: tty3 (3848954035) user='username'
    1063446: 46w0d: CLUSTER_MEMBER_1: tty3 AAA/AUTHOR/EXEC (3848954035): send AV service=shell
    1063447: 46w0d: CLUSTER_MEMBER_1: tty3 AAA/AUTHOR/EXEC (3848954035): send AV cmd*
    1063448: 46w0d: CLUSTER_MEMBER_1: tty3 AAA/AUTHOR/EXEC (3848954035): found list "default"
    1063449: 46w0d: CLUSTER_MEMBER_1: tty3 AAA/AUTHOR/EXEC (3848954035): Method=radius (radius)
    1063450: 46w0d: CLUSTER_MEMBER_1: RADIUS: no appropriate authorization type for user.
    1063451: 46w0d: CLUSTER_MEMBER_1: AAA/AUTHOR (3848954035): Post authorization status = FAIL
    1063452: 46w0d: CLUSTER_MEMBER_1: AAA/AUTHOR/EXEC: Authorization FAILED
    1063453: 46w0d: CLUSTER_MEMBER_1: AAA/MEMORY: free_user (0x111BFD8) user='username' ruser='' port='tty3' rem_addr='[**client-ip**]' authen_type=ASCII service=LOGIN priv=1
    What do I need to add to the radius server to make it work?
    --Joerg

    The document Common Problems in Debugging RADIUS, PAP and CHAP has more information on the debug outputs.
    http://www.cisco.com/en/US/tech/tk59/technologies_tech_note09186a0080093f4b.shtml#radnpap
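A small triage aid for debug output like the one quoted above, added here as an example (it is not from the thread or the Cisco document linked in the reply). It parses the IOS `Attribute <type> <length> <hex>` lines under each `Access-Request`/`Access-Accept` line, decodes the standard attribute numbers from RFC 2865, verifies that the packet length equals the 20-octet header plus the attribute lengths, and flags an Access-Accept that carries neither Service-Type (6) nor Vendor-Specific (26). The sample input is the debug output quoted in the post; run over it, the Accept decodes to a single Class (25) attribute, so whatever the server was configured to return never reached the switch.

```python
import re
from dataclasses import dataclass, field
from typing import List, Tuple

# Standard RADIUS attribute numbers (RFC 2865/2869) that show up in IOS debug output.
ATTR_NAMES = {
    1: "User-Name", 2: "User-Password", 4: "NAS-IP-Address", 5: "NAS-Port",
    6: "Service-Type", 25: "Class", 26: "Vendor-Specific",
    31: "Calling-Station-Id", 61: "NAS-Port-Type",
}
NAS_PORT_TYPES = {0: "Async", 2: "ISDN", 5: "Virtual", 15: "Ethernet", 19: "Wireless-802.11"}
SERVICE_TYPES = {1: "Login-User", 2: "Framed-User", 6: "Administrative-User", 7: "NAS-Prompt-User"}
TEXT_ATTRS = {1, 25, 31}

# "Initial Transmit ... Access-Request, len 82" / "Received from ... Access-Accept, len 87"
PACKET_RE = re.compile(r"RADIUS: (?:Initial Transmit|Received from).*?(Access-\w+), len (\d+)")
# "Attribute <type> <length> <first up to 4 value bytes, hex>"
ATTR_RE = re.compile(r"Attribute (\d+) (\d+) ([0-9A-Fa-f]{2,8})\b")

# Debug lines quoted in the post above (the packet and attribute lines only).
SAMPLE_DEBUG = """\
1063434: 46w0d: CLUSTER_MEMBER_1: RADIUS: Initial Transmit tty3 id 60 [**radius-ip**}:1812, Access-Request, len 82
1063435: 46w0d: CLUSTER_MEMBER_1: Attribute 4 6 C3A976E2
1063436: 46w0d: CLUSTER_MEMBER_1: Attribute 5 6 00000003
1063437: 46w0d: CLUSTER_MEMBER_1: Attribute 61 6 00000005
1063438: 46w0d: CLUSTER_MEMBER_1: Attribute 1 9 66726974
1063439: 46w0d: CLUSTER_MEMBER_1: Attribute 31 17 3139352E
1063440: 46w0d: CLUSTER_MEMBER_1: Attribute 2 18 8772DAFD
1063441: 46w0d: CLUSTER_MEMBER_1: RADIUS: Received from id 60 [**radius-ip**]:1812, Access-Accept, len 87
1063442: 46w0d: CLUSTER_MEMBER_1: Attribute 25 67 53425232
"""


@dataclass
class Packet:
    code: str
    length: int
    attrs: List[Tuple[int, int, bytes]] = field(default_factory=list)  # (type, length, first bytes)


def parse_debug(lines):
    """Group each 'Attribute' line under the packet line that precedes it."""
    packets = []
    for line in lines:
        m = PACKET_RE.search(line)
        if m:
            packets.append(Packet(m.group(1), int(m.group(2))))
            continue
        m = ATTR_RE.search(line)
        if m and packets:
            packets[-1].attrs.append((int(m.group(1)), int(m.group(2)), bytes.fromhex(m.group(3))))
    return packets


def decode_attribute(attr_type, length, first_bytes):
    """Return (name, readable value). IOS prints only the first 4 value octets."""
    name = ATTR_NAMES.get(attr_type, f"Attr-{attr_type}")
    value_len = length - 2  # 'length' includes the type and length octets
    if attr_type == 4 and len(first_bytes) == 4:
        value = ".".join(str(b) for b in first_bytes)
    elif attr_type == 2:
        value = "<encrypted>"  # User-Password is obfuscated with the shared secret
    elif attr_type in TEXT_ATTRS:
        value = first_bytes.decode("ascii", "replace") + ("..." if value_len > 4 else "")
    else:
        n = int.from_bytes(first_bytes, "big")
        if attr_type == 61:
            value = NAS_PORT_TYPES.get(n, str(n))
        elif attr_type == 6:
            value = SERVICE_TYPES.get(n, str(n))
        else:
            value = str(n)
    return name, value


def consistent_length(pkt):
    """The RADIUS header is 20 octets; everything after it must be the attributes."""
    return pkt.length == 20 + sum(length for _, length, _ in pkt.attrs)


def missing_exec_authorization(pkt):
    """An Accept with neither Service-Type nor a Vendor-Specific attribute gives the
    NAS nothing to build an EXEC authorization from."""
    present = {attr_type for attr_type, _, _ in pkt.attrs}
    return pkt.code == "Access-Accept" and not (present & {6, 26})


def summarize(pkt):
    lines = [f"{pkt.code} len={pkt.length} length_ok={consistent_length(pkt)}"]
    for attr_type, length, first_bytes in pkt.attrs:
        name, value = decode_attribute(attr_type, length, first_bytes)
        lines.append(f"  {name}({attr_type}) len={length}: {value}")
    if missing_exec_authorization(pkt):
        lines.append("  !! Accept has no Service-Type / Vendor-Specific: NAS cannot derive EXEC authorization")
    return lines


if __name__ == "__main__":
    for pkt in parse_debug(SAMPLE_DEBUG.splitlines()):
        print("\n".join(summarize(pkt)))
```

Because IOS truncates values to four octets, text attributes such as User-Name and Class come out as a prefix; the length check still holds on the full attribute lengths, which is enough to tell a truncated debug from a malformed packet.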

  • If I apply a per device CAL does it stick with certain devices or when the devices sign off can new ones use the same licences

    I purchased a per device CAL and was wondering about this because we have more than 5 devices. If one device is signed on and is using a licence then signs off does that licence become available for a new device then? Or am I stuck with the same 5 devices
    even if they are not still signed on. 

When an RDS device CAL is issued it remains assigned to the device it was issued to until it expires.  It cannot be used by another device until it expires.
An RDS per device CAL is set to expire in a random interval between 52 and 89 days.  Once this interval expires, the device CAL is returned to the pool.  You can revoke RDS CALs manually (up to 20% of your total) with Remote Desktop Licensing Manager.

  • AAA Authorization with RADIUS and RSA SecurID Authentication Manager

    Hi there.
I am in the process of implementing a new RSA SecurID deployment, and unfortunately the bulk of the IOS devices here do not support the native SecurID (SDI) protocol. With the older RSA SecurID deployment version, it supported TACACS running on the system; now in 8.x it does not.  Myself, along with RSA Support, are having problems getting TACACS working correctly with the new RSA Deployment, so the idea turned to possibly just using RADIUS.
    I have setup the RADIUS server-host, and configured the AAA authentication and authorization commands as follows:
    #aaa new-model
    #radius-server host 1.1.1.1 timeout 10 retransmit 3 key cisco123!
    #aaa authentication login default group radius enable
    #aaa authorization exec default group radius local
    I have also tried
    #aaa authorization exec default group radius if-authenticated local
I can successfully authenticate via SSH to User Mode using my SecurID passcode -- however, when I go to enter Priv Exec mode, it won't take the SecurID passcode - I just get an "access denied".
I've run tcpdump on the RSA Primary Instance, looking for 1645/1646 traffic, and I don't get anything.
I've turned on RADIUS debugging on the IOS device, and I don't get anything either.
I did see this disclaimer in a Cisco doc: "The RADIUS method does not work on a per-username basis."  -- not sure if this is related to my issue?
I'm beginning to wonder if IOS/AAA can't pass the authorization-exec process to RSA SecurID.

    I don't have a solution, but can confirm I have the same problem and am also trying to find a solution.
    I see no data sent to the RSA server when using the wireless AP. With other equipment on the same ACS, I do see the attempts going to the RSA server.
    The first reply doesn't seem to apply to me, since it's not sending a request from the ACS machine to the RSA machine.

  • AAA authorization with ACS 3.2

I'm trying to configure my devices to use shell command authorization sets located on my ACS box. I want users that are members of a specific group to only be allowed to run certain commands (ex. show). I'm pretty sure my ACS box is set up correctly, but my devices aren't. Here is the current config:
    aaa new-model
    aaa authentication login default group tacacs+ local
    aaa authentication enable default group tacacs+ enable
    aaa authorization exec default group tacacs+ local
    aaa accounting exec default start-stop group tacacs+
    I want the aaa authorization to use tacacs on my ACS box and whatever shell commands sets that are group specific when a user that is a member of that group logs in.

    Marek
    1) it is good to know that authentication is working and does fail over to the enable password. This helps assure that the problem that we are dealing with is not an issue of failure to communicate.
    2) it is not necessary that the router mirror the groups that are configured on the server. So unless you want to specify authentication or authorization processing different from default then you do not need level1 to be mentioned on the router.
I agree that there is not a lot of clear documentation about authorization. One of the purposes of this forum is to allow people to ask questions about things that they do not yet understand and hopefully to get some helpful answers. As you get more experience and understand more, then you may be able to participate in the forum and provide answers in addition to asking questions.
    3) As I read your config authentication does have a backup method and authorization does not. I am a proponent of having backup methods configured. As long as the server is available you do not need them. But if they are not configured and the server is not available you can manage to lock yourself out of the router.
    I can understand removing them while you concentrate on why the authorization is not working (though I would not do it that way) but I strongly suggest that you plan to put the backups in before you put anything like this into production.
    4) the fact that both users log in and are already at privilege level 15 may be a clue. Look in the config under the console and under the vty ports. Look for this configuration command privilege level 15. If it is there remove it and test over again.
    HTH
    Rick

  • AAA Authorization with ACS Shell-Sets

    Hi all,
    I am using a cisco 871 router running Version 12.4(11)T advanced IP Services.
    I am having trouble getting AAA Authorization to work correctly with ACS.
    I am able to set the users up on ACS fine and assign them shell and priv level 7.
    I then setup a Shell Auth Set, and enter in the commands show and configure.
    When I log in as a user, I get an exec with a priv level of 7 no problems, but I never seem to be able
    to access global config mode by typing in conf (or configure) terminal or t.
    If I type con? the only command there is connect, configure is never an option...
    The only way I can get this to work is by entering the command:
    privilege exec level 7 configure terminal
    I thought the whole purpose of the ACS Shell Set was to provide this information to the Router?
    This is most frustrating
    The ACS Server is set up with a Shell Command Authorization Set named Level_7
    It is assigned to the relevant groups and I even have the "Unmatched Commands" option selected to "Permit"
    The "Permit Unmatched Args" is also selected.
    See an excerpt of my IOS config below:
    aaa new-model
    aaa group server tacacs+ ACS
    server 10.90.0.11
    aaa authentication login default group ACS local
    aaa authorization exec default group ACS
    aaa authorization commands 7 default group ACS local
    tacacs-server host 10.90.0.11 key cisco
    privilege exec level 7 configure terminal
    privilege exec level 7 configure
    privilege exec level 7 show running-config
    privilege exec level 7 show
    Hope you can help me with this one..
    P.s I have tried it with the privilege commands on the router and removed from the router and just keep getting the same results!?

    Hi,
    So here it is,
You are actually using two different options and trying to couple them together. What I would suggest is that you either use the Shell command authorization set feature or play with privilege levels. Not both mixed together.
The above scenario might work if you move the commands to privilege level 6 and give the user privilege level 7. It might not; I'm not sure. Give it a try and share the result.
This is why I suggest putting the commands back to their normal level.
    Below provided are steps to configure shell command authorization:
    Follow the following steps over the router:
    !--- is the desired username
    !--- is the desired password
    !--- we create a local username and password
    !--- in case we are not able to get authenticated via
    !--- our tacacs+ server. To provide a back door.
    username password privilege 15
    !--- To apply aaa model over the router
    aaa new-model
    !--- Following command is to specify our ACS
    !--- server location, where is the
    !--- ip-address of the ACS server. And
    !--- is the key that should be same over the ACS and the router.
    tacacs-server host key
    !--- To get users authentication via ACS, when they try to log-in
    !--- If our router is unable to contact to ACS, then we will use
    !--- our local username & password that we created above. This
    !--- prevents us from locking out.
    aaa authentication login default group tacacs+ local
    aaa authorization exec default group tacacs+ local
    aaa authorization config-commands
    aaa authorization commands 0 default group tacacs+ local
    aaa authorization commands 1 default group tacacs+ local
    aaa authorization commands 15 default group tacacs+ local
    !--- Following commands are for accounting the user's activity,
    !--- when user is logged into the device.
    aaa accounting exec default start-stop group tacacs+
    aaa accounting system default start-stop group tacacs+
    aaa accounting commands 0 default start-stop group tacacs+
    aaa accounting commands 1 default start-stop group tacacs+
    aaa accounting commands 15 default start-stop group tacacs+
    Configuration on ACS
    [1] Goto 'Shared Profile Components' -> 'Shell Command Authorization Sets' -> 'Add'
    Provide any name to the set.
Provide a sufficient description (if required).
    (a) For Full Access administrative set.
    In Unmatched Commands, select 'Permit'
    (b) For Limited Access set.
    In Unmatched commands, select 'Deny'.
    And in the box above 'Add Command' box type in the main command, and in box below 'Permit unmatched Args'. Provide with the sub command allow.
For example: if we want the user to be only able to access the following commands:
    login
    logout
    exit
    enable
    disable
    show
    Then the configuration should be:
    ------------------------Permit unmatched Args--
    login permit
    logout permit
    exit permit
    enable permit
    disable permit
    configure permit terminal
    interface permit ethernet
    permit 0
    show permit running-config
In the above example, the user will be allowed to run only the above commands. If the user tries to execute 'interface ethernet 1', the user will get 'Command authorization failed'.
    [2] Press 'Submit'.
    [3] Goto the group on which we want to apply these command authorization set. Select 'Edit Settings'.
    (cont...)

  • User Based Authorization with ISE

I am trying to configure ISE to limit the activity of individual users once they have logged in from an authorized PC into our network. We basically only want them to be able to connect to specific systems. Is ISE able to do this on a per user basis?

    Yes.
    One of the things you can do via your Authorization policy is to push a downloadable ACL (dACL) to the port (for wired users). For wireless users you can apply a pre-defined Airespace ACL from the WLC to the user session. 

  • AAA Authorization with DAP

    When forcing a tunnel-group to authorize users against an AAA server-group with a corresponding ldap attribute-map in that AAA group, does that mapping of usergroup->group-policy get passed up to the DAP process?

    The document Common Problems in Debugging RADIUS, PAP and CHAP has more information on the debug outputs.
    http://www.cisco.com/en/US/tech/tk59/technologies_tech_note09186a0080093f4b.shtml#radnpap

  • AAA authorization with Cat Os on 5500 switches

    Hi,
I am new to Cisco Secure and I was wondering if there is a solution to my task. I have been asked to allow only certain users the right to see the configuration on the CatOS and IOS based switches. The IOS based switches seem doable but the CatOS ones don't. One switch I am looking at has CatOS 4.5(6a) and that doesn't seem to support what I want to do. Outside of CiscoWorks, is there a solution?
    TIA for any assistance.

    The Catalyst 5500's don't support command authorization until software version 5.4.
    HTH
    Steve

  • Exclude specific user from aaa authorization commands

    Hi there,
    I am trying to find a solution to exclude specific users from being authorized (AAA command authorization) when entering commands on the switch/router.
    We use an AAA setup with Cisco ACS. On the devices we use:
    aaa authorization config-commands
    aaa authorization commands 1 default group tacacs+ local
    aaa authorization commands 5 default group tacacs+ local
    aaa authorization commands 15 default group tacacs+ local
Is it possible to exclude a user, say User1, from being command authorized?
    In other words, when User1 logs on the switch/router, the switch/router shouldn't check the ACS if User1 is authorized to use this command.
    We tried this with method lists in combination with ACL's on the VTY's:
    line VTY 0
    access-class 1 in
    line VTY 1
    access-class 2 in
    Let's say, User1 always logs in from a specific IP, which is mentioned in access-list 2, the switch would use the method mentioned within the line vty 1.
    But apparently, when a remote connection is being established, the switch/router uses the first VTY which is available, instead of watching which ACL can be matched to the source IP from the User.
    Does anyone have some tips/tricks how to handle this?
    Maybe a custom attribute from the ACS?
    Kind Regards

    If that user belongs to a unique group then you can write a policy where "if the user is in group x then return "access_reject" Or return "access_accept" but set the privilege level to "1" and block all commands. 
    Thank you for rating helpful posts!

  • RDS (2012 R2, Per User) client issues after moving from TS Licensing (Win 2K3, Per Device)

    I run a XenApp environment (mixed Presentation Server 4.5, XA6.5, XA7.6... I know).
    I've somewhat recently moved our RDS/TS licensing from an old 2K3 TS licensing vm that needed to go to a 2012 R2 RDS licensing vm.
    The 2K3 vm ran with a Per Device mode, and the 2012 R2 vm is using a Per User model.
    RDS is working fine as far as I can tell - handing out licenses to their RD Session hosts, in the proper security group which has the ability to Read/Write the MSLicensing user attributes (Terminal Server License Servers). By GPO, I am telling (and they are
    applying) my XenApp servers to use their new RDS Licensing server and with a Per User model. The issue I
    am seeing is this:
    On a given XenApp server, the eventID 1011 - TerminalServicesRemoteConnectionManager
    The remote session could not be established from remote desktop client
    computername because its temporary license has expired.
    When I hit the Details tab,
    Windows Server 2003 - Terminal Server Per Device CAL Token.
    Which then results in having to remove the MSLicensing registry key. Which is annoying. Anyone else run into this after moving licensing servers and/or models? Feedback would be awesome, danke!

    Hi,
    According to your description, it sounds like a known issue. The workaround is to delete the MSLicensing key under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MSLicensing. (Note: please create a backup of the MSLicensing registry key and its subkeys on the
    client before you remove the original key and subkeys.)
    For more detailed information, you can refer to the similar thread below:
    https://social.technet.microsoft.com/Forums/windowsserver/en-US/9eb42798-e75e-4693-9a5d-9e96895e16c8/remote-desktop-license-server-problem?forum=winserverTS
    Best regards,
    Ssie
    Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Subscriber Support, contact [email protected]

  • Switch from per Device to per User

    I have a few RDS servers in an isolated environment that I was going to use our corporate RDS license server with.   I later found out that the servers need to be in the same domain as the licensing server itself (which they are not).  The
    RDS servers were already built "Per Device" but now I have to build a new RDS licensing server and I am thinking about going per User with this instance.  Since the RDS servers are already Per Device (but are not technically pointing to any
    valid license server yet) can I switch them to be per User and then point them to the new per User RDS license server?
    Thanks
    NK

    Hi,
    Yes, you can switch the licensing mode of the RDSH servers to Per User.  For Server 2012/2012 R2 RDSH servers you would just change the mode in deployment properties, and of course make sure the RDSH servers are part of a collection so that the change
    will apply to them.
    You will need purchased Per User RDS CALs.  If you already purchased Per Device RDS CALs I recommend contacting the reseller and seeing if you can return them and purchase Per User instead.  Per User RDS CALs cost more than Per Device
    RDS CALs.
    -TP

  • Will Itunes only communicate with one device per computer?

    I get an invalid response from iTunes when my iPhone 4 is connected to iTunes. I also have a nano that connects and is working properly. Will iTunes only work with one device per computer? I took the iPhone to an Apple store and it connects with iTunes like it should. I have swapped cables and ports, and downloaded the latest version. Thanks for your help.

    It is meant to work with multiple devices, although not simultaneously.  However I have had exactly the same issue with iTunes 10.7 and Windows 7 and a new 16GB iPod touch on iOS 6 just this week.
    iTunes detects and displays the iPod classic fine, but won't find the iPod Touch when it is connected.  The connection is working fine as the Windows OS can see the iPod touch, just not iTunes.
    I had a 2nd PC, which has a copy of the iTunes on it and the same media collection - this PC immediately recognised the Touch, so I have gotten around this issue, although I suspect reinstalling iTunes on the original PC may have also fixed it - I have kept a copy of iTunes 10.7.exe so I can reinstall and avoid that POS V11. 
    I suspect iTunes gets tetchy about hooking in two devices.
    Actually as a mostly Windows / Android user, I don't get why on earth do Apple force you to do everything via iTunes anyway?  Seems crazy to me.  I sort of like the way I can hook up the Android unit and just drag over the files I want without all the darn hoop jumping Apple wants me to do.  Anyway... I digress.
    So Not sure.  Happy I found an easier solution than a reinstall of iTunes.  Of course, using a 2nd (mirrored) PC might not be an option for you.  Good luck. Wish I had a better / more useful suggestion for you.

  • With the limit of 5 devices per itunes account, I am wondering if I can have 2 itune accounts on the same computer?  We have many idevices and I am not sure how to manage them all.

    With the limit of 5 devices per itunes account, I am wondering if I can have more than 1 itunes account on my computer? 

    The limit of five applies only to computers, not to iOS devices, if that's what you're concerned with. But yes, you can have content from up to five different iTunes Store accounts on any given computer or iOS device.
    Regards.
