RE: Microsoft IAS for Radius

From: Fabrice Bobes (study@6colabs.com)
Date: Mon May 19 2003 - 14:22:13 GMT-3


As far as I tried authorization with IAS radius, it worked for me.
There is this Radius attribute called cisco-av-pair available on IAS
that you may want to play with.
You can for example give a certain level of privilege or use
autocommand:

First example: - assigning privilege level 2 to a user when logging on
IOS configuration:
aaa new-model
aaa authentication login default none
aaa authentication login outside group radius
aaa authorization exec outside group radius
line vty 0 4
 login authentication outside
 authorization exec outside

IAS config:
Cisco-AV-Pair:
shell:priv-lvl=2

Second example: - testing autocommand with lock-and-key
IOS configuration:
aaa new-model
aaa authentication login default none
aaa authentication login outside group radius
aaa authorization exec outside group radius

int e0/0
 ip address 10.10.1.1 255.255.255.0
 ip access-group 101 in

access-list 101 permit tcp host 192.168.1.1 host 10.10.1.1 eq telnet
access-list 101 dynamic dyn permit ip any any
access-list 101 deny ip any any

line vty 0 4
 login authentication outside
 authorization exec outside

IAS config:
Cisco-AV-Pair:
autocmd=access-enable host timeout 5

After the user logs on, the access-list 101 is modified as it should be:
permit tcp host 192.168.1.1 host 10.10.1.1 eq telnet
Dynamic dynmap permit ip any any
    permit ip host 192.168.1.1 any
deny ip any any

If you want to do some debug, you will see something like this:
May 19 09:51:18.761 PST: AAA/AUTHOR/EXEC(00000006): processing AV autocmd=access-enable host timeout 5
May 19 09:51:18.761 PST: AAA/AUTHOR/EXEC(00000006): Authorization successful

I did the tests on a recent IOS release (12.2.15T1) so you may want to
check with an older IOS.

Thanks,

Fabrice
http://www.6colabs.com
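Added example, not from Fabrice's post nor from any IAS or IOS code: how a Cisco-AV-Pair such as shell:priv-lvl=2 or the autocmd string above travels in a RADIUS Access-Accept as a Vendor-Specific attribute (type 26, Cisco vendor id 9, vendor sub-type 1), plus a bounds-checked decoder you can point at the attribute bytes of a captured Access-Accept to confirm which privilege level or autocommand the server actually returned. Function names are my own.

```python
import struct

# RADIUS attribute 26 (Vendor-Specific), Cisco's IANA vendor id 9 and the
# cisco-avpair vendor sub-type 1: protocol constants, not values from the thread.
VENDOR_SPECIFIC = 26
CISCO_VENDOR_ID = 9
CISCO_AVPAIR = 1

def encode_cisco_avpair(avpair: str) -> bytes:
    """Wrap one AV-pair string (e.g. shell:priv-lvl=2) in a Vendor-Specific attribute."""
    data = avpair.encode("ascii")
    sub = struct.pack("!BB", CISCO_AVPAIR, 2 + len(data)) + data  # vendor-type, vendor-length
    body = struct.pack("!I", CISCO_VENDOR_ID) + sub                # 4-byte vendor-id
    if 2 + len(body) > 255:
        raise ValueError("AV-pair too long for one RADIUS attribute")
    return struct.pack("!BB", VENDOR_SPECIFIC, 2 + len(body)) + body

def decode_cisco_avpairs(attrs: bytes) -> list:
    """Walk the attribute section of a RADIUS packet (bytes after the 20-byte
    header) and return every Cisco-AV-Pair string in order. Every length field
    is bounds-checked so a truncated or malformed packet raises rather than
    being misread."""
    pairs, i = [], 0
    while i + 2 <= len(attrs):
        atype, alen = attrs[i], attrs[i + 1]
        if alen < 2 or i + alen > len(attrs):
            raise ValueError("bad attribute length at offset %d" % i)
        if atype == VENDOR_SPECIFIC and alen >= 8:
            (vendor_id,) = struct.unpack("!I", attrs[i + 2:i + 6])
            j, end = i + 6, i + alen
            while vendor_id == CISCO_VENDOR_ID and j + 2 <= end:  # skip other vendors
                vtype, vlen = attrs[j], attrs[j + 1]
                if vlen < 2 or j + vlen > end:
                    raise ValueError("bad vendor sub-attribute length at offset %d" % j)
                if vtype == CISCO_AVPAIR:
                    pairs.append(attrs[j + 2:j + vlen].decode("ascii", "replace"))
                j += vlen
        i += alen
    if i != len(attrs):
        raise ValueError("trailing bytes after last attribute")
    return pairs

def granted_privilege(pairs) -> int:
    """Exec privilege level requested by shell:priv-lvl=N; 1 (user exec) if absent."""
    for p in pairs:
        if p.startswith("shell:priv-lvl="):
            return int(p.split("=", 1)[1])
    return 1
```

Feed `decode_cisco_avpairs` the packet bytes from offset 20 onward; the two sample strings used here are the ones from the IAS config above.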

-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
Chris Johnston
Sent: Monday, May 19, 2003 12:07 AM
To: 'Robert N Myhre'; ccielab@groupstudy.com
Subject: RE: Microsoft IAS for Radius

Hi Robert;

I use IAS all of the time for double authentication with the PIX VPN
clients. Works really well.

I, too, have wished I could control certain access within the IOS gear
but have not been able to (easily) locate the configuration "stuff"
needed to make that happen.

What the IAS seems to lack is the ability to send back AV pairs to
handle the authorization. In this case, Microsoft has given us a
wonderful AA tool. Not AAA. (As in Authentication and Accounting, Not
Authentication, Authorization and Accounting).

Radius on most *NIX platforms will allow you to do Cisco AV pairs but it
requires a lot of mental jumping jacks to get there.

If you manage to figure out how to get IAS to send back AV pairs to the IOS
gear, let us all know.

Then again, this sounds like an interesting challenge for this week.

Chris Johnston
714-306-5746
949-653-8819 (fax)

             Cannot find REALITY.SYS. Universe halted.
-------------------------------------------------------------------

-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
Robert N Myhre
Sent: Saturday, May 17, 2003 12:34 PM
To: ccielab@groupstudy.com
Subject: Microsoft IAS for Radius

Has anyone used Microsoft's IAS server as a Radius server for logon
authentication and authorization?

I have the authentication piece working fine, but I cannot find a way to
get an autocommand to work properly based on the user credentials
supplied. Has anyone got this to work?

Thanks

Robert



This archive was generated by hypermail 2.1.4 : Mon Jun 02 2003 - 15:13:45 GMT-3