Say you want to give a network admin access to a Cisco router via telnet with Radius authentication (the user account is stored in AD).
The network admin is not a system admin, so he does not have administrator rights on the AD domain, but he has to have level 15 access to all Cisco devices.
Here is the configuration of the router (tested on a Cisco 1800 Series):
enable secret 5 ############
aaa new-model
aaa authentication login default group radius local
aaa authorization exec default group radius local
privilege configure level 7 snmp-server host
privilege configure level 7 snmp-server enable
privilege configure level 7 snmp-server
privilege exec level 7 ping
privilege exec level 7 configure terminal
privilege exec level 7 configure
line con 0
 password 7 ############
line aux 0
line vty 0 4
 password 7 ############
 transport input telnet
 session-timeout 60
Quick description:
enable secret 5 - the (type 5, hashed) enable password; it restricts the use of the "enable" command, i.e. promotion to the admin level
aaa new-model - starts the AAA configuration
aaa authentication login default group radius local - login authentication is done by the AAA mechanism in the following fashion:
- first the default authentication group is used (I did not create my own authgroup for this example) and the credentials are checked by a Radius server
- if, and only if, the Radius server does not respond, the local user database is checked
aaa authorization exec default group radius local - the privilege level of the EXEC session is taken from the Radius reply (the shell:priv-lvl AV-pair set on the Windows side), with the same fallback to the local database
The next set of commands creates a new privilege level. In Cisco IOS the admin level is 15; it has full rights on the device. A lower level must be defined before it can be used.
In this case I created level 7, with the right to execute ping, enter configuration mode and configure SNMP settings.
line vty 0 4 - telnet connection configuration (five lines in total, from 0 to 4)
Now for the Windows 2008 Server R2 side:
Network policy for level 15:
- Windows Group: NetAdmins
- Standard Attributes: 7 (Framed Protocol) - PPP, 6 (Service Type) - NAS Prompt
- Cisco Attributes AV-Pair: shell:priv-lvl=15
Network policy for level 7:
- Windows Group: SomeoneElse
- Standard Attributes: 7 (Framed Protocol) - PPP, 6 (Service Type) - NAS Prompt
- Cisco Attributes AV-Pair: shell:priv-lvl=7
Now, when logging in via telnet, users belonging to the NetAdmins group gain full access to the router (without the need for the "enable" command), while users from the SomeoneElse group only get level 7.
If a user from the other group wanted full access, he would have to know the enable secret.
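As an added example (not from the original post), the following Python builds the RADIUS Access-Accept that the two network policies above produce (Service-Type NAS-Prompt, Framed-Protocol PPP and the Cisco Vendor-Specific AV-pair) and then verifies the Response Authenticator before extracting shell:priv-lvl the way the router does under "aaa authorization exec". The shared secret and the Request Authenticator are constructed sample values; a reply with a bad authenticator yields no privilege level at all.

```python
import hashlib
import struct

ACCESS_ACCEPT = 2
ATTR_SERVICE_TYPE = 6        # value 7 = NAS-Prompt
ATTR_FRAMED_PROTOCOL = 7     # value 1 = PPP
ATTR_VENDOR_SPECIFIC = 26
CISCO_VENDOR_ID = 9
CISCO_AVPAIR = 1             # vendor sub-type carrying "shell:priv-lvl=N"

def attr(atype, value):
    """Encode one RADIUS attribute as Type, Length, Value."""
    return struct.pack("!BB", atype, 2 + len(value)) + value

def cisco_avpair(text):
    """Wrap a Cisco AV-pair in a Vendor-Specific (26) attribute."""
    sub = struct.pack("!BB", CISCO_AVPAIR, 2 + len(text)) + text.encode()
    return attr(ATTR_VENDOR_SPECIFIC, struct.pack("!I", CISCO_VENDOR_ID) + sub)

def build_access_accept(ident, request_auth, secret, priv_lvl):
    """Access-Accept as the NPS policies above would send it to the router."""
    attrs = (attr(ATTR_SERVICE_TYPE, struct.pack("!I", 7))
             + attr(ATTR_FRAMED_PROTOCOL, struct.pack("!I", 1))
             + cisco_avpair(f"shell:priv-lvl={priv_lvl}"))
    header = struct.pack("!BBH", ACCESS_ACCEPT, ident, 20 + len(attrs))
    # Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attributes+Secret)
    resp_auth = hashlib.md5(header + request_auth + attrs + secret).digest()
    return header + resp_auth + attrs

def parse_priv_lvl(packet, request_auth, secret):
    """Return the priv-lvl from a verified Access-Accept, else None."""
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    attrs = packet[20:length]
    expected = hashlib.md5(packet[:4] + request_auth + attrs + secret).digest()
    if code != ACCESS_ACCEPT or expected != packet[4:20]:
        return None   # forged, tampered or wrong shared secret: grant nothing
    pos = 0
    while pos + 2 <= len(attrs):
        atype, alen = attrs[pos], attrs[pos + 1]
        value = attrs[pos + 2:pos + alen]
        if atype == ATTR_VENDOR_SPECIFIC and value[:4] == struct.pack("!I", CISCO_VENDOR_ID):
            vpos = 4   # walk the vendor sub-attributes inside the VSA
            while vpos + 2 <= len(value):
                vtype, vlen = value[vpos], value[vpos + 1]
                text = value[vpos + 2:vpos + vlen].decode(errors="replace")
                if vtype == CISCO_AVPAIR and text.startswith("shell:priv-lvl="):
                    return int(text.split("=", 1)[1])
                vpos += max(vlen, 2)   # max() guards against a zero-length loop
        pos += max(alen, 2)
    return None
```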