03-26-2012 10:21 AM
I have been looking through the site at different discussions about getting FWS switches working with the NPS server in 2k8 R2. I have tried the steps other users were able to follow to get the correct access and have been unable to get the same results. Following are my setup parameters in the server and the switch. I would like to have any user in the user level run any of the commands and any user in the privilege mode run all commands and config mode commands. Any help would be appreciated.
Server radius settings:
user level network policy
"conditions" tab:
windows groups set to group of users to have read only privileges
"settings" tab:
standard attributes -- "framed-protocol = PPP" "Service-type=Framed"
Vendor Specific:
1991 -- Decimal -- 5
1991 -- String -- *
1991 -- Decimal -- 0
privilege level network policy
"conditions" tab:
windows groups set to group of users to have privilege mode and conf mode privileges
"settings" tab:
standard attributes -- "framed-protocol = PPP" "Service-type=Framed"
Vendor Specific:
1991 -- Decimal -- 0
1991 -- String -- *
1991 -- Decimal -- 0
FWS648G setup:
OS: 07.3.00T7e1
! I've left the secondary login option off on purpose for testing.
radius-server host xxx.xx.xxx.xx
radius-server host xxx.xx.xxx.xx
radius-server key 1 *******************
radius-server retransmit 2
radius-server timeout 5
Logging in with a user in the user privilege mode, I get a successful auth and am dumped at the user prompt:
user@cs-test>
Logging in with a user in the higher privilege mode, I get the same prompt:
user_admin@cs-test>
It should be:
user_admin@cs-test#
If I read the FastIron_07300_Guide correctly, all of those should add up to my basic user and super user dumping into their respective roles. Am I missing something or doing something wrong? I've run packet captures to see the values being sent and returned and everything looks right but I'm not an expert at aaa by any means.
Thank you,
Ben
03-27-2012 12:01 PM
It looks like I may have this working by following the information you have and what's in this article: http://www.brocade.com/support/Product_Manuals/ServerIron_AdminGuide/security.3.7.html
When I assigned the Vendor-Specific attributes, I specified the Vendor Code: 1991, Vendor-Type - 1 and attribute value of 0 (super user) or 5 (read only) for each network policy. I didn't use the string "*" or the second decimal "0". I also didn't notice a difference in the prompts between the users (both ended with a #) - this may be due to our config (aaa authentication login privilege-mode) but the "read only" user cannot execute a "conf t" command. Hope this helps....
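The working configuration above comes down to one RADIUS Vendor-Specific attribute (RFC 2865 type 26) carrying Brocade/Foundry vendor ID 1991, vendor-type 1 and a 4-byte integer privilege level. The following Python is an added example, not code from this thread or from Brocade: it builds the Access-Accept attribute list NPS would send for each policy (Service-Type = Framed, Framed-Protocol = PPP, plus the VSA) and decodes it the way you would when checking a packet capture. The values 0 (super user) and 5 (read only) are the ones stated in the post; the name for level 4 (port-config) is taken from my recollection of the vendor documentation and is an assumption here.

```python
import struct

# Brocade/Foundry vendor ID and the vendor-type that carries the privilege level,
# as stated in the post above.
FOUNDRY_VENDOR_ID = 1991
FOUNDRY_PRIVILEGE_LEVEL = 1

# 0 and 5 are from the thread; 4 = port-config is assumed from vendor docs.
PRIVILEGE_NAMES = {0: "super-user", 4: "port-config", 5: "read-only"}

RADIUS_SERVICE_TYPE = 6      # standard attribute numbers from RFC 2865
RADIUS_FRAMED_PROTOCOL = 7
RADIUS_VENDOR_SPECIFIC = 26


def encode_vsa(vendor_id, vendor_type, data):
    """Build one RFC 2865 Vendor-Specific attribute:
    Type(26) Length Vendor-Id(4) | Vendor-Type Vendor-Length data."""
    inner = struct.pack("!BB", vendor_type, 2 + len(data)) + data
    body = struct.pack("!I", vendor_id) + inner
    return struct.pack("!BB", RADIUS_VENDOR_SPECIFIC, 2 + len(body)) + body


def encode_privilege_level(level):
    """The single VSA the post says is needed: 1991 / type 1 / decimal level."""
    return encode_vsa(FOUNDRY_VENDOR_ID, FOUNDRY_PRIVILEGE_LEVEL, struct.pack("!I", level))


def build_access_accept_attrs(level):
    """Attribute list matching the NPS policy in the thread (constructed sample)."""
    attrs = struct.pack("!BBI", RADIUS_SERVICE_TYPE, 6, 2)      # Service-Type = Framed (2)
    attrs += struct.pack("!BBI", RADIUS_FRAMED_PROTOCOL, 6, 1)  # Framed-Protocol = PPP (1)
    attrs += encode_privilege_level(level)
    return attrs


def parse_attributes(blob):
    """Walk a RADIUS attribute list and return [(type, value), ...].
    Length checks stop a truncated or malformed capture from being misread."""
    out, i = [], 0
    while i < len(blob):
        if len(blob) - i < 2:
            raise ValueError("truncated attribute header")
        t, length = blob[i], blob[i + 1]
        if length < 2 or i + length > len(blob):
            raise ValueError("bad attribute length")
        out.append((t, blob[i + 2:i + length]))
        i += length
    return out


def parse_vsas(value):
    """Split a type-26 payload into [(vendor_id, vendor_type, data), ...];
    one VSA may carry several vendor sub-attributes."""
    if len(value) < 4:
        raise ValueError("VSA shorter than Vendor-Id")
    vendor_id = struct.unpack("!I", value[:4])[0]
    out, i = [], 4
    while i < len(value):
        if len(value) - i < 2:
            raise ValueError("truncated vendor sub-attribute")
        vt, vl = value[i], value[i + 1]
        if vl < 2 or i + vl > len(value):
            raise ValueError("bad vendor sub-attribute length")
        out.append((vendor_id, vt, value[i + 2:i + vl]))
        i += vl
    return out


def foundry_privilege_level(attrs_blob):
    """Return the privilege level the switch should apply, or None if the
    Access-Accept carries no Foundry privilege-level VSA."""
    for t, v in parse_attributes(attrs_blob):
        if t != RADIUS_VENDOR_SPECIFIC:
            continue
        for vid, vt, data in parse_vsas(v):
            if vid == FOUNDRY_VENDOR_ID and vt == FOUNDRY_PRIVILEGE_LEVEL:
                if len(data) != 4:
                    raise ValueError("privilege level must be a 4-byte integer")
                return struct.unpack("!I", data)[0]
    return None


def privilege_name(level):
    """Human-readable name for a decoded level; unknown values are flagged."""
    return PRIVILEGE_NAMES.get(level, "unknown(%d)" % level)


if __name__ == "__main__":
    for level in (0, 5):
        blob = build_access_accept_attrs(level)
        print(blob.hex(), "->", privilege_name(foundry_privilege_level(blob)))
```

Running the block prints the raw attribute bytes next to the decoded role, so you can compare the hex against what a capture shows on the wire; an Access-Accept without the 1991/1 VSA decodes to None, which is the case where the switch falls back to whatever its own defaults are.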
03-27-2012 12:26 PM
That definitely is what I was looking for.
"I also didn't notice a difference in the prompts between the users (both ended with a #)". That statement is the key I think to what I was having issues with. I was under the impression users would dump into the > prompt instead of the # prompt. I tested what you did with the instructions from that link and replicated the non-uber user having basic commands and no conf mode. I then tested with my setup for uber user and had all commands available and conf mode. Thank you so much for your help.
03-27-2012 12:33 PM
No problem. What I'm stuck on now is trying to use an "Encrypted Authentication" (CHAP/MS-CHAP/MS-CHAP v2) instead of unencrypted (PAP, SPAP)...
03-27-2012 01:01 PM
Good luck with that! I read a bit into the FIPS and getting CHAP working and decided we didn't need it that badly.