Commands authorization

The RADIUS protocol combines user authentication and authorization steps into one phase. The user must be successfully authenticated before the RADIUS server will send authorization information from the user's profile to the Network Access Server (NAS). After user authentication has occurred, the authorization information provided by the RADIUS server is stored on the NAS for the duration of the user's session. Changes in the user's authorization profile during this time will not be effective until after the next authentication occurs.

You can limit the services for a user by enabling AAA RADIUS authorization. The NAS uses the information set up on the RADIUS server to control the user's access to CLI commands.

The authorization type implemented on the switches is the "commands" method. This method explicitly specifies on the RADIUS server which commands are allowed on the client device for authenticated users. This is done on a per-user or per-group basis.


[NOTE: ]

NOTE: Commands authorization is applied only to commands entered from Telnet, SSH, or console sessions. It is not applied to the Web management interface.


By default, all users may execute a minimal set of commands regardless of their authorization status, for example, "exit" and "logout". This minimal set of commands can prevent deadlock on the switch due to an error in the user's authorization profile on the RADIUS server.

Enabling authorization

To control access to the CLI commands, enter this command at the CLI.

Syntax:

[no] aaa authorization <commands> <local|radius|none>

Configures authorization for controlling access to CLI commands. When enabled, the switch checks the list of commands supplied by the RADIUS server during user authentication to determine if a command entered by the user can be executed.

local: Use local groups as the authorization method.

radius: The NAS requests authorization information from the RADIUS server. Authorization rights are assigned by user or group.

none: The NAS does not request authorization information.

For example, to enable the RADIUS protocol as the authorization method:

HP Switch(config)# aaa authorization commands radius

When the NAS sends the RADIUS server a valid username and password, the RADIUS server returns an Access-Accept packet that contains two attributes: the command list and the command exception flag. When an authenticated user enters a command on the switch, the switch examines the list of commands delivered in the RADIUS Access-Accept packet together with the command exception flag, which indicates whether the user is permitted or denied the commands in the list. See Configuring commands authorization on a RADIUS server.

After the Access-Accept packet is delivered, the command list resides on the switch. Any changes to the user's command list on the RADIUS server are not seen until the user is authenticated again.

Viewing authorization information

Syntax:

show authorization

Displays the authorization method currently configured for controlling access to CLI commands (local, RADIUS, or none).

The show authorization command

HP Switch(config)# show authorization

 Status and Counters - Authorization Information

  Type     | Method
  -------- + ------
  Commands | RADIUS

Configuring commands authorization on a RADIUS server

Using vendor specific attributes (VSAs)

Some RADIUS-based features implemented on HP switches use HP VSAs for information exchange with the RADIUS server. RADIUS Access-Accept packets sent to the switch may contain the vendor-specific information.

The attributes supported with commands authorization are:

  • HP-Command-String: List of commands (regular expressions) that are permitted (or denied) execution by the user. The commands are delimited by semi-colons and must be between 1 and 249 characters in length. Multiple instances of this attribute may be present in Access-Accept packets. (A single instance may be present in Accounting-Request packets.)

  • HP-Command-Exception: A flag that specifies whether the commands indicated by the HP-Command-String attribute are permitted or denied to the user. A zero (0) means permit all listed commands and deny all others; a one (1) means deny all listed commands and permit all others.

The results of using the HP-Command-String and HP-Command-Exception attributes in various combinations are shown below.

HP command string and exception

  HP-Command-String    | HP-Command-Exception       | Result for the authenticated user
  -------------------- + ------------------------- + ---------------------------------
  Not present          | Not present               | Login refused. If commands authorization is enabled and the Access-Accept packet carries no authorization attributes, the switch reports: "Access denied: no user's authorization info supplied by the RADIUS server."
  Not present          | DenyList-PermitOthers (1) | May execute all commands available on the switch.
  Not present          | PermitList-DenyOthers (0) | May execute only the minimal default command set (the commands available to any user).
  Commands list        | DenyList-PermitOthers (1) | May execute all commands except those in the list.
  Commands list        | PermitList-DenyOthers (0) | May execute only the commands in the list, plus the default commands.
  Commands list        | Not present               | May execute only the commands in the list, plus the default commands (an absent flag behaves as 0).
  Empty commands list  | Not present               | May execute only the minimal default command set.
  Empty commands list  | DenyList-PermitOthers (1) | May execute all commands available on the switch.
  Empty commands list  | PermitList-DenyOthers (0) | May execute only the minimal default command set.
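The following Python is an added example, not code from the HP manual or from HP: it encodes the two HP VSAs into a constructed Access-Accept (vendor ID 11, sub-attributes 2 and 3, zeroed authenticator, so no Response Authenticator check is made), parses them back out the way a NAS would, and applies the permit/deny table above to commands typed at the CLI. Three things are my assumptions rather than the manual's: each command string is matched as an unanchored regular expression (re.search), so an administrator who wants prefix matching must write ^; the minimal default set is just "exit" and "logout"; and HP-Command-Exception is carried as a standard 4-byte RADIUS integer.

```python
import re
import struct
from typing import Optional

HP_VENDOR_ID = 11            # IETF vendor code from the HP dictionary definitions
VSA_COMMAND_STRING = 2       # HP-Command-String
VSA_COMMAND_EXCEPTION = 3    # HP-Command-Exception: 0 = permit list, 1 = deny list
ATTR_VENDOR_SPECIFIC = 26    # RFC 2865 Vendor-Specific attribute
DEFAULT_COMMANDS = {"exit", "logout"}   # assumed minimal set; the manual names these two


def build_hp_vsa(sub_type: int, value: bytes) -> bytes:
    """Encode one Vendor-Specific attribute (type 26) wrapping one HP sub-attribute."""
    sub = struct.pack("!BB", sub_type, 2 + len(value)) + value
    body = struct.pack("!I", HP_VENDOR_ID) + sub
    return struct.pack("!BB", ATTR_VENDOR_SPECIFIC, 2 + len(body)) + body


def build_access_accept(attrs: bytes) -> bytes:
    """Constructed Access-Accept (code 2) with a zeroed authenticator; for parsing only."""
    return struct.pack("!BBH", 2, 1, 20 + len(attrs)) + bytes(16) + attrs


def parse_hp_vsas(packet: bytes):
    """Return (command_list, exception_flag) found in an Access-Accept.
    command_list is None if no HP-Command-String was present, [] if present but empty."""
    commands: Optional[list] = None
    exception: Optional[int] = None
    pos = 20                                   # skip the 20-byte RADIUS header
    while pos + 2 <= len(packet):
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > len(packet):
            raise ValueError("malformed RADIUS attribute")
        if (atype == ATTR_VENDOR_SPECIFIC and alen >= 6
                and struct.unpack("!I", packet[pos + 2:pos + 6])[0] == HP_VENDOR_ID):
            sub = packet[pos + 6:pos + alen]
            spos = 0
            while spos + 2 <= len(sub):
                stype, slen = sub[spos], sub[spos + 1]
                if slen < 2 or spos + slen > len(sub):
                    raise ValueError("malformed HP sub-attribute")
                sval = sub[spos + 2:spos + slen]
                if stype == VSA_COMMAND_STRING:
                    # several instances may appear; each is a ';'-delimited list of regexes
                    commands = (commands or []) + [c for c in sval.decode().split(";") if c]
                elif stype == VSA_COMMAND_EXCEPTION and slen == 6:
                    exception = struct.unpack("!I", sval)[0]
                spos += slen
        pos += alen
    return commands, exception


def login_permitted(commands, exception) -> bool:
    """First row of the table: no authorization attributes at all refuses the login."""
    return not (commands is None and exception is None)


def command_permitted(command: str, commands, exception) -> bool:
    """Remaining rows of the table, evaluated per command for an admitted session.
    Assumption: unanchored regex search, so '^' must be written for prefix matching."""
    if command in DEFAULT_COMMANDS:
        return True
    listed = any(re.search(pattern, command) for pattern in (commands or []))
    if exception == 1:                      # DenyList-PermitOthers
        return not listed
    return listed                           # PermitList-DenyOthers (0) or flag absent


def demo_permit_list() -> dict:
    """Constructed operator profile: only show/ping commands plus the defaults."""
    pkt = build_access_accept(
        build_hp_vsa(VSA_COMMAND_STRING, b"^show .*;^ping .*")
        + build_hp_vsa(VSA_COMMAND_EXCEPTION, struct.pack("!I", 0)))
    cmds, exc = parse_hp_vsas(pkt)
    return {c: command_permitted(c, cmds, exc)
            for c in ("show running-config", "ping 10.0.0.1", "configure", "logout")}


def demo_deny_list() -> dict:
    """Constructed admin profile: everything except config mode and erase, sent as
    two HP-Command-String instances to show that instances are concatenated."""
    pkt = build_access_accept(
        build_hp_vsa(VSA_COMMAND_STRING, b"^configure")
        + build_hp_vsa(VSA_COMMAND_STRING, b"^erase ")
        + build_hp_vsa(VSA_COMMAND_EXCEPTION, struct.pack("!I", 1)))
    cmds, exc = parse_hp_vsas(pkt)
    return {c: command_permitted(c, cmds, exc)
            for c in ("configure", "erase startup-config", "show ip", "exit")}


def demo_no_profile() -> bool:
    """Access-Accept carrying no HP attributes: the login itself is refused."""
    cmds, exc = parse_hp_vsas(build_access_accept(b""))
    return login_permitted(cmds, exc)


if __name__ == "__main__":
    print(demo_permit_list())
    print(demo_deny_list())
    print("login permitted with no profile:", demo_no_profile())
```

The design point worth noticing is the last row: a server that authenticates the user but forgets to attach the VSAs produces a refused login rather than an unrestricted one, which is the safe failure mode, while a deny list with an unanchored pattern is the unsafe one to watch for when writing command strings.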

You must configure the RADIUS server to provide support for the HP VSAs. There are multiple RADIUS server applications; the two examples below show how a dictionary file can be created to define the VSAs for that RADIUS server application.

Example configuration on Cisco secure ACS for MS Windows

It is necessary to create a dictionary file that defines the VSAs so that the RADIUS server application can determine which VSAs to add to its user interface. The VSAs will appear below the standard attributes that can be configured in the application.

The dictionary file must be placed in the proper directory on the RADIUS server. Follow these steps.

  1. Create a dictionary file (for example, hp.ini) containing the HP VSA definitions, as shown in the example below.

    ;[User Defined Vendor]
    ;
    ; The Name and IETF vendor code and any VSAs MUST be unique.
    ;
    ; One or more VSAs named (max 255)
    ;
    ; Each named VSA requires a definition section...
    ;
    ; Types are STRING, INTEGER, IPADDR
    ;
    ; The profile specifies usage, IN for accounting, OUT for authorization,
    ; MULTI if more than a single instance is allowed per RADIUS message.
    ; Combinations are allowed, e.g. "IN", "MULTI OUT", "MULTI IN OUT"
    ;
    ; Enumerations are optional for INTEGER attribute types
    
    [User Defined Vendor]
    
    Name=HP
    IETF Code=11
    VSA 2=Hp-Command-String
    VSA 3=Hp-Command-Exception
    
    [Hp-Command-String]
    
    Type=STRING
    Profile=IN OUT
    
    [Hp-Command-Exception]
    
    Type=INTEGER
    
    Profile=IN OUT
    
    Enums=Hp-Command-Exception-Types
    
    [Hp-Command-Exception-Types]
    
    0=PermitList
    1=DenyList
    
  2. Copy the hp.ini dictionary file to c:\Program Files\CiscoSecure ACS v3.2\utils (or the \utils directory wherever ACS is installed).

  3. From the command prompt execute the following command:

    c:\Program files\CiscoSecure ACS v3.2\utils> csutil -addudv 0 hp.ini
    

    The zero (0) is the slot number. You will see some processing messages:

    Adding or removing vendors requires ACS services to be
    re-started. Please make sure regedit is not running as
    it can prevent registry backup/restore operations.
    
    Are you sure you want to proceed? (Y or N) y
    
    Parsing [.\hp.ini] for addition at UDV slot [0]
    Stopping any running services
    Creating backup of current config
    
    Adding Vendor [HP] added as [RADIUS (HP)]
    
    Done
    Checking new configuration...
    New configuration OK 
    Re-starting stopped services
    
  4. Start the registry editor (regedit) and browse to HKEY_LOCAL_MACHINE\software\cisco\CiscoAAA v3.2\NAS Vendors tree.

    Cisco adds the entry into this tree for each custom vendor. The id is 100 + the slot number used in the previous command (100 + 0, as it was added in slot 0). Look in the key to verify the vendor name and id.

  5. Go to:

    HKEY_LOCAL_MACHINE\software\cisco\CiscoAAAv3.2\CSRadius\ExtensionPoints\002\AssociatedWithVendors
    
  6. Right-click and then select New > key. Add the vendor Id number that you determined in step 4 (100 in the example).

  7. Restart all Cisco services.

  8. The newly created HP RADIUS VSA appears only when you configure an AAA client (NAS) to use the HP VSA RADIUS attributes. Select Network Configuration and add (or modify) an AAA entry. In the Authenticate Using field choose RADIUS(HP) as an option for the type of security control protocol.

  9. Select Submit + Restart to effect the change. The HP RADIUS VSA attributes will appear in Cisco ACS configurations, for example, "Interface Configuration", "Group Setup", "User Setup".

To enable the processing of the HP-Command-String VSA for RADIUS accounting:

  1. Select System Configuration.

  2. Select Logging.

  3. Select CSV RADIUS Accounting. In the Select Columns to Log section, add the HP-Command-String attribute to the Logged Attributes list.

  4. Select Submit.

  5. Select Network Configuration. In the AAA Clients section, select an entry in the AAA Client Hostname column. You will go to the AAA Client Setup screen.

  6. Check the box for Log Update/Watchdog Packets from this AAA Client.

  7. Click Submit + Restart. You should be able to see the HP-Command-String attribute in the RADIUS accounting reports.

  8. In User Setup or Group Setup, enter the commands you wish to allow or deny. Each command string is a standard regular expression, so c (a literal character), ., \, [list], [^list], *, ^ and $ have their usual meanings; anchor a pattern with ^ when it must match only at the start of the command. Strings must be between 1 and 249 characters in length.

Example configuration using FreeRADIUS

  1. Create a dictionary file (for example, dictionary.hp) containing HP VSA definitions. An example file is:

  2. Find the location of the dictionary files used by FreeRADIUS (try /usr/local/share/freeradius for a source build, or /usr/share/freeradius on most distribution packages).

  3. Copy dictionary.hp to that location. Open the existing dictionary file and add this entry:

    $INCLUDE dictionary.hp

  4. You can now use HP VSAs with other attributes when configuring user entries.
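The page's own dictionary figure did not survive extraction, so the following is an added example written from the two attribute definitions given above (vendor code 11; VSA 2 string; VSA 3 integer with values 0 and 1), not the file shipped by HP or FreeRADIUS. The VALUE names, the user names and the passwords are my own choices, and the entries assume FreeRADIUS 3 syntax (Cleartext-Password as the check item; the user entries go in mods-config/files/authorize, which older releases call users).

```text
# dictionary.hp  -- constructed from the HP-Command-String / HP-Command-Exception definitions
VENDOR          HP                      11

BEGIN-VENDOR    HP
ATTRIBUTE       HP-Command-String       2       string
ATTRIBUTE       HP-Command-Exception    3       integer

# value names are illustrative; the switch only sees the integer
VALUE           HP-Command-Exception    Permit-List-Deny-Others     0
VALUE           HP-Command-Exception    Deny-List-Permit-Others     1
END-VENDOR      HP

# users (mods-config/files/authorize in FreeRADIUS 3) -- two constructed profiles
# operator: may run only show and ping commands, plus the switch's default commands
operator1       Cleartext-Password := "example-only"
                HP-Command-String = "^show .*;^ping .*",
                HP-Command-Exception = Permit-List-Deny-Others

# network admin: may run everything except entering config mode or erasing the box
netadmin1       Cleartext-Password := "example-only"
                HP-Command-String = "^configure;^erase ",
                HP-Command-Exception = Deny-List-Permit-Others
```

After restarting the server, a test login with radtest against operator1 should show both HP attributes in the Access-Accept that radiusd -X prints; if they are missing, check that the $INCLUDE line was added to the main dictionary, because the table above shows that an Access-Accept with no HP attributes refuses the login rather than granting full access.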