Question about RADIUS versus TACACS

emailsbecker

Question about RADIUS versus TACACS

Post by emailsbecker »

My current employer is implementing RADIUS and has mentioned how we have to configure profiles on each device that will establish what commands each profile will have access to, like this:

  profile "ghost"
    default-action permit-all
    entry 1
      match "configure"
      action permit
    exit
    entry 2
      match "show"
    exit
    entry 3
      match "exit"
    exit
  exit
At my previous employer we used TACACS and I know we did not have to configure profiles. My hunch is there's something about the way TACACS and RADIUS work that makes it so that if you use TACACS you don't have to configure the profile locally. The downside of that is that every single command you type is sent to the TACACS server for approval, which can be very, very slow if there are connectivity issues. The documentation I've found seems to imply that (because it only includes configuring profiles under the RADIUS section but not under the TACACS section) but does not specifically state it. Has anyone configured both and can confirm this? It would save me the trouble of labbing it up. I can ask my Alcatel rep the next time we have a conference call too, but that won't be for another week or two.

I've also seen in this document that you can configure profiles in your RADIUS dictionary like so:

users.timetra
ruser1 Auth-Type := System, Password == "ruser1"
    Service-Type = Login-User,
    Idle-Timeout = 600,
    Timetra-Access = console,
    Timetra-Home-Directory = "cf3:",
    Timetra-Restrict-To-Home = true,
    Timetra-Default-Action = permit-all,
    Timetra-Cmd = "tools;telnet;configure system security",
    Timetra-Action = deny
... however my boss said if you do this then you have to configure ALL users in the RADIUS dictionary, and the RADIUS server will only authenticate against the dictionary and will not authenticate against the Domain Controller. Has anyone managed to configure RADIUS to do both? Configure a user profile but still authenticate against the DC?
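As an added illustration (not from the original post or the Alcatel documentation), this is a FreeRADIUS users-file entry that authenticates every login against Active Directory and only returns the name of a profile that is defined locally on the router, instead of carrying Timetra-Cmd/Timetra-Action rules in the dictionary. It assumes FreeRADIUS with the ntlm_auth module enabled and listed in the authenticate section, the Alcatel SR dictionary loaded, and a local profile named "ghost" on the device:

```text
# users (FreeRADIUS) - constructed example, not from the original thread
#
# No per-user entries: DEFAULT matches any username, and Auth-Type
# ntlm_auth hands the password check to the Domain Controller.
DEFAULT Auth-Type := ntlm_auth
    Service-Type = Login-User,
    Timetra-Access = console,
    # Name of the profile configured on the router; the command rules
    # themselves stay local (assumed profile name "ghost").
    Timetra-Profile = "ghost"
```

Only the profile name travels in the Access-Accept; which commands it permits is still decided by the entries configured on the router, so the local profile has to exist before the user logs in.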
mivens
Member
Posts: 262
Joined: 28 Sep 2012 06:34

Re: Question about RADIUS versus TACACS

Post by mivens »

The TACACS authorisation functionality was improved in Release 12 - you probably want to take a look at a newer version of the System Management Guide than Release 8.

You can either use a single common local profile, send each command to the TACACS+ server for authorisation, or configure local profiles and map tacplus priv-lvl based authorisation to those profiles.

From the Release Notes:

"Release 12.0.R1 allows the operator to configure local profiles and then map TACACS+ priv-lvl-based authorization to those profiles (instead of authorizing via the TACACS+ server command by command). This new behavior is configured using the “use-priv-lvl” option for TACACS+ authorization. Interaction with “enable-admin” using the new “tacplus-map-to-priv-lvl” command is also supported."