Unsolved

1 Rookie • 2 Posts

February 23rd, 2022 02:00

Using Radius to set role based privilege-level users on S4148T-ON 10.5.2.

Hello,

We are trying to use Radius (using FreeRadius specifically) for centralized user access management into our Dell S4148T-ON switches (running 10.5.2.8 version), but have issues trying to find documentation on how to properly set up RBAC with the use of Vendor Specific Attributes with Radius.

The configuration that I have is fairly straightforward and works for basic auth:

aaa authentication login default group radius local

radius-server host **** key ****

Since I can't find any official documentation on what VSAs can be used in OS10, on older forum posts and older OS documentation I've found 3 options that seemingly worked on some hardware/software some time ago:

Cisco-avpair = "shell:priv-lvl=15"

Force10-avpair = "shell:priv-lvl=15"

DellEMC-avpair = "shell:priv-lvl=15"

When sending any of these in the Access-Accept response from the Radius server to switch, the user still only gets the lowest privilege level assigned.

According to this post Using-RADIUS-VSAs-for-RBAC - the solution is to enable authorization for radius, but on OS10 I don't seem to have this option for Radius, only for TACACS+:

Switch1(config)# aaa authorization exec-commands role sysadmin default group ?
tacacs+ To configure for tacacs server

That seemed like a possibility in OS9 according to documentation - configure-aaa-authorization-for-roles 

So my questions would be: 

  • What are the supported VSAs that need to be sent in Radius responses to a switch running OS10?
  • How can AAA authorization be enabled with Radius in OS10?
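To confirm what the Access-Accept described above actually carries on the wire before looking at the switch side, the Vendor-Specific attributes can be decoded directly. This is an added example, not part of the original post or Dell's documentation; the packet is constructed inline, the helper names are hypothetical, and it says nothing about which VSA OS10 honours.

```python
import struct

# IANA enterprise numbers; vendors not listed are reported by number.
VENDORS = {9: "Cisco", 674: "Dell"}

def vsa(vendor_id, vendor_type, text):
    """Encode one Vendor-Specific attribute (RFC 2865, type 26)."""
    data = text.encode()
    sub = bytes([vendor_type, len(data) + 2]) + data
    return bytes([26, len(sub) + 6]) + struct.pack("!I", vendor_id) + sub

def access_accept(attrs, ident=1):
    """Build a constructed Access-Accept (code 2) with a zeroed authenticator."""
    body = b"".join(attrs)
    return struct.pack("!BBH", 2, ident, 20 + len(body)) + bytes(16) + body

def decode_vsas(packet):
    """Return (vendor, vendor_type, text) for every VSA in a RADIUS packet."""
    if len(packet) < 20:
        raise ValueError("shorter than a RADIUS header")
    _code, _ident, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length > len(packet):
        raise ValueError("bad RADIUS length field")
    found, pos = [], 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("truncated attribute")
        value = packet[pos + 2:pos + alen]
        if atype == 26 and len(value) >= 6:
            vendor = struct.unpack("!I", value[:4])[0]
            sub = value[4:]
            # A VSA may pack several vendor sub-attributes back to back.
            while len(sub) >= 2 and 2 <= sub[1] <= len(sub):
                text = sub[2:sub[1]].decode("utf-8", "replace")
                found.append((VENDORS.get(vendor, str(vendor)), sub[0], text))
                sub = sub[sub[1]:]
        pos += alen
    return found

# Constructed sample: Reply-Message (type 18) plus Cisco-AVPair (vendor 9, type 1).
SAMPLE = access_accept([bytes([18, 4]) + b"ok", vsa(9, 1, "shell:priv-lvl=15")])

if __name__ == "__main__":
    for vendor, vtype, text in decode_vsas(SAMPLE):
        print(f"{vendor} vendor-type {vtype}: {text}")
```

In practice the bytes passed to `decode_vsas` would be the UDP payload of the Access-Accept taken from a capture on the RADIUS server.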

Moderator • 4K Posts

February 23rd, 2022 09:00

Hello,

You can follow here for the AAA authorization:

https://dell.to/3p9yOBn

Also, here is some documentation about RADIUS on OS10:

https://dell.to/3JPNNZa

Also, for AAA authentication and VSA, see here:

https://dell.to/3JPBR9A

I hope this doc helps.

Thanks
Marco

1 Rookie • 2 Posts

February 24th, 2022 06:00

Hello,

Your provided link for AAA authorization is for OS version 9.14.2.5 and is not applicable for OS version 10.5.2.8 as there is no option for commands:

aaa authorization role-only
line vty 1
login authentication test
authorization exec test

Could you please send exact commands on how to configure RADIUS authorization on OS10?

The link https://dell.to/3JPBR9A only shows how to use Cisco ISE to send a VSA, but does not exactly say what string needs to be sent in the Radius response from the Radius server too.

Thank you,

Andrius 

Moderator • 4K Posts

February 24th, 2022 10:00

Hello,

Here is the guide, page 1316:

https://dell.to/3sgUwFB

Thanks

Marco