1

Related to Authenticate ssh key via Cisco ACS (TACACS+)

Given a working ssh public key config:

    ip ssh pubkey-chain
     username admin
      key-string
       <ssh-pub-key>
      exit
     exit

I have only been able to provide authorization for the above with an additional username entry:

username admin privilege 15 

Nice to discover that you can leave off the secret part, but is there a way to have the Cisco query the RADIUS for the privilege level, and/or combine the authorization into the pubkey-chain?

5
  • RADIUS is limited, but you can do what you want with TACACS. Commented Sep 1, 2016 at 14:16
  • @RonMaupin Do you have a reference? Or a search string? Commented Sep 1, 2016 at 14:28
  • Unfortunately, resource recommendations are off-topic, but you can just search for TACACS. Commented Sep 1, 2016 at 14:29
  • "TACACS+ is a CISCO designed extension to TACACS that encrypts the full content of each packet. Moreover, it provides granular control (command by command authorization)." Commented Sep 1, 2016 at 14:31
  • Did any answer help you? If so, you should accept the answer so that the question doesn't keep popping up forever, looking for an answer. Alternatively, you could provide and accept your own answer. Commented Aug 15, 2017 at 1:32

3 Answers

1

If the RADIUS server supports Cisco AV-pair attributes, then you can configure it to push:

cisco-avpair = shell:priv-lvl=15

Note that this requires authorization to be enabled in addition to authentication.

Src: How to Assign Privilege Levels with TACACS+ and RADIUS
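
The device-side setup this answer describes, as an added example (not from the answer or from the linked Cisco document). The server name, group name, address and key are placeholders. It covers logins that the RADIUS server itself authenticates, since the attribute travels in the server's Access-Accept reply.

```text
! Added example: IOS AAA configuration so that a RADIUS-supplied
! privilege level is applied to the exec session.
! RADIUS-1, RADIUS-GROUP, 192.0.2.10 and <shared-secret> are placeholders.
aaa new-model
!
radius server RADIUS-1
 address ipv4 192.0.2.10 auth-port 1812 acct-port 1813
 key <shared-secret>
!
aaa group server radius RADIUS-GROUP
 server name RADIUS-1
!
! Authentication: ask RADIUS first. "local" is used only when the
! server does not respond, so keep a local account for that case.
aaa authentication login default group RADIUS-GROUP local
!
! Authorization: without exec authorization the priv-lvl value sent by
! the server is not applied and the session starts at the default level.
aaa authorization exec default group RADIUS-GROUP local
!
! Attribute the RADIUS server returns for the user (from the answer):
!   cisco-avpair = shell:priv-lvl=15
!
line vty 0 4
 login authentication default
 authorization exec default
 transport input ssh
```

After logging in, `show privilege` reports the level the session actually received.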

0

Here's a great link for Windows 2012r2 and Cisco. I know it's not great to just supply a link, but it's so helpful I wanted to share. If I could do a comment instead I would.

Link for server 2012r2 and Cisco

1
  • sadly, this link has no mention of ssh keys... Commented Sep 6, 2016 at 23:51
0

To provide an answer to silence this question: Ron Maupin provided the best clue. Basically you can't use RADIUS to provide ssh keys.

TACACS is a very nice protocol, but it won't work because not enough non-Cisco devices will use it.
