000017963 - Cisco Router setup for implementing restricted service profile

Document created by RSA Customer Support Employee on Jun 16, 2016. Last modified by RSA Customer Support Employee on Apr 21, 2017.
Version 2

Article Content

Article Number: 000017963
Applies To: Cisco Router
Issue: Cisco Router setup for implementing restricted service profile
Resolution: Two authorization directives are required in the Cisco configuration, as follows:

aaa authorization network radius none
aaa authorization exec radius

The first line tells the Cisco to use RADIUS for network authorization. This directs the Cisco to apply the contents of the RADIUS profile returned in the Access-Accept packet that comes back with a successful authentication.

The second line tells the Cisco that if the RADIUS directive is not merely something that sets up the connection (such as 'use PPP protocol') but an exec directive (such as 'Telnet to machine X'), then the user should be allowed to do it.

These two lines set up the router to accept authorization from the RADIUS server only. This means that some kind of authorization attribute must be present in a user's RADIUS profile on the RADIUS server before that user is granted authorization.

NOTE: If the router is in live use and authorization is added incorrectly, all dial-in users will start to fail authorization and a denial of service will occur. This is because authorization is applied globally in the router.

Currently you are using a Default profile with no attributes defined in it. Authorization defined in the Cisco is a global definition that affects all users who try to connect. The authorization lines above therefore tell the Cisco that it has to receive its authorization parameters from RADIUS; but because the RADIUS profile is empty, a null authorization comes back from the RADIUS server. This is interpreted as an Access-Reject and the user fails authorization (in accordance with the RFC).

This means that there must be a suitable attribute in the RADIUS profile for the users. Currently, your users are logging into the Cisco and getting a Cisco prompt, which then allows them to access other resources on the network. To authorise the users to do this, you need to add the attribute Service-Type to the Default profile with the value Shell-User. In my profile I have only this one attribute, and it gives me authorised shell access to the Cisco router.

Once this is done (and you will see no effect, since all the users have exactly the same rights as before), you need to create a profile that restricts the other users to the resources you wish to restrict them to. So, for example, if you wished some users to telnet directly to a machine, you would create a new profile (called something appropriate, obviously) and set up the following attributes in it:

Login-IP-Host                          (Tells the NAS which machine to connect to)
Login-Service       Telnet             (Tells the NAS how to connect)
Service-Type        Login-User         (Tells the NAS to allow the user to log in to the specified resource)

This profile (which I have on my machine) produces the following behaviour, provided authorization is switched on: when a user connects to the Cisco, s/he is authenticated and then connected to, and presented with, the login prompt of machine

So, in summary, to implement the solution you need to carry out the following steps in sequence. I have tested the effects of using this sequence and there should be no detrimental effect.

1. Add the Service-Type attribute with the value Shell-User to the Default profile.

This is an authorization directive telling the NAS to allow users to log into it. The NAS ignores this directive until authorization is enabled on it. Because none of the users in the database currently have a profile assigned to them, it takes effect for all of them.

2. Add the following two authorization lines to the NAS:

aaa authorization network radius none
aaa authorization exec radius

These lines enable access authorization on the NAS. You and your users should see no change in any of the services you or they currently enjoy.

3. Add the 'restricted' profile to the ACE/Server with the attributes as follows:

Login-IP-Host        <IP address of machine to log in to - e.g.>
Login-Service        <Service you wish the user to use - e.g. Telnet>
Service-Type         <Service you require - e.g. Login-User>

4. Test the restricted profile by assigning it to a test user.
5. Assign the restricted profile to each of the restricted users in turn.
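The following Python model is an added example, not code from the article or from RSA or Cisco. It encodes the three profiles discussed above (the empty Default profile, the Default profile with Service-Type = Shell-User, and the restricted Login-User profile) as RFC 2865 attribute-value pairs, then applies the router's authorization decision as the article describes it: an empty profile is treated as an Access-Reject, Shell-User grants exec shell access, and Login-User with Login-Service and Login-IP-Host connects the user to the named host. The attribute type numbers (6, 14, 15) and integer values (Login-User = 1, Shell-User = 6, Telnet = 0) are the standard RADIUS dictionary values; the host address 192.0.2.10 is constructed, and treating a Login-User profile that lacks a host or service as a reject is this example's own conservative assumption, not something the article states.

```python
import struct
import ipaddress

# RFC 2865 attribute type numbers (standard values, not taken from the article).
SERVICE_TYPE = 6
LOGIN_IP_HOST = 14
LOGIN_SERVICE = 15

# Dictionary names used in the article mapped to their integer wire values.
# "Shell-User" is the ACE/Server / Livingston dictionary name for Service-Type 6
# (RFC 2865 calls the same value "Administrative"); "Login-User" is value 1.
SERVICE_TYPE_VALUES = {"Login-User": 1, "Shell-User": 6}
LOGIN_SERVICE_VALUES = {"Telnet": 0, "Rlogin": 1, "TCP-Clear": 2}
LOGIN_SERVICE_NAMES = {v: k for k, v in LOGIN_SERVICE_VALUES.items()}


def encode_avp(attr_type, value):
    """Encode one attribute as Type | Length | Value (RFC 2865 section 5).
    Integers become 4-octet big-endian; bytes (e.g. a packed IPv4) pass through."""
    data = struct.pack("!I", value) if isinstance(value, int) else bytes(value)
    return struct.pack("!BB", attr_type, 2 + len(data)) + data


def build_profile(attrs):
    """Encode a profile given as a list of (attr_type, int-or-bytes) pairs."""
    return b"".join(encode_avp(t, v) for t, v in attrs)


def decode_avps(data):
    """Walk a byte string of attributes, returning [(type, value_bytes), ...]."""
    attrs, off = [], 0
    while off < len(data):
        if off + 2 > len(data):
            raise ValueError("truncated attribute header")
        attr_type, length = struct.unpack_from("!BB", data, off)
        if length < 2 or off + length > len(data):
            raise ValueError("malformed attribute length")
        attrs.append((attr_type, data[off + 2:off + length]))
        off += length
    return attrs


def authorize(accept_attrs):
    """Model the router's decision with 'aaa authorization exec radius' and
    'aaa authorization network radius none' enabled, as the article describes.
    Returns 'reject', 'exec-shell', or 'login <service> <host>'."""
    avps = dict(decode_avps(accept_attrs))  # assumes each attribute appears once
    if not avps:
        return "reject"  # empty profile: null authorization == Access-Reject
    service_type = avps.get(SERVICE_TYPE)
    if service_type is None:
        return "reject"  # no authorization attribute at all
    st_value = struct.unpack("!I", service_type)[0]
    if st_value == SERVICE_TYPE_VALUES["Shell-User"]:
        return "exec-shell"  # user gets the router prompt
    if st_value == SERVICE_TYPE_VALUES["Login-User"]:
        host = avps.get(LOGIN_IP_HOST)
        svc = avps.get(LOGIN_SERVICE)
        if host is None or svc is None:
            return "reject"  # assumption: incomplete restricted profile is refused
        svc_name = LOGIN_SERVICE_NAMES.get(struct.unpack("!I", svc)[0], "unknown")
        return f"login {svc_name.lower()} {ipaddress.IPv4Address(host)}"
    return "reject"  # any other Service-Type is outside the article's scope


# Constructed sample profiles mirroring the three stages in the article.
DEFAULT_PROFILE_BEFORE = build_profile([])
DEFAULT_PROFILE_AFTER = build_profile(
    [(SERVICE_TYPE, SERVICE_TYPE_VALUES["Shell-User"])])
RESTRICTED_PROFILE = build_profile([
    (LOGIN_IP_HOST, ipaddress.IPv4Address("192.0.2.10").packed),  # constructed host
    (LOGIN_SERVICE, LOGIN_SERVICE_VALUES["Telnet"]),
    (SERVICE_TYPE, SERVICE_TYPE_VALUES["Login-User"]),
])

if __name__ == "__main__":
    for name, profile in [("default (empty)", DEFAULT_PROFILE_BEFORE),
                          ("default + Shell-User", DEFAULT_PROFILE_AFTER),
                          ("restricted", RESTRICTED_PROFILE)]:
        print(f"{name:22s} {profile.hex():40s} -> {authorize(profile)}")
```

Running the block prints the hex encoding of each profile beside the decision the router would reach, which makes the NOTE above concrete: with authorization enabled and the Default profile still empty, every user is rejected until step 1 has been carried out.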

This should be the sum total of the work required. The initial group of restricted users is about 20 strong so assigning the restricted profile to them individually should only take a matter of minutes.
Legacy Article ID: 1.0.254139.2248413