Giving read-only access on Cisco IOS-XE with RADIUS authentication

I had a simple but time-consuming problem today. Our Cisco IOS-XE 16.12 routers authenticate users against AD via RADIUS to Microsoft NPS, with certain AD group(s) getting admin privileges. On the router side the configuration looks like this, where the server-private line points at the NPS server:

aaa group server radius MyRADIUS
 server-private auth-port 1812 acct-port 1813 key 0 abcd1234
 ip vrf forwarding Mgmt-intf
aaa new-model
aaa session-id common
aaa authentication login default local group MyRADIUS
aaa authentication enable default none
aaa authorization config-commands
aaa authorization exec default local group MyRADIUS if-authenticated

In NPS, I have a policy to match the appropriate Windows Group with Authentication Type = PAP and NAS Port Type = Virtual.  In the Settings tab, I then have this Vendor Specific RADIUS Attribute:

Name: Cisco-AV-Pair
Vendor: Cisco
Value: priv-lvl=15

This allows users in this group to SSH to any router and land at privilege level 15 immediately, which is full admin access.

Now I needed to give a certain AD group read-only access so they could view the running configuration. So I created a new policy matching that AD group, and in the RADIUS attributes, under Vendor Specific, added this one:

Name: Cisco-AV-Pair
Vendor: Cisco
Value: priv-lvl=7

The test account could then SSH to a router and confirm it landed at privilege level 7:

Router#show priv
Current privilege level is 7

One thing to check at this point: the config above has “aaa authentication enable default none”, which means the enable command is not authenticated at all, so a level-7 user who simply types “enable” is raised to level 15 with no password. For this group to be genuinely read-only, enable authentication has to point at something real, such as a local enable secret or the RADIUS group.
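As an added example that is not code from the original post, here is the exchange the router and NPS are having, modelled in Python from RFC 2865 with nothing but the standard library: the Access-Request the router sends (PAP password hidden with the shared secret, NAS-Port-Type set to Virtual, which is what the NPS condition matches), the Access-Accept carrying the Cisco-AVPair priv-lvl=7, the Response Authenticator check the router does before trusting the reply, and a function that recovers the PAP password from a captured request when the shared secret is known. The username, password and identifier are demo values, “abcd1234” is the demo key from the config above, and the assumption that a reply without a priv-lvl AV-pair lands the session at level 1 is mine, not something the post states.

```python
# Added example, not code from the original post: the RADIUS exchange behind the
# NPS policy above, modelled at the wire level with only the standard library.
# Constants are from RFC 2865 (vendor 9 / type 1 is Cisco-AVPair); the user,
# password and identifier are made-up demo values.
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_VSA, ATTR_NAS_PORT_TYPE = 1, 2, 26, 61
NAS_PORT_TYPE_VIRTUAL = 5          # matched by the NPS condition "NAS Port Type = Virtual"
VENDOR_CISCO, CISCO_AVPAIR = 9, 1  # Vendor-Specific: vendor Cisco, sub-attribute Cisco-AVPair


def attr(atype, value):
    """One attribute: Type, Length (counting these two bytes), Value."""
    return struct.pack("!BB", atype, len(value) + 2) + value


def cisco_avpair(text):
    """Vendor-Specific attribute carrying one Cisco-AVPair, e.g. priv-lvl=7."""
    return attr(ATTR_VSA, struct.pack("!I", VENDOR_CISCO) + attr(CISCO_AVPAIR, text.encode()))


def hide_password(password, secret, request_auth):
    """PAP User-Password hiding (RFC 2865 5.2): XOR each 16-byte block with
    MD5(secret + previous block), seeded by the Request Authenticator."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        keystream = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ k for p, k in zip(padded[i:i + 16], keystream))
        out += prev
    return out


def reveal_password(hidden, secret, request_auth):
    """Inverse of hide_password; anyone holding the shared secret can do this."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        keystream = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ k for c, k in zip(hidden[i:i + 16], keystream))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def build_access_request(username, password, secret, ident=1, request_auth=b""):
    """What the router sends for an SSH login: PAP over a virtual NAS port."""
    request_auth = request_auth or os.urandom(16)
    attrs = (attr(ATTR_USER_NAME, username.encode())
             + attr(ATTR_USER_PASSWORD, hide_password(password.encode(), secret, request_auth))
             + attr(ATTR_NAS_PORT_TYPE, struct.pack("!I", NAS_PORT_TYPE_VIRTUAL)))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + request_auth + attrs


def build_access_accept(request, secret, avpairs):
    """NPS's reply: Response Authenticator = MD5(header, request auth, attrs, secret)."""
    attrs = b"".join(cisco_avpair(p) for p in avpairs)
    header = struct.pack("!BBH", ACCESS_ACCEPT, request[1], 20 + len(attrs))
    return header + hashlib.md5(header + request[4:20] + attrs + secret).digest() + attrs


def parse_attrs(data):
    """Walk a TLV run; also used for the vendor data inside a Vendor-Specific attribute."""
    out, pos = [], 0
    while pos < len(data):
        atype, alen = data[pos], data[pos + 1]
        if alen < 2 or pos + alen > len(data):
            raise ValueError("malformed attribute")
        out.append((atype, data[pos + 2:pos + alen]))
        pos += alen
    return out


def verify_accept(response, request, secret):
    """The router's check before it trusts anything in the reply."""
    if len(response) < 20 or struct.unpack("!H", response[2:4])[0] != len(response):
        return False
    if response[0] != ACCESS_ACCEPT or response[1] != request[1]:  # code, identifier
        return False
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:] + secret).digest()
    return hmac.compare_digest(expected, response[4:20])


def priv_level(response):
    """Privilege level from a verified reply; no priv-lvl AV-pair is assumed to mean level 1."""
    for atype, value in parse_attrs(response[20:]):
        if atype == ATTR_VSA and len(value) >= 4 and struct.unpack("!I", value[:4])[0] == VENDOR_CISCO:
            for vtype, vvalue in parse_attrs(value[4:]):
                if vtype == CISCO_AVPAIR and vvalue.startswith(b"priv-lvl="):
                    return int(vvalue[9:].decode())
    return 1


def captured_password(request, secret):
    """Recover the PAP password from a captured Access-Request with the shared secret."""
    for atype, value in parse_attrs(request[20:]):
        if atype == ATTR_USER_PASSWORD:
            return reveal_password(value, secret, request[4:20])
    raise ValueError("no User-Password attribute")
```

Running build_access_request followed by build_access_accept with ["priv-lvl=7"] and checking it with verify_accept and priv_level reproduces the “Current privilege level is 7” result above. The point worth taking from the code: PAP over RADIUS is protected only by that shared secret and MD5, so the key in “key 0 abcd1234” (stored in cleartext because of the 0, and readable by anyone who can read the config) is effectively the password for every login crossing the management VRF, and the Response Authenticator is the only thing tying the priv-lvl the router applies to a genuine, unaltered reply from NPS.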

I then lowered the privilege level required for the show running-config commands on each router to 3, so that a level-7 user can run them:

privilege exec level 3 show running-config view full
privilege exec level 3 show running-config view
privilege exec level 3 show running-config
privilege exec level 3 show

But when running “show running-config” they got nothing back. It turned out one more step was needed: lowering the privilege level required to view files on the router as well:

file privilege 3

Now it works:

Router#show running-config view full
Building configuration...

Current configuration : 15124 bytes
! Last configuration change at 15:39:15 UTC Tue Mar 17 2020 by admin
! NVRAM config last updated at 15:39:21 UTC Tue Mar 17 2020 by admin
version 16.12
service timestamps debug datetime msec
service timestamps log datetime localtime show-timezone
service password-encryption
no service dhcp
service call-home



Palo Alto User Identification and Group Mapping Caveats

I wanted to write a firewall rule allowing only certain Active Directory group(s) to reach a given zone, destination IP, or service. Since the users connect directly to the Palo Alto via GlobalProtect, user tracking was already happening: the clients sit in the source zone “Trust”, which already had User-ID enabled.

I followed the steps in this KB article to configure group mapping but found two major gotchas. First, in the Authentication Profile the User Domain must be entered; once it was, users began showing up as domain\username rather than just username. Secondly, in the Group Mapping configuration the User Domain had to be left blank.

I can now write a rule with mydomain\group as the source user.

Common gotchas

In the source zone, make sure the User-ID option is checked.

In Device -> Server Profiles -> LDAP, set the Base DN to a level above all of the groups, and set the Bind DN to an account with privileges to look up group membership.

In Device -> Authentication Profile, set User Domain to the abbreviated AD domain name (the part that appears before the backslash in domain\username).

Under Device -> User Identification -> Group Mapping Settings tab, leave the User Domain field blank.

Useful troubleshooting commands

Check the user-to-IP-address mapping table

show user ip-user-mapping all

Get list of LDAP groups

show user group-mapping state all

Check group membership for a certain LDAP group

show user group name mydomain\myGroup