Support Center > Search Results > SecureKnowledge Details
RBA roles for RADIUS authentication with Cisco ACS are not enforced correctly on Gaia OS
Symptoms
  • Users authenticated on Gaia OS through external RADIUS server on Cisco ACS do not have the correct access permissions as were assigned to their RBA role (users are able to access more than their RBA role allows).

  • /var/log/messages file and /var/log/secure file on Gaia OS show:

    1. The correct RBA role is being granted to the users authenticating via RADIUS
    2. The "radius-group-any" RBA role is being granter in addition to the correct RBA role
Cause

There is a special RADIUS role called "radius-group-any", which is assigned automatically by default to every user that successfully authenticates to Gaia OS via RADIUS.
If this role "radius-group-any" is present in the list of roles configured in Gaia OS, then the features included in this role will be assigned to every user authenticated through RADIUS as well, which might conflict with the original intended role for the user.


Solution

Follow these steps:

  • Check the /var/log/secure file on Gaia OS.

    This file shows the roles that were assigned to the user on his last login attempt.
    Depending on the Cisco ACS configuration, more than one role can be assigned to users.
    The original intended role should be assigned, and in addition we would see the role "radius-group-any" assigned as well, even though the RADIUS server on Cisco ACS does not have this role configured for the user attempting to log in to Gaia OS.
  • Check if the role "radius-group-any" is listed in Gaia OS.

    • In Gaia Portal:

      Go to "User Management" section - click on "Roles"
    • In Gaia Clish:

      run either:
      show rba roles
      or:
      show rba role radius-group-any

    Check the features and extended commands that the role "radius-group-any" includes.
    These features and commands will be assigned to every user authenticated through RADIUS.

  • The role "radius-group-any" can be modified to include the required features and commands, or it can be deleted from Gaia OS, if it is not being used elsewhere.

After deleting the role "radius-group-any", the /var/log/secure file would still show that users logging into Gaia OS through external RADIUS are assigned this role "radius-group-any", but they will not get any features or commands from this role, and the original role that was created for user authentication with the intended features will be enforced.

 

Related solutions:

This solution has been verified for the specific scenario, described by the combination of Product, Version and Symptoms. It may not work in other scenarios.

Give us Feedback
Please rate this document
[1=Worst,5=Best]
Comment