MS IAS (radius) and authentication login

Feb 19th, 2007


I configure my Cisco devices by

aaa new-model

aaa authentication login group radiussrv local

config radiussrv group all is OK

But all users authenticated by RADIUS have access to the shell. But I need to give Cisco shell access only to one group in AD... other groups are used for EasyVPN xauth.

How to separate them?

kaachary Mon, 02/19/2007 - 03:18


The required setting needs to be done on IAS.

On IOS, there's nothing much you can do.



kir_mischenko Mon, 02/19/2007 - 03:31

Well, I know this.

Can you help with it?

I have a strange situation - 2 IAS policies, one for the admin group in AD, the other for VPN users in AD... but the result is only authenticate or not... VPN users have access to the shell...

daviddtran Mon, 02/19/2007 - 03:41

I am not sure if RADIUS can do this, but I am not an expert with RADIUS.

This can be done with freeware TACACS very easily through authorization. I've done it many times myself.


CCIE Security

