I have an ACE module running virtual contexts. I have configured the ACE contexts to authenticate against a RADIUS server (Windows IAS).
When I log in, I am always given the role of 'network-monitoring'. I would like to configure the RADIUS server so it authenticates users as 'Admin'.
Attached is a screenprint of the RADIUS clients set up on IAS (client names and IP addresses removed). The question here is if they should be configured as 'RADIUS Standard' or 'Cisco' in the 'Client-Vendor' field.
Also attached is a screenshot of the IAS 'Remote Access Policy' that I have set up for the network devices (these include the ACE contexts as well as Switches and FWSM contexts). The question here is whether I need both the 'Vendor-Specific' and 'Cisco-AV-Pair' attributes. Also, how do I need to configure these attributes so they will authenticate the Switches, Routers and FWSM contexts (allowing enable level 15) and authenticate the ACE contexts (allowing the 'Admin' role)?
I have also attached the RADIUS config lines that have been configured on the ACE contexts (IP address of server removed).
I would appreciate any input.
The magic line is:
aaa authentication enable default group radius-grp enable
If you find a way to transport the "enable flag" via RADIUS you could do that. We decided that an authenticated user should go directly into enable mode.
Therefore you should/could configure the following:
aaa authentication login default group radius-grp local <- stays the same
aaa authentication enable default none <- changed from your configuration
That results in not being asked for the enable password.
With TACACS+ you could configure something like you did as the ACS is able to pass the "enable flag".
For RADIUS, as I mentioned, you could probably also send a "shell:" command, but I haven't had any pressure to investigate that so far.
If your problem is solved just flag the Thread as solved and Rate if possible.
Hope it helps.
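As an added example (not code from the original thread), the Python below shows how a Cisco-AV-Pair string is carried inside the RFC 2865 Vendor-Specific attribute (type 26, Cisco vendor ID 9, vendor type 1), which is why the 'Vendor-Specific' and 'Cisco-AV-Pair' entries in the IAS policy are one nested structure rather than two independent attributes, and how a receiver can parse the "shell:" strings back out. The two AV-pair values are assumed conventional Cisco formats for an IOS privilege level and an ACE role; verify them against your platform's documentation before relying on them.

```python
import struct

RADIUS_ATTR_VENDOR_SPECIFIC = 26   # RFC 2865 Vendor-Specific attribute type
CISCO_VENDOR_ID = 9                # IANA enterprise number for Cisco
CISCO_AVPAIR_VENDOR_TYPE = 1       # cisco-avpair sub-attribute inside the Cisco VSA


def encode_cisco_avpair(avpair: str) -> bytes:
    """Wrap one Cisco-AV-Pair string in an RFC 2865 Vendor-Specific attribute."""
    value = avpair.encode("ascii")
    # Vendor sub-attribute: vendor-type, vendor-length (includes its own 2 header bytes), string
    vendor_data = struct.pack("!BB", CISCO_AVPAIR_VENDOR_TYPE, len(value) + 2) + value
    # Outer attribute body: 4-byte vendor ID followed by the sub-attribute
    body = struct.pack("!I", CISCO_VENDOR_ID) + vendor_data
    return struct.pack("!BB", RADIUS_ATTR_VENDOR_SPECIFIC, len(body) + 2) + body


def decode_cisco_avpairs(attrs: bytes) -> list:
    """Walk a RADIUS attribute list and return every Cisco-AV-Pair string found."""
    pairs = []
    i = 0
    while i + 2 <= len(attrs):
        attr_type, attr_len = attrs[i], attrs[i + 1]
        if attr_len < 2 or i + attr_len > len(attrs):
            raise ValueError("malformed RADIUS attribute length")
        # Only descend into VSAs that are long enough to hold a vendor ID and one sub-attribute
        if attr_type == RADIUS_ATTR_VENDOR_SPECIFIC and attr_len >= 8:
            vendor_id = struct.unpack("!I", attrs[i + 2:i + 6])[0]
            if vendor_id == CISCO_VENDOR_ID:
                j, end = i + 6, i + attr_len
                while j + 2 <= end:
                    vtype, vlen = attrs[j], attrs[j + 1]
                    if vlen < 2 or j + vlen > end:
                        raise ValueError("malformed Cisco vendor sub-attribute")
                    if vtype == CISCO_AVPAIR_VENDOR_TYPE:
                        pairs.append(attrs[j + 2:j + vlen].decode("ascii"))
                    j += vlen
        i += attr_len
    return pairs


# Constructed sample values (assumed conventional Cisco formats; check platform docs)
IOS_ENABLE_15 = "shell:priv-lvl=15"                 # IOS/FWSM: land in privilege level 15
ACE_ADMIN_ROLE = "shell:Admin*Admin default-domain"  # ACE: role Admin, domain default-domain


def build_sample_accept_attributes() -> bytes:
    """Attribute list an Access-Accept could carry for both device families."""
    return encode_cisco_avpair(IOS_ENABLE_15) + encode_cisco_avpair(ACE_ADMIN_ROLE)
```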