Microsoft IAS 2003 login authentication issues

Answered Question
Sep 14th, 2008
User Badges:

I have searched and searched for an answer to this, but noghting seems to be working. I have IAS authenticating users for login authentication on a 1230ag AP and a 2950 switch using Active Directory for the user database. I have it working just fine except for the fact that I can't get the device and IAS to send the user directly to enable mode even after adding the "shell:priv-lvl=15" vendor attribute to the access policy. Will someone post the steps that have worked for them that allows AAA login authentication with local users database for a backup? Any help would be much appreciated. I should add that it only allows me level 1 access on the console, telnet, and web interface (on the AP) and I did a debug on the AAA process and though I didn't copy it to a txt file it looked as though the "shell:priv-lvl=15" was reaching the AP and the switch. Thanks.

Correct Answer by Premdeep Banga about 8 years 6 months ago

aaa authentication login CON local


line con 0

login authentication CON

privilege level 15


Regards,

Prem


Please rate if it helps!

Correct Answer by Premdeep Banga about 8 years 6 months ago

ip http server

ip http authentication aaa


Should take care of it.

Correct Answer by Premdeep Banga about 8 years 6 months ago

I get it, you have "Permanent" list applied on the device.


Add following command. If you make some changes in your configuration. I request you to also provide the configuration changes.


add the commands,

username privilege 15 password


radius-server host key

aaa authentication login default group radius local

aaa authorization exec default group radius local


line vty 0 4 or line vty 0 15

login authentication default

authorization exec default


Regards,

Prem


Please rate if it helps!

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 5 (3 ratings)
Loading.
Premdeep Banga Mon, 09/15/2008 - 15:08
User Badges:
  • Gold, 750 points or more

Make sure you have following commands on switch/AP


username privilege 15 password


radius-server host key


aaa authentication login default group radius local

aaa authorization exec default group radius local


On you IAS server,


Choose the Service Type as Administrative. (Under Advanced Tab for a Radius Access Policy)


Regards,

Prem


Please rate if it helps!

sloov187 Mon, 09/15/2008 - 17:23
User Badges:

So instead of using the Service Type of Login I need to use the Service Type of Administrative? Do I still need to have the Cisco VA of "shell:priv-lvl=15" in the access policy? Also do I leave all of the RADIUS types in IAS set to Cisco or Radius Standard?


Thanks

Premdeep Banga Tue, 09/16/2008 - 03:46
User Badges:
  • Gold, 750 points or more

Have you tried this yet ?


You need Service type administrative. You can use cisco av pair to later on pass the custom/required privilege level, else it will automatically get privilege level 15.


Regards,

Prem


Please rate if it helps!

sloov187 Wed, 09/17/2008 - 13:54
User Badges:

After following your directions the following attached documents on the AAA debug and the telnet screen are what I get. Basically it looks like by using this method my request doesn't even reach the IAS sever even though I know I have the IP and the shared secret in properly.



Attachment: 
Premdeep Banga Wed, 09/17/2008 - 15:01
User Badges:
  • Gold, 750 points or more

"debug aaa authentication" wont help.


You need to get "debug radius"


Regards,

Prem

Premdeep Banga Wed, 09/17/2008 - 15:01
User Badges:
  • Gold, 750 points or more

Also as you are using authorization.


debug aaa authentication

debug aaa authorization

debug radius


Regards,

Prem

sloov187 Wed, 09/17/2008 - 19:03
User Badges:

Yes I did run a debug on all three and that was the output.

Correct Answer
Premdeep Banga Thu, 09/18/2008 - 03:23
User Badges:
  • Gold, 750 points or more

I get it, you have "Permanent" list applied on the device.


Add following command. If you make some changes in your configuration. I request you to also provide the configuration changes.


add the commands,

username privilege 15 password


radius-server host key

aaa authentication login default group radius local

aaa authorization exec default group radius local


line vty 0 4 or line vty 0 15

login authentication default

authorization exec default


Regards,

Prem


Please rate if it helps!

sloov187 Fri, 09/19/2008 - 10:14
User Badges:

Thanks Prem! That works perfectly. When I was trying it before I forgot to put the "authorization exec default" command in. Three more questions for you:


1. Using this method does it default back to the local list if the RADIUS server is unavailable?


2. How do I apply these same rules to the HTTP web interface?


3. What commands do I use if I want to set up a user group that I want to give a privilege level of something other than 15 to?


Thanks again!


Premdeep Banga Fri, 09/19/2008 - 10:27
User Badges:
  • Gold, 750 points or more

1. Using this method does it default back to the local list if the RADIUS server is unavailable?

Answer: Yes, using the local username/password configured on the device.


2. How do I apply these same rules to the HTTP web interface?

Answer :


ip http server

ip http authentication aaa


3. What commands do I use if I want to set up a user group that I want to give a privilege level of something other than 15 to?

Answer :


[Edit]Using cisco-av-pair i.e. shell:priv-lvl=n;


Where , n is the privilege level.

Regards,

Prem


Please rate if it helps!

sloov187 Fri, 09/19/2008 - 10:54
User Badges:

Do I leave the service type as Administrative for the different privilege levels or do I change it back to Login?

sloov187 Fri, 09/19/2008 - 10:57
User Badges:

Thanks for your help it has been much appreciated. I'll rate this post.

sloov187 Fri, 09/19/2008 - 15:13
User Badges:

Oops one more thing. How do I set it up to authenticate users in SDM?

Correct Answer
Premdeep Banga Fri, 09/19/2008 - 15:14
User Badges:
  • Gold, 750 points or more

ip http server

ip http authentication aaa


Should take care of it.

sloov187 Mon, 09/22/2008 - 12:22
User Badges:

Another question for you Prem. I'd like to keep the Console port to use local username and password. If I already have the console setup to use AAA, how do I get it to go back to strictly using the local list?


Thanks

Correct Answer
Premdeep Banga Mon, 09/22/2008 - 12:23
User Badges:
  • Gold, 750 points or more

aaa authentication login CON local


line con 0

login authentication CON

privilege level 15


Regards,

Prem


Please rate if it helps!

sloov187 Sat, 10/04/2008 - 10:50
User Badges:

Prem,


The switches and access points are all working great, but now I am having issues with SDM on my routers. SDM works fine using RADIUS as long as I leave the console port set to authenticate through AAA, but as soon as I set it to use the local login CON profile I can still get in through the vty and console interfaces using RADIUS or local credentials, but SDM will not accept the local username and password or the AD credentials through RADIUS. My question is, what do the console port settings have to do with the ip http server settings? Why will SDM only authenticate when I have the console port set AAA?


Thanks

Actions

This Discussion