Privilege levels and radius

Unanswered Question
Dec 5th, 2008

I have configured RADIUS authentication and have 2 types of users: 15 (all access) and 2 (limited access).

The problem I am experiencing is controlling enable mode access.

If the RADIUS server stops, then the default username Test1 is used, and although I have configured it for level 15, it is always level 1 when you show privilege. From there you can go to enable mode, which is what I want. (Is that best practice?)

When the RADIUS server is up, Test2 can log in and gets privilege level 2 with limited commands, except that you can access enable mode. I tried 'privilege exec level 10 enable', but then Test1 cannot get enable mode.

I tried 'aaa authentication enable default group radius enable', and it goes to the RADIUS server to get authentication for the enable password, but I want to stop Test2 from being able to use the enable command and getting a password request.

Any clues how to do this?

enable secret 5 xxxxxxxx
!
username Test privilege 15 password 7 xxxxxx
aaa new-model
!
!
aaa authentication login radius-login group radius local
aaa authentication enable default group radius enable
aaa authorization console
aaa authorization exec default group radius if-authenticated
aaa authorization network default group radius
aaa accounting exec default start-stop group radius-login
aaa accounting network default start-stop group radius-login
aaa accounting system default start-stop group radius-login
radius-server host x.x.x.x auth-port 1812 acct-port 1813
radius-server key 7 yyyyyyyyyy
privilege exec level 2 traceroute
privilege exec level 2 ping
privilege exec level 2 clear counters
privilege exec level 2 show interfaces
privilege exec level 1 show privilege

mchin345 Thu, 12/11/2008 - 10:03

The linked document describes how to configure the privilege level for certain commands, and provides an example with parts of sample configurations for a router and TACACS+ and RADIUS servers.

By default, there are three privilege levels on the router.

- Privilege level 1 = non-privileged (prompt is router>), the default level for logging in

- Privilege level 15 = privileged (prompt is router#), the level after going into enable mode

- Privilege level 0 = seldom used, but includes 5 commands: disable, enable, exit, help, and logout

Levels 2-14 are not used in a default configuration, but commands that are normally at level 15 can be moved down to one of those levels and commands that are normally at level 1 can be moved up to one of those levels. Obviously, this security model involves some administration on the router.

For further information, click this link.

http://www.cisco.com/en/US/tech/tk59/technologies_tech_note09186a008009465c.shtml
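The following is an added example, written for this page and not taken from the thread or from Cisco's own code. It models the two mechanisms the question and the reply touch on: how the router learns a user's privilege level from the RADIUS Access-Accept (Cisco carries it as the cisco-avpair Vendor-Specific attribute 'shell:priv-lvl=N', vendor ID 9, vendor type 1, per RFC 2865 framing), and how a 'privilege exec level N <command>' table then decides whether a user at a given level may run a command (longest configured prefix wins; unlisted commands are treated here as level 15). The RADIUS packet, the shared secret, the default command levels and the copy of the question's 'privilege exec' lines are all constructed for the example; the small DEFAULT_LEVELS table is an assumption that covers only the commands mentioned on this page, not the whole IOS parser.

```python
"""Added example (not part of the original post): model of how a Cisco IOS
router derives a user's privilege level from a RADIUS Access-Accept and then
authorizes exec commands against its 'privilege exec level' table.

Assumptions: RFC 2865 framing; Cisco priv-lvl carried as the cisco-avpair VSA
(vendor 9, type 1) 'shell:priv-lvl=N'; DEFAULT_LEVELS is a constructed subset
of IOS default command levels, not the full parser."""
import hashlib
import hmac
import struct

CISCO_VENDOR_ID = 9        # IANA enterprise number for Cisco Systems
CISCO_AVPAIR = 1           # vendor-type of the cisco-avpair attribute
ATTR_VENDOR_SPECIFIC = 26  # RFC 2865 Vendor-Specific attribute
CODE_ACCESS_ACCEPT = 2
HEADER_LEN = 20            # code(1) + id(1) + length(2) + authenticator(16)


def cisco_avpair(value: str) -> bytes:
    """Encode one cisco-avpair string as a Vendor-Specific attribute."""
    data = value.encode()
    vsa = struct.pack("!BB", CISCO_AVPAIR, 2 + len(data)) + data
    body = struct.pack("!I", CISCO_VENDOR_ID) + vsa
    return struct.pack("!BB", ATTR_VENDOR_SPECIFIC, 2 + len(body)) + body


def build_access_accept(ident: int, request_auth: bytes, secret: bytes, attrs: list) -> bytes:
    """Access-Accept whose Response Authenticator is
    MD5(Code + ID + Length + RequestAuth + Attributes + Secret), per RFC 2865."""
    payload = b"".join(attrs)
    head = struct.pack("!BBH", CODE_ACCESS_ACCEPT, ident, HEADER_LEN + len(payload))
    resp_auth = hashlib.md5(head + request_auth + payload + secret).digest()
    return head + resp_auth + payload


def verify_access_accept(packet: bytes, request_auth: bytes, secret: bytes) -> bool:
    """The check a NAS performs before trusting any attribute in the reply."""
    if len(packet) < HEADER_LEN:
        return False
    head, resp_auth, payload = packet[:4], packet[4:HEADER_LEN], packet[HEADER_LEN:]
    if struct.unpack("!H", head[2:4])[0] != len(packet):
        return False
    expected = hashlib.md5(head + request_auth + payload + secret).digest()
    return hmac.compare_digest(expected, resp_auth)


def _tlvs(buf: bytes):
    """Iterate (type, value) over RFC 2865 type-length-value attributes."""
    pos = 0
    while pos < len(buf):
        if pos + 2 > len(buf):
            raise ValueError("truncated attribute header")
        t, length = buf[pos], buf[pos + 1]
        if length < 2 or pos + length > len(buf):
            raise ValueError("malformed attribute length")
        yield t, buf[pos + 2:pos + length]
        pos += length


def priv_lvl_from_accept(packet: bytes, default: int = 1) -> int:
    """Return the shell:priv-lvl carried in a cisco-avpair VSA. A reply with
    no such pair leaves the exec session at the default level (1)."""
    for t, v in _tlvs(packet[HEADER_LEN:]):
        if t != ATTR_VENDOR_SPECIFIC or len(v) < 4:
            continue
        if struct.unpack("!I", v[:4])[0] != CISCO_VENDOR_ID:
            continue
        for vt, vv in _tlvs(v[4:]):
            if vt != CISCO_AVPAIR:
                continue
            text = vv.decode("ascii", "replace")
            # Cisco writes mandatory pairs as 'shell:priv-lvl=N', optional as 'shell:priv-lvl*N'
            for sep in ("=", "*"):
                if text.startswith("shell:priv-lvl" + sep):
                    lvl = int(text[len("shell:priv-lvl") + 1:])
                    if 0 <= lvl <= 15:
                        return lvl
    return default


# Constructed subset of IOS default levels: the reply's five level-0 commands,
# plus 'show', 'ping' and 'traceroute' at level 1. Anything else is level 15.
DEFAULT_LEVELS = {"disable": 0, "enable": 0, "exit": 0, "help": 0, "logout": 0,
                  "show": 1, "ping": 1, "traceroute": 1}

# Constructed copy of the 'privilege exec' lines from the question.
POSTED_CONFIG = """\
privilege exec level 2 traceroute
privilege exec level 2 ping
privilege exec level 2 clear counters
privilege exec level 2 show interfaces
privilege exec level 1 show privilege
"""


def parse_privilege_table(config: str) -> dict:
    """Overlay 'privilege exec level N <command...>' lines on the defaults."""
    table = dict(DEFAULT_LEVELS)
    for line in config.splitlines():
        parts = line.split()
        if len(parts) >= 5 and parts[:3] == ["privilege", "exec", "level"]:
            table[" ".join(parts[4:])] = int(parts[3])
    return table


def command_level(table: dict, command: str) -> int:
    """Level a command needs: that of its longest configured prefix, else 15."""
    words = command.split()
    for n in range(len(words), 0, -1):
        prefix = " ".join(words[:n])
        if prefix in table:
            return table[prefix]
    return 15


def authorized(table: dict, user_level: int, command: str) -> bool:
    return user_level >= command_level(table, command)


if __name__ == "__main__":
    secret, req_auth = b"s3cr3t", bytes(range(16))   # constructed, not real values
    reply = build_access_accept(7, req_auth, secret, [cisco_avpair("shell:priv-lvl=2")])
    level = priv_lvl_from_accept(reply) if verify_access_accept(reply, req_auth, secret) else 1
    table = parse_privilege_table(POSTED_CONFIG)
    for cmd in ("ping 10.0.0.1", "show interfaces", "enable", "configure terminal"):
        print(f"level {level}: {cmd!r:25} -> {'allowed' if authorized(table, level, cmd) else 'denied'}")
```

Two things the model makes visible. First, 'enable' sits at level 0, so any exec level, including the limited level 2, reaches it; moving it up with 'privilege exec level 10 enable' blocks level 2 and level 1 alike, which is the effect the question describes for Test1. Second, a reply that carries no priv-lvl leaves the session at level 1, and a reply whose Response Authenticator does not verify against the shared secret is not trusted at all, which is why the secret on 'radius-server key' matters as much as the user passwords.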
