I've got AAA RADIUS authentication set up with IAS in a lab, but I haven't been able to nail down the priv levels. I've got 2 remote access policies matching windows-groups & client-ip of the router in question. In both policies, I have service-type with value login and vendor-specific Cisco with value of shell:priv-lvl=7 for the 1st and shell:priv-lvl=15 for the 2nd. The policies are ordered that way (7 for the 1st, and 15 for the 2nd). I authenticate fine for test users in the group assigned to the 1st as well as the 2nd. However, I end up in exec mode. When I enter privileged mode for both, a sh priv tells me that I'm in priv 15.
How do I go about restricting access?