IAS/AAA Radius - priv levels

Unanswered Question
Feb 9th, 2009

I've got AAA radius authentication set up with IAS in lab, but I haven't been able to nail down the priv levels. I've got 2 remote access policies matching windows-groups & client-ip of the router in question. In both policies, I have service-type with value login and vendor-specific Cisco with value of shell:priv-lvl=7 for the 1st and shell:priv-lvl=15 for the 2nd. The policies are ordered that way (7 for the 1st, and 15 for the 2nd). I authenticate fine for test users in the group assigned to the 1st as well as the 2nd. However, I end up in exec mode. When I enter privileged mode for both, a sh priv tells me that I'm in priv 15.

How do I go about restricting access?

thanks,

Will

will.alvord Tue, 02/10/2009 - 08:35

Basically, I want to be able to have 2 users - 1 with priv 7 and 1 with priv 15.

In IOS, I could do that with the following:

username user7 privilege 7 secret cisco7

username user15 privilege 15 secret cisco15

I've got basic IAS Radius authentication working but no matter what privilege level I specify in the 'shell:priv-lvl=x' vendor specific attribute, that user elevates to priv 15 when entering enable.

Any ideas?

thanks,

Will

hunnetvl01 Sat, 02/14/2009 - 06:28

Hi,

I have an IAS server but I can't get it to work with the 4506, actually it does not work with any device.

The strange fact is that it seems to be working fine as my AD gets locked out after the 3rd failed attempt.

Can I have a short look at your policies configuration?

Thanks,

Vlad

will.alvord Tue, 02/17/2009 - 07:17

Sure thing. I haven't finalized the CatOS or PIX/ASA configs for this yet, but maybe you can help me out with that.

I have a need to limit access on a per device, per person basis, so I have 1 policy per access level and per device.

So, for priv 7 access to a router I have the following policy:

* policy conditions: windows group AND client-IP-Address matches [IP]

* Grant remote access

* Authentication tab - only unencrypted (pap, spap)

* Advanced tab - service-type = nas prompt, vendor-specific = shell:priv-lvl=7, reply-message for testing but may remove it.

Please note that the service-type attribute doesn't appear to matter. I've changed it as some writeups say to use login, while others say to use nas prompt. Either works, but I haven't tried removing it altogether. Also, the shell:priv-lvl=x string can be either a vendor-specific attribute or a Cisco-AV-Pair.

For the radius clients, I've tried both 'RADIUS Standard' as well as 'Cisco' and they both work fine.

If that doesn't fix it for you, try the aaa and radius debugs and check the IAS logs.

Hope that helps, and when you get it working could you please post your ASA AAA configs?

thanks,

Will
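
The attributes named in the policy above (Service-Type plus a shell:priv-lvl=x string carried as a Cisco vendor-specific attribute), shown as an added example that is not part of the original thread: a small parser for a RADIUS Access-Accept, useful for checking what the server actually returned against the radius debugs. The function names are hypothetical, the sample packet is constructed with a zeroed authenticator, and the code assumes Cisco's vendor ID 9 with Cisco-AVPair as vendor sub-type 1.

```python
import struct

CISCO_VENDOR_ID = 9   # Cisco's IANA enterprise number
CISCO_AVPAIR = 1      # vendor sub-type that carries "shell:priv-lvl=x"
SERVICE_TYPES = {1: "Login", 6: "Administrative", 7: "NAS-Prompt"}

def attr(atype, value):
    return struct.pack("!BB", atype, len(value) + 2) + value

def cisco_avpair(text):
    sub = struct.pack("!BB", CISCO_AVPAIR, len(text) + 2) + text.encode()
    return attr(26, struct.pack("!I", CISCO_VENDOR_ID) + sub)

def build_access_accept(ident, service_type, avpair, reply=""):
    """Constructed sample reply; the authenticator is zeroed, not computed."""
    attrs = attr(6, struct.pack("!I", service_type)) + cisco_avpair(avpair)
    if reply:
        attrs += attr(18, reply.encode())  # Reply-Message
    return struct.pack("!BBH16s", 2, ident, 20 + len(attrs), b"\0" * 16) + attrs

def parse_reply(packet):
    """Return the service type, Cisco AV pairs and priv level in a reply."""
    if len(packet) < 20:
        raise ValueError("packet shorter than the RADIUS header")
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length > len(packet):
        raise ValueError("bad RADIUS length field")
    out = {"code": code, "service_type": None, "avpairs": [], "priv_lvl": None}
    pos = 20
    while pos < length:
        atype = packet[pos]
        alen = packet[pos + 1] if pos + 1 < length else 0
        if alen < 2 or pos + alen > length:
            raise ValueError("malformed attribute at offset %d" % pos)
        value = packet[pos + 2:pos + alen]
        if atype == 6 and len(value) == 4:          # Service-Type
            num = struct.unpack("!I", value)[0]
            out["service_type"] = SERVICE_TYPES.get(num, str(num))
        elif atype == 26 and len(value) >= 6:       # Vendor-Specific
            vendor, vtype, vlen = struct.unpack("!IBB", value[:6])
            if vendor == CISCO_VENDOR_ID and vtype == CISCO_AVPAIR:
                pair = value[6:4 + vlen].decode("ascii", "replace")
                out["avpairs"].append(pair)
                if pair.startswith("shell:priv-lvl="):
                    out["priv_lvl"] = int(pair.split("=", 1)[1])
        pos += alen
    return out
```
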
