Just learning AAA and I'm struggling with one thing. I've got a RADIUS server set up and switches/routers authenticate to it. Everything's working fine.
As a safety measure I've got a local account set up as well, just in case both RADIUS servers are down.
I was able to configure them to log on users directly to privileged mode, which is quite convenient. However, when I log on using the local account I'm in privileged mode as well.
Is there a way to configure a switch/router to log on users who authenticated through the RADIUS server directly to enable mode, but if a user logs on using a local account they will be in exec mode and will have to enter a password to access privileged mode?
Here's my configuration:
aaa authentication login default group radius local
aaa authentication enable default group radius enable
aaa authorization exec default group radius local
enable secret 5 <...>
username testlocal privilege 15 password 7 <...>
ip radius source-interface Vlan150
radius-server host 192.168.10.2 auth-port 1812 acct-port 1813 key 7 <...>
radius-server host 192.168.17.2 auth-port 1812 acct-port 1813 key 7 <...>
radius-server retransmit 3