05-19-2010 12:47 AM - edited 03-06-2019 11:09 AM
Hello,
I have managed to set up our routers so they use my Active Directory user account to log on. I followed these instructions:
http://www.blindhog.net/cisco-aaa-login-authentication-with-radius-ms-ias/
These instructions give me privilege 15. Does anyone know how I can give, say, privilege 4 to another user?
Thanks
05-19-2010 01:19 AM
Hi,
Check out the link below for IAS RADIUS configuration:
http://www.tech-recipes.com/rx/1478/how-to-setup-ias-to-use-radius-to-authenticate-cisco-device/
Hope to Help !!
Ganesh.H
Remember to rate the helpful post
05-19-2010 03:37 AM
Thanks, I have followed that, and although I can log on, it seems that I get Priv 15 for both. Do I have to do anything on the routers to divide priv 1? I logged in using the priv 1 account and I could rename the router and write to the startup config. I don't think a priv 1 user could do that?
Thanks
05-19-2010 09:07 AM
Try changing shell:priv-lvl=15 to shell:priv-lvl=1 and then check whether you are able to log in to your router with privilege 1 access or not !!
Hope to help !!
Ganesh.H
Remember to rate the helpful post
05-19-2010 09:14 AM
While you're logged in, do a "show priv". It will show you what your current privilege level is.
I don't know about IAS, but I use Steel Belted, and I can set up individual user accounts to be passed a certain privilege level. For example, if I have two users:
Bob: Priv 2
Mary: Priv 3
Supervisor: Priv 15
In their account on the RADIUS server, I would set them up as individual accounts (or link them in AD), and then set their return attribute to shell:priv-lvl=2, 3, or 15 respectively for the user. Then when they log into the router, they'd be at that level.
You do have to set up your privilege levels on the router though. If you don't want "show run" to run at say privilege 3, then move "show run" to privilege 4. It's a beating, but it'll be worth it in the end.
HTH,
John
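Added example, not part of any post in this thread: a router-side IOS configuration that lets the `shell:priv-lvl` value returned by the RADIUS server take effect and moves one command to a custom level. It assumes the RADIUS server is already defined and login authentication works as in the linked guides; the `default` method lists and the choice of level 4 are assumptions.

```cisco
! Constructed example configuration, not taken from the thread.
aaa new-model
aaa authentication login default group radius local
!
! Exec authorization is what makes the router apply the
! shell:priv-lvl=<n> value sent back in the Cisco-AVPair attribute.
! Without it, sessions start at the privilege level set on the line.
aaa authorization exec default group radius local
!
! Move "show running-config" so it is usable from level 4 upward.
! At levels below 15 its output is limited to the configuration
! that the user's level is allowed to change.
privilege exec level 4 show running-config
!
line vty 0 4
 ! Keep the line default at 1 so a session that receives no
 ! priv-lvl attribute does not start with full access.
 privilege level 1
```

After logging in with each account, `show privilege` confirms the level the session actually received.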