mhoda Tue, 07/01/2003 - 09:42
User Badges:
  • Silver, 250 points or more

Hello,


Yes, that's possible. You just need to create the user profile on the RADIUS server and then point all 6 routers to this same server. Here is the most basic form of config on the router -


aaa new-model
aaa authentication login default group radius local
radius-server host 10.1.1.1 key cisco
username cisco password cisco

The last line (the local username) is needed as a back door, just in case the RADIUS server is down.


Regards,


Mynul

sagittarius Wed, 07/02/2003 - 08:06
User Badges:

Hi


I was able to successfully log in to the router, but how can I configure it to log in directly to the enable prompt?


Can I configure privileges on RADIUS without ACS?


ywadhavk Wed, 07/02/2003 - 08:40
User Badges:
  • Cisco Employee,

Hi Saggi,


Didn't really understand your part of the question "RADIUS without ACS". Do you mean local configuration?


Here's some more info with config example.


aaa new-model

aaa authentication login default [group] local

aaa authorization exec default [group] local


Make sure to create the local user database as follows:


username abc privilege 0 password abc

username xyz privilege 1 password xyz

username special privilege 5 password special

username superuser privilege 15 password super


With the above setup, user abc can execute only disable, enable, exit, help, and logout commands.


User xyz can execute all the level 0 and level 1 commands.

User superuser can execute all the commands on the router.


On the router these are the 3 default privilege levels:


- privilege level 0 — includes the disable, enable, exit, help, and logout commands
- privilege level 1 — normal level on Telnet; includes all user-level commands at the router> prompt
- privilege level 15 — includes all enable-level commands at the router# prompt


Now based on your requirement, you can create a priv level between 2-14 and assign any priv level 15 commands to it (level 0 and 1 would be inherited by default). Here is an example:




With this, user six is only able to execute all the level 0 & 1 commands. If the user needs to execute "config t" on the router, he has to add the following lines to add these level 15 commands to level 6.


privilege exec level 5 configure terminal

privilege exec level 5 gatekeeper

privilege exec level 5 write memory


thanks,

yatin
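As an added example (not from the thread or from Cisco), this Python script models the privilege inheritance yatin describes: it parses constructed username and "privilege exec level" lines like the ones posted above and reports which commands each local user can run. The level-1 and level-15 command lists are assumptions, a few representative entries standing in for the full IOS command set.

```python
import re

# Default IOS privilege levels as the thread describes them: 0 is the fixed set
# below, 1 is user EXEC, 15 is privileged EXEC. The level-1 and level-15 members
# are constructed, representative examples, not the full IOS command set.
DEFAULT_COMMANDS = {
    0: {"disable", "enable", "exit", "help", "logout"},
    1: {"show version", "ping"},
    15: {"configure terminal", "write memory", "gatekeeper", "show running-config"},
}
USERNAME_RE = re.compile(r"^username (\S+)(?: privilege (\d+))? (?:password|secret|pass) ")
PRIVILEGE_RE = re.compile(r"^privilege exec level (\d+) (.+)$")

def parse_config(config):
    """Return ({user: level}, {command: new level}) from username/privilege lines."""
    users, reassigned = {}, {}
    for line in (l.strip() for l in config.splitlines()):
        if m := USERNAME_RE.match(line):
            users[m.group(1)] = int(m.group(2) or 1)  # IOS default is privilege 1
        elif m := PRIVILEGE_RE.match(line):
            reassigned[m.group(2).strip()] = int(m.group(1))
    return users, reassigned

def effective_commands(level, reassigned):
    """Commands a user at `level` can run: each level inherits all lower levels,
    and a 'privilege exec level N cmd' line moves cmd from level 15 down to N."""
    return {cmd for default_level, cmds in DEFAULT_COMMANDS.items() for cmd in cmds
            if reassigned.get(cmd, default_level) <= level}

def report(config):
    """Map each configured user to the sorted list of commands they may run."""
    users, reassigned = parse_config(config)
    return {user: sorted(effective_commands(lvl, reassigned)) for user, lvl in users.items()}

# Constructed sample combining the lines posted in the thread.
SAMPLE_CONFIG = """\
username abc privilege 0 password abc
username xyz privilege 1 password xyz
username special privilege 5 password special
username superuser privilege 15 password super
username cisco password cisco
privilege exec level 5 configure terminal
privilege exec level 5 gatekeeper
privilege exec level 5 write memory
"""

if __name__ == "__main__":
    for user, cmds in report(SAMPLE_CONFIG).items():
        print(f"{user:10} level commands: {', '.join(cmds)}")
```

Note that the "cisco" back-door user from the first reply lands at level 1 because no privilege keyword was given, so the local fallback account gets only user-EXEC access unless it is explicitly raised.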

mhoda Wed, 07/02/2003 - 09:01
User Badges:
  • Silver, 250 points or more

Hi,


Yes, it is possible. All you need is the following line on the router -


aaa authorization exec default group radius


In IAS, you need to make sure that you assign a priv-lvl from 2 to 15 in your IAS server. That will take you to the privilege mode directly.


Regards,



Mynul
