Assigning privilege level using Radius

sweeann
Level 1

I'm trying to assign a privilege level on a Cisco router via Radius. I'm using the Cisco Secure ACS (Windows 2K).

I have set the privilege level to 15. But when I telnet to the router, I always get the router> prompt instead of the router# prompt.

How can I configure the Radius/router so that when I get successfully authenticated, the router# prompt is shown?

I've configured the router as below:

aaa authentication login vtymethod group radius enable
aaa authorization exec vtymethod group radius local
radius-server host 202.x.x.195 auth-port 1645 acct-port 1646 key cisco
line vty 0 4
 authorization exec vtymethod
 login authentication vtymethod
!

On the Radius, I've configured as below:

In the group settings for IETF Radius attributes, the Service-Type is set to Nas Prompt.

Also in the group settings, I've checked the Cisco-av-pair with the following configured: shell:priv-lvl=15.

Is there something I'm missing?

Appreciate the help.

Thanks.

sweeann

4 Replies

dmholmes000
Level 1

I believe adding the following line to your AAA configuration will allow a user authenticated through ACS to log in directly to enabled mode:

aaa authorization exec vtymethod group radius if-authenticated

Hope this helps,

-d

Tried the suggestion above but I'm still getting the router> prompt instead of going directly to enable mode.

Thanks,

sweeann

Just an update:

I had configured the network configuration in the ACS wrongly. I had chosen Radius (IETF) instead of Radius (Cisco IOS/PIX). Once I changed it to Radius (Cisco IOS/PIX) I was able to assign the privilege level.

Thanks all,

sweeann
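What the "Radius (Cisco IOS/PIX)" setting changes on the wire is how the av-pair is encoded: IOS only honours shell:priv-lvl when it arrives inside a Vendor-Specific attribute (RFC 2865 attribute 26) with Cisco's vendor id 9 and vendor type 1 (cisco-avpair); a Service-Type of NAS Prompt alone, which is all the IETF-only dictionary can send, leaves the user at privilege 1. The following is an added example, not code from the thread or from Cisco, that builds the Access-Accept the router expects, parses it back the way the NAS would, and checks the Response Authenticator. The request authenticator and shared secret "cisco" are constructed sample values taken from the posted config, and the function names are my own.

```python
"""Encode and decode the RADIUS Access-Accept that puts a Cisco IOS user
straight into privilege level 15.  Added example, not from the thread or
from Cisco.  Layout per RFC 2865 (Service-Type = 6, Vendor-Specific = 26)
and Cisco's VSA format (vendor id 9, vendor type 1 = cisco-avpair)."""
import hashlib
import hmac
import os
import struct

ACCESS_ACCEPT = 2
ATTR_SERVICE_TYPE = 6
ATTR_VENDOR_SPECIFIC = 26
SERVICE_TYPE_NAS_PROMPT = 7      # what ACS calls "NAS Prompt"
CISCO_VENDOR_ID = 9
CISCO_AVPAIR = 1                 # vendor type of cisco-avpair
PRIV_PREFIX = b"shell:priv-lvl="


def attribute(attr_type: int, value: bytes) -> bytes:
    """One RFC 2865 TLV: Type, Length (counts itself and Type), Value."""
    if len(value) > 253:
        raise ValueError("attribute value too long for RADIUS")
    return bytes([attr_type, len(value) + 2]) + value


def cisco_avpair(text: str) -> bytes:
    """Vendor-Specific attribute carrying one cisco-avpair string."""
    payload = text.encode("ascii")
    vendor_tlv = bytes([CISCO_AVPAIR, len(payload) + 2]) + payload
    return attribute(ATTR_VENDOR_SPECIFIC,
                     struct.pack("!I", CISCO_VENDOR_ID) + vendor_tlv)


def exec_priv_attrs(priv_lvl: int) -> bytes:
    """Attributes the Cisco IOS/PIX dictionary sends for an exec session."""
    return (attribute(ATTR_SERVICE_TYPE, struct.pack("!I", SERVICE_TYPE_NAS_PROMPT))
            + cisco_avpair(f"shell:priv-lvl={priv_lvl}"))


def access_accept(ident: int, request_auth: bytes, secret: bytes, attrs: bytes) -> bytes:
    """20-byte header + attributes; Response Authenticator is
    MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    head = struct.pack("!BBH", ACCESS_ACCEPT, ident, 20 + len(attrs))
    resp_auth = hashlib.md5(head + request_auth + attrs + secret).digest()
    return head + resp_auth + attrs


def authenticator_valid(packet: bytes, request_auth: bytes, secret: bytes) -> bool:
    """Recompute the Response Authenticator; a NAS drops replies that fail this."""
    head, resp_auth, attrs = packet[:4], packet[4:20], packet[20:]
    expected = hashlib.md5(head + request_auth + attrs + secret).digest()
    return hmac.compare_digest(expected, resp_auth)


def parse_attributes(data: bytes):
    """Yield (type, value) pairs; reject a bad length rather than loop on it."""
    pos = 0
    while pos + 2 <= len(data):
        attr_type, length = data[pos], data[pos + 1]
        if length < 2 or pos + length > len(data):
            raise ValueError("malformed RADIUS attribute")
        yield attr_type, data[pos + 2:pos + length]
        pos += length


def exec_priv_level(packet: bytes):
    """Privilege level the router would apply, or None when no Cisco
    shell:priv-lvl VSA is present (the IETF-only case from the thread)."""
    for attr_type, value in parse_attributes(packet[20:]):
        if attr_type != ATTR_VENDOR_SPECIFIC or len(value) < 6:
            continue
        if struct.unpack("!I", value[:4])[0] != CISCO_VENDOR_ID:
            continue                       # some other vendor's VSA
        for vtype, vvalue in parse_attributes(value[4:]):
            if vtype == CISCO_AVPAIR and vvalue.startswith(PRIV_PREFIX):
                return int(vvalue[len(PRIV_PREFIX):])
    return None


if __name__ == "__main__":
    req_auth = os.urandom(16)                     # constructed sample
    pkt = access_accept(1, req_auth, b"cisco", exec_priv_attrs(15))
    print(pkt.hex())
    print("priv-lvl:", exec_priv_level(pkt))
```

Run it and compare the hex dump against a packet capture of a real Access-Accept from ACS: the bytes `1a 19 00 00 00 09 01 13` introduce the Cisco VSA, and their absence is the symptom of the Radius (IETF) setting described above. The length check in parse_attributes matters on the receiving side because a zero or oversized Length field would otherwise make the loop spin or read past the packet.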

Hi

I'm curious... what is the perceived benefit of using RADIUS instead of TACACS+?

Given that ACS supports both and that T+ is a superior protocol for device admin.

I once heard someone mutter that T+ was proprietary... but all they were doing was sending (effectively) T+ av-pairs via Cisco RADIUS VSAs. Not significantly different, one could argue!
