Assigning privilege level using Radius

I'm trying to assign a privilege level on a Cisco router via Radius. I'm using the Cisco Secure ACS (Windows 2K).

I have set the privilege level to 15. But when I telnet to the router, I always get the router> prompt instead of the router# prompt.

How can I configure the Radius/router so that when I get successfully authenticated, the router# prompt is shown?

I've configured the router as below:

aaa authentication login vtymethod group radius enable
aaa authorization exec vtymethod group radius local
radius-server host 202.x.x.195 auth-port 1645 acct-port 1646 key cisco
line vty 0 4
authorization exec vtymethod
login authentication vtymethod
!

On the Radius, I've configured as below:

In the group settings for IETF Radius attributes, the Service-Type is set to Nas Prompt.

Also in the group settings, I've checked the Cisco-av-pair with the following configured: shell:priv-lvl=15.

Is there something I'm missing?

Appreciate the help.

Thanks.

sweeann

4 REPLIES
Community Member

Re: Assigning privilege level using Radius

I believe adding the following line to your AAA configuration will allow a user authenticated through ACS to login directly to enable mode:

aaa authorization exec vtymethod group radius if-authenticated

Hope this helps,

-d

Community Member

Re: Assigning privilege level using Radius

Tried the suggestion above but I'm still getting the router> prompt instead of going directly to enable mode.

Thanks,

sweeann

Community Member

Re: Assigning privilege level using Radius

Just an update:

I had configured the network configuration in the ACS wrongly. I had chosen Radius (IETF) instead of Radius (Cisco IOS/PIX). Once I changed it to Radius (Cisco IOS/PIX) I was able to assign the privilege level.

Thanks all,

sweeann
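The fix above comes down to how ACS encodes the av-pair on the wire: the router only honours shell:priv-lvl when it arrives inside a RADIUS Vendor-Specific attribute (type 26) carrying Cisco's vendor ID 9 and the cisco-avpair sub-attribute (type 1), alongside Service-Type = NAS-Prompt (6 = 7). The encoder/decoder below is an added example, not code from this thread or from ACS; the attribute bytes and the alternate vendor ID 99999 are constructed for illustration.

```python
import struct

CISCO_VENDOR_ID = 9      # IANA enterprise number for Cisco
VSA_TYPE = 26            # RADIUS Vendor-Specific attribute
SERVICE_TYPE = 6         # RADIUS Service-Type attribute
NAS_PROMPT_USER = 7      # Service-Type value "NAS Prompt"
CISCO_AVPAIR = 1         # Cisco vendor sub-attribute "cisco-avpair"

def encode_service_type(value: int) -> bytes:
    """RADIUS integer attribute: type, length 6, 4-byte big-endian value."""
    return struct.pack("!BBI", SERVICE_TYPE, 6, value)

def encode_cisco_avpair(avpair: str, vendor_id: int = CISCO_VENDOR_ID) -> bytes:
    """Wrap an av-pair as a VSA: 26 | len | vendor-id | sub-type 1 | sub-len | text.
    vendor_id is a parameter only so a non-Cisco encoding can be demonstrated."""
    text = avpair.encode("ascii")
    sub = struct.pack("!BB", CISCO_AVPAIR, 2 + len(text)) + text
    return struct.pack("!BBI", VSA_TYPE, 6 + len(sub), vendor_id) + sub

def decode_attributes(blob: bytes) -> list:
    """Parse a RADIUS attribute list into (type, vendor_id, sub_type, value) tuples."""
    out, i = [], 0
    while i < len(blob):
        atype, alen = blob[i], blob[i + 1]
        if alen < 2 or i + alen > len(blob):
            raise ValueError("malformed attribute length")
        value = blob[i + 2:i + alen]
        if atype == VSA_TYPE:
            vendor = struct.unpack("!I", value[:4])[0]
            j = 4
            while j < len(value):
                stype, slen = value[j], value[j + 1]
                if slen < 2 or j + slen > len(value):
                    raise ValueError("malformed vendor sub-attribute")
                out.append((atype, vendor, stype, value[j + 2:j + slen]))
                j += slen
        else:
            out.append((atype, None, None, value))
        i += alen
    return out

def priv_lvl_from(attrs: list):
    """Privilege level the NAS would apply, or None if no Cisco av-pair carries one."""
    for atype, vendor, stype, value in attrs:
        if atype == VSA_TYPE and vendor == CISCO_VENDOR_ID and stype == CISCO_AVPAIR:
            text = value.decode("ascii", "replace")
            if text.startswith("shell:priv-lvl="):
                return int(text.split("=", 1)[1])
    return None

# Constructed Access-Accept attribute payload matching the ACS group settings in the thread.
ACCEPT_ATTRS = encode_service_type(NAS_PROMPT_USER) + encode_cisco_avpair("shell:priv-lvl=15")
```

Decoding a captured Access-Accept this way is a quick check of whether the server is actually sending the Cisco VSA or only the IETF attributes.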

Silver

Re: Assigning privilege level using Radius

Hi

I'm curious... what is the perceived benefit of using RADIUS instead of TACACS+?

Given that ACS supports both and that T+ is a superior protocol for device admin.

I once heard someone mutter that T+ was proprietary... but all they were doing was sending (effectively) T+ av-pairs via Cisco RADIUS VSAs. Not significantly different, one could argue!
