I've got AAA RADIUS authentication set up with IAS in the lab, but I haven't been able to nail down the priv levels. I've got 2 remote access policies matching Windows groups & the client IP of the router in question. In both policies, I have service-type with value login and vendor-specific Cisco with a value of shell:priv-lvl=7 for the 1st and shell:priv-lvl=15 for the 2nd. The policies are ordered that way (7 for the 1st, and 15 for the 2nd). I authenticate fine for test users in the group assigned to the 1st as well as the 2nd. However, I end up in exec mode. When I enter privileged mode for both, a sh priv tells me that I'm in priv 15.
Sure thing. I haven't finalized the CatOS or PIX/ASA configs for this yet, but maybe you can help me out with that.
I have a need to limit access on a per device, per person basis, so I have 1 policy per access level and per device.
So, for priv 7 access to a router I have the following policy:
* policy conditions: windows group AND client-IP-Address matches [IP]
* Grant remote access
* Authentication tab - only unencrypted (pap, spap)
* Advanced tab - service-type = nas prompt, vendor-specific = shell:priv-lvl=7, reply-message for testing but may remove it.
Please note that the service-type attribute doesn't appear to matter. I've changed it, as some write-ups say to use login while others say to use nas prompt. Either works, but I haven't tried removing it altogether. Also, the shell:priv-lvl=x string can be either a vendor-specific attribute or a Cisco-AV-Pair.
For the radius clients, I've tried both 'RADIUS Standard' as well as 'Cisco' and they both work fine.
If that doesn't fix it for you, try the aaa and radius debugs and check the IAS logs.
Hope that helps, and when you get it working could you please post your ASA AAA configs?
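Added example, not part of the thread or any Cisco/Microsoft code: when the router still drops you into exec mode, it is worth confirming what the IAS policy actually returns before chasing the router side. The snippet below decodes a RADIUS Access-Accept attribute list, pulls out the Cisco-AVPair VSA (vendor 9, sub-type 1) and reports the shell:priv-lvl it carries; the sample bytes are constructed here to mirror the priv-7 policy, not a capture from the lab.

```python
import struct

SERVICE_TYPE, VENDOR_SPECIFIC = 6, 26     # RADIUS attribute types (RFC 2865)
CISCO_VENDOR_ID, CISCO_AVPAIR = 9, 1      # Cisco VSA: vendor 9, sub-type 1 = Cisco-AVPair

def parse_tlvs(data: bytes) -> list:
    """Walk a RADIUS attribute list (type, length, value); used for VSA payloads too."""
    out, i = [], 0
    while i < len(data):
        if i + 2 > len(data) or data[i + 1] < 2 or i + data[i + 1] > len(data):
            raise ValueError("malformed attribute at offset %d" % i)
        out.append((data[i], data[i + 2:i + data[i + 1]]))
        i += data[i + 1]
    return out

def cisco_avpairs(data: bytes) -> list:
    """Return every Cisco-AVPair string found in Vendor-Specific attributes."""
    pairs = []
    for atype, value in parse_tlvs(data):
        if atype == VENDOR_SPECIFIC and len(value) >= 6 \
                and struct.unpack("!I", value[:4])[0] == CISCO_VENDOR_ID:
            pairs += [v.decode("ascii", "replace") for t, v in parse_tlvs(value[4:])
                      if t == CISCO_AVPAIR]
    return pairs

def priv_level(data: bytes):
    """Privilege level requested by shell:priv-lvl=N, or None if the reply carries none."""
    for pair in cisco_avpairs(data):
        if pair.startswith("shell:priv-lvl="):
            return int(pair.split("=", 1)[1])
    return None

def build_accept_attrs(service_type: int, avpairs: list) -> bytes:
    """Constructed attribute list mirroring the IAS policy in the thread (not a real capture)."""
    out = struct.pack("!BBI", SERVICE_TYPE, 6, service_type)  # 7 = NAS-Prompt, 1 = Login
    for pair in avpairs:
        sub = struct.pack("!BB", CISCO_AVPAIR, 2 + len(pair)) + pair.encode("ascii")
        out += struct.pack("!BBI", VENDOR_SPECIFIC, 6 + len(sub), CISCO_VENDOR_ID) + sub
    return out

# Constructed sample: Service-Type = NAS-Prompt plus shell:priv-lvl=7
SAMPLE_PRIV7 = build_accept_attrs(7, ["shell:priv-lvl=7"])
# Constructed sample: a reply with only a Service-Type and no priv-lvl at all
SAMPLE_NO_VSA = build_accept_attrs(1, [])

if __name__ == "__main__":
    print(cisco_avpairs(SAMPLE_PRIV7), priv_level(SAMPLE_PRIV7), priv_level(SAMPLE_NO_VSA))
```

If a packet capture of the real Access-Accept shows no Cisco-AVPair at all, the problem is the IAS policy; if the VSA is there, the router is ignoring it.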