cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1638
Views
0
Helpful
18
Replies

Microsoft IAS 2003 login authentication issues

sloov187
Level 1
Level 1

I have searched and searched for an answer to this, but noghting seems to be working. I have IAS authenticating users for login authentication on a 1230ag AP and a 2950 switch using Active Directory for the user database. I have it working just fine except for the fact that I can't get the device and IAS to send the user directly to enable mode even after adding the "shell:priv-lvl=15" vendor attribute to the access policy. Will someone post the steps that have worked for them that allows AAA login authentication with local users database for a backup? Any help would be much appreciated. I should add that it only allows me level 1 access on the console, telnet, and web interface (on the AP) and I did a debug on the AAA process and though I didn't copy it to a txt file it looked as though the "shell:priv-lvl=15" was reaching the AP and the switch. Thanks.

3 Accepted Solutions

Accepted Solutions

I get it, you have "Permanent" list applied on the device.

Add following command. If you make some changes in your configuration. I request you to also provide the configuration changes.

add the commands,

username privilege 15 password

radius-server host key

aaa authentication login default group radius local

aaa authorization exec default group radius local

line vty 0 4 or line vty 0 15

login authentication default

authorization exec default

Regards,

Prem

Please rate if it helps!

View solution in original post

ip http server

ip http authentication aaa

Should take care of it.

View solution in original post

aaa authentication login CON local

line con 0

login authentication CON

privilege level 15

Regards,

Prem

Please rate if it helps!

View solution in original post

18 Replies 18

Premdeep Banga
Level 7
Level 7

Make sure you have following commands on switch/AP

username privilege 15 password

radius-server host key

aaa authentication login default group radius local

aaa authorization exec default group radius local

On you IAS server,

Choose the Service Type as Administrative. (Under Advanced Tab for a Radius Access Policy)

Regards,

Prem

Please rate if it helps!

So instead of using the Service Type of Login I need to use the Service Type of Administrative? Do I still need to have the Cisco VA of "shell:priv-lvl=15" in the access policy? Also do I leave all of the RADIUS types in IAS set to Cisco or Radius Standard?

Thanks

Have you tried this yet ?

You need Service type administrative. You can use cisco av pair to later on pass the custom/required privilege level, else it will automatically get privilege level 15.

Regards,

Prem

Please rate if it helps!

After following your directions the following attached documents on the AAA debug and the telnet screen are what I get. Basically it looks like by using this method my request doesn't even reach the IAS sever even though I know I have the IP and the shared secret in properly.

"debug aaa authentication" wont help.

You need to get "debug radius"

Regards,

Prem

Also as you are using authorization.

debug aaa authentication

debug aaa authorization

debug radius

Regards,

Prem

Yes I did run a debug on all three and that was the output.

I get it, you have "Permanent" list applied on the device.

Add following command. If you make some changes in your configuration. I request you to also provide the configuration changes.

add the commands,

username privilege 15 password

radius-server host key

aaa authentication login default group radius local

aaa authorization exec default group radius local

line vty 0 4 or line vty 0 15

login authentication default

authorization exec default

Regards,

Prem

Please rate if it helps!

Thanks Prem! That works perfectly. When I was trying it before I forgot to put the "authorization exec default" command in. Three more questions for you:

1. Using this method does it default back to the local list if the RADIUS server is unavailable?

2. How do I apply these same rules to the HTTP web interface?

3. What commands do I use if I want to set up a user group that I want to give a privilege level of something other than 15 to?

Thanks again!

1. Using this method does it default back to the local list if the RADIUS server is unavailable?

Answer: Yes, using the local username/password configured on the device.

2. How do I apply these same rules to the HTTP web interface?

Answer :

ip http server

ip http authentication aaa

3. What commands do I use if I want to set up a user group that I want to give a privilege level of something other than 15 to?

Answer :

[Edit]Using cisco-av-pair i.e. shell:priv-lvl=n;

Where , n is the privilege level.

Regards,

Prem

Please rate if it helps!

Do I leave the service type as Administrative for the different privilege levels or do I change it back to Login?

Leave it to administrative

Thanks for your help it has been much appreciated. I'll rate this post.

Oops one more thing. How do I set it up to authenticate users in SDM?

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: