09-14-2008 09:28 PM - edited 03-10-2019 04:05 PM
I have searched and searched for an answer to this, but nothing seems to be working. I have IAS authenticating users for login authentication on a 1230ag AP and a 2950 switch, using Active Directory for the user database. I have it working just fine except for the fact that I can't get the device and IAS to send the user directly to enable mode, even after adding the "shell:priv-lvl=15" vendor attribute to the access policy. Will someone post the steps that have worked for them that allow AAA login authentication with the local user database as a backup? Any help would be much appreciated. I should add that it only allows me level 1 access on the console, telnet, and web interface (on the AP). I did a debug on the AAA process and, though I didn't copy it to a txt file, it looked as though the "shell:priv-lvl=15" was reaching the AP and the switch. Thanks.
09-18-2008 03:23 AM
I get it, you have the "Permanent" list applied on the device.
Add the following commands. If you make any changes to your configuration, please also post the configuration changes.
Add the commands:
username
radius-server host
aaa authentication login default group radius local
aaa authorization exec default group radius local
line vty 0 4 or line vty 0 15
login authentication default
authorization exec default
Regards,
Prem
Please rate if it helps!
09-19-2008 03:14 PM
09-22-2008 12:23 PM
aaa authentication login CON local
line con 0
login authentication CON
privilege level 15
Regards,
Prem
Please rate if it helps!
09-15-2008 03:08 PM
Make sure you have the following commands on the switch/AP:
username
radius-server host
aaa authentication login default group radius local
aaa authorization exec default group radius local
On your IAS server,
choose the Service-Type as Administrative (under the Advanced tab of the RADIUS access policy).
Regards,
Prem
Please rate if it helps!
09-15-2008 05:23 PM
So instead of using the Service Type of Login I need to use the Service Type of Administrative? Do I still need to have the Cisco VA of "shell:priv-lvl=15" in the access policy? Also do I leave all of the RADIUS types in IAS set to Cisco or Radius Standard?
Thanks
09-16-2008 03:46 AM
Have you tried this yet?
You need Service-Type Administrative. You can use the Cisco av-pair later on to pass a custom/required privilege level; otherwise it will automatically get privilege level 15.
Regards,
Prem
Please rate if it helps!
09-17-2008 01:54 PM
09-17-2008 03:01 PM
"debug aaa authentication" won't help.
You need to get "debug radius".
Regards,
Prem
09-17-2008 03:01 PM
Also, as you are using authorization:
debug aaa authentication
debug aaa authorization
debug radius
Regards,
Prem
09-17-2008 07:03 PM
Yes I did run a debug on all three and that was the output.
09-19-2008 10:14 AM
Thanks Prem! That works perfectly. When I was trying it before I forgot to put the "authorization exec default" command in. Three more questions for you:
1. Using this method does it default back to the local list if the RADIUS server is unavailable?
2. How do I apply these same rules to the HTTP web interface?
3. What commands do I use if I want to set up a user group that I want to give a privilege level of something other than 15 to?
Thanks again!
09-19-2008 10:27 AM
1. Using this method does it default back to the local list if the RADIUS server is unavailable?
Answer: Yes, using the local username/password configured on the device.
2. How do I apply these same rules to the HTTP web interface?
Answer :
ip http server
ip http authentication aaa
3. What commands do I use if I want to set up a user group that I want to give a privilege level of something other than 15 to?
Answer :
[Edit] Using the cisco-av-pair, i.e. shell:priv-lvl=n,
where n is the privilege level.
Regards,
Prem
Please rate if it helps!
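The following is an added example and is not code from this thread, from Cisco or from Microsoft. It models the two RADIUS attributes the answers above turn on: the Service-Type attribute (Login-User = 1, Administrative-User = 6) and the Cisco vendor-specific attribute cisco-av-pair (vendor 9, vendor-type 1) carrying shell:priv-lvl=n. It encodes them the way they appear on the wire in an Access-Accept, decodes them back the way a "debug radius" reading would, and derives the EXEC privilege level following the rule stated in the thread (Administrative gives 15, a shell:priv-lvl av-pair sets n). That derivation is a simplified assumption about IOS behaviour, not a reimplementation of it; all sample packets are constructed inline, and no server or device is contacted.

```python
"""RADIUS Access-Accept attributes for IOS EXEC privilege: encode, decode, derive.

Added example (not from the thread). The privilege rule in exec_privilege() is
an assumption modelled on the answers above, not IOS source behaviour.
"""
import struct

# RADIUS attribute types (RFC 2865)
ATTR_SERVICE_TYPE = 6
ATTR_VENDOR_SPECIFIC = 26
# Service-Type values (RFC 2865)
SERVICE_LOGIN_USER = 1
SERVICE_ADMINISTRATIVE_USER = 6
# Cisco VSA: IANA enterprise number 9, vendor-type 1 = cisco-av-pair
CISCO_VENDOR_ID = 9
CISCO_AV_PAIR = 1


def attr(atype, value):
    """Encode one attribute as Type(1) Length(1) Value; Length covers the header."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", atype, 2 + len(value)) + value


def service_type(value):
    """Service-Type is a 4-byte big-endian integer."""
    return attr(ATTR_SERVICE_TYPE, struct.pack("!I", value))


def cisco_av_pair(text):
    """Wrap an av-pair string in a Vendor-Specific attribute (RFC 2865 5.26)."""
    data = text.encode("ascii")
    vsa = struct.pack("!BB", CISCO_AV_PAIR, 2 + len(data)) + data
    return attr(ATTR_VENDOR_SPECIFIC, struct.pack("!I", CISCO_VENDOR_ID) + vsa)


def parse_attributes(buf):
    """Walk the TLV list; return [(type, value_bytes)], rejecting bad lengths."""
    out, pos = [], 0
    while pos < len(buf):
        if pos + 2 > len(buf):
            raise ValueError("truncated attribute header")
        atype, alen = struct.unpack_from("!BB", buf, pos)
        if alen < 2 or pos + alen > len(buf):
            raise ValueError("bad attribute length")
        out.append((atype, buf[pos + 2:pos + alen]))
        pos += alen
    return out


def cisco_av_pairs(attrs):
    """Return the text of every cisco-av-pair, skipping other vendors' VSAs."""
    pairs = []
    for atype, value in attrs:
        if atype != ATTR_VENDOR_SPECIFIC or len(value) < 6:
            continue
        if struct.unpack_from("!I", value)[0] != CISCO_VENDOR_ID:
            continue
        pos = 4  # sub-attributes follow the 4-byte Vendor-Id
        while pos + 2 <= len(value):
            vtype, vlen = struct.unpack_from("!BB", value, pos)
            if vlen < 2 or pos + vlen > len(value):
                break
            if vtype == CISCO_AV_PAIR:
                pairs.append(value[pos + 2:pos + vlen].decode("ascii", "replace"))
            pos += vlen
    return pairs


def exec_privilege(attrs):
    """Assumed rule from the thread: Administrative-User -> 15, otherwise 1;
    a shell:priv-lvl=n av-pair (0..15) overrides either."""
    level = 1
    for atype, value in attrs:
        if atype == ATTR_SERVICE_TYPE and len(value) == 4:
            if struct.unpack("!I", value)[0] == SERVICE_ADMINISTRATIVE_USER:
                level = 15
    for pair in cisco_av_pairs(attrs):
        key, sep, val = pair.partition("=")
        if sep and key.strip() == "shell:priv-lvl" and val.strip().isdigit():
            n = int(val)
            if 0 <= n <= 15:
                level = n
    return level


def access_accept_attrs(svc, priv_lvl=None):
    """Constructed Access-Accept attribute section for the cases in the thread."""
    buf = service_type(svc)
    if priv_lvl is not None:
        buf += cisco_av_pair("shell:priv-lvl=%d" % priv_lvl)
    return buf


if __name__ == "__main__":
    for label, buf in [
        ("Login-User only", access_accept_attrs(SERVICE_LOGIN_USER)),
        ("Administrative-User only", access_accept_attrs(SERVICE_ADMINISTRATIVE_USER)),
        ("Administrative-User + priv-lvl=7", access_accept_attrs(SERVICE_ADMINISTRATIVE_USER, 7)),
    ]:
        attrs = parse_attributes(buf)
        print(label, "->", buf.hex(), "-> level", exec_privilege(attrs))
```

The decoder only models what the RADIUS reply carries; whether the device acts on it is the second half of the accepted answer, since the exec authorization list must be applied to the line (authorization exec default) before any of these attributes change the EXEC level. Note also, as a caveat the thread does not spell out, that when the device falls back to the local database the level comes from the privilege keyword on the local username line, not from anything RADIUS would have sent.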
09-19-2008 10:54 AM
Do I leave the service type as Administrative for the different privilege levels or do I change it back to Login?
09-19-2008 10:55 AM
Leave it as Administrative.
09-19-2008 10:57 AM
Thanks for your help it has been much appreciated. I'll rate this post.
09-19-2008 03:13 PM
Oops one more thing. How do I set it up to authenticate users in SDM?