Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
New Member

non-Cisco ACS Radius superuser authentication to CSS

Hi,

I am trying to figure out what to send the CSS to have super-user authentication work.

We are using free-radius. When I configure:

virtual authentication primary radius

and run the radius server in debug mode (radiusd -fxx)

I see that the CSS contacted the radius server, got and Access-Accept, but authenticated as a user ( CSS11501> prompt )

Is there an AV pair that can be sent to force superuser status?

ie: "shell:priv-lvl=15" for routers??

1 REPLY
Silver

Re: non-Cisco ACS Radius superuser authentication to CSS

for a superuser, you can set the user name IETP Radius Attributes to server-type 006 administrative, which should be the same in all radius software. By setting the username like this, the authentication would work fine.

250
Views
0
Helpful
1
Replies
CreatePlease to create content