New Member

Radius privilege levels

Hi, I am struggling with getting my Cisco ASA to enforce privilege levels for users that authenticate to ASDM via RADIUS.

I am sending back the Priv-lvl=5 attribute, but all users connecting to ASDM get level 15 no matter what?

Any ideas?

4 REPLIES
Cisco Employee

Re: Radius privilege levels

Do you have:

aaa authentication http console LOCAL

LOCAL is needed if you want a fallback authentication in case the RADIUS server is unavailable.

Do rate helpful posts.

Regards,

Sushil

New Member

Re: Radius privilege levels

I already have aaa authentication http console LOCAL set.

The problem is that every authenticated user gets priv 15.

Cisco Employee

Re: Radius privilege levels

You can use the following commands to set the privilege level of specific commands. Next, if you create a username with-

-> 3 ≤ privilege < 5 : Can only "monitor" the device, i.e. can only run commands set at privilege level 3 (refer to the commands below).

-> 5 ≤ privilege < 15 : Can only "see configuration settings"; refer to the additional commands at level 5 below.

-> privilege = 15 : Complete access to the device.

Note: The privilege level of all other commands not mentioned below is 15 by default; exceptions are commands like "help".

CHECK IF THE COMMAND BELOW IS PRESENT:

aaa authorization command

(MAKE SURE YOU HAVE AN ALTERNATE SESSION OPEN WHILE YOU SET AUTHORIZATION FOR COMMANDS, TO AVOID A LOCKOUT.)

Regards,

Sushil

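As an added illustration of the 3 / 5 / 15 model described in the reply above (this is example configuration written for this thread, not Sushil's or Cisco's own text), the fragment below shows how the per-command privilege levels, a RADIUS server group with LOCAL fallback, and command authorization fit together on an ASA. The server-group name ADMIN-RADIUS, the host address 192.0.2.10 and the local usernames are constructed placeholders; the `aaa authorization exec authentication-server` line is included on the assumption that the ASA release in use supports management authorization, which is the knob that makes the ASA honour a privilege level returned by the AAA server instead of granting level 15 to every authenticated management user.

```cisco
! --- RADIUS server group (placeholder name and address) with LOCAL fallback ---
aaa-server ADMIN-RADIUS protocol radius
aaa-server ADMIN-RADIUS (inside) host 192.0.2.10
 key <SHARED-SECRET-PLACEHOLDER>
aaa authentication http console ADMIN-RADIUS LOCAL
aaa authentication ssh console ADMIN-RADIUS LOCAL

! --- Level 3: monitoring only ---
! Commands not listed here keep their default level (15), so a level-3
! user gets nothing beyond these.
privilege show level 3 command version
privilege show level 3 command interface
privilege show level 3 command failover
privilege show level 3 command cpu
privilege show level 3 command memory
privilege show level 3 command logging

! --- Level 5: monitoring plus read-only view of the configuration ---
privilege show level 5 command running-config
privilege show level 5 command startup-config
privilege show level 5 command access-list
privilege show level 5 command nat

! --- Local fallback accounts at each tier (passwords are placeholders) ---
username ops-monitor password <PASSWORD-PLACEHOLDER> privilege 3
username ops-reader  password <PASSWORD-PLACEHOLDER> privilege 5
username ops-admin   password <PASSWORD-PLACEHOLDER> privilege 15

! --- Enforcement ---
! Honour the privilege level the AAA server returns (RADIUS Cisco AV pair
! "shell:priv-lvl=5", or the local username's level when falling back).
aaa authorization exec authentication-server
! Check every command against the privilege table above.
! Open a second CLI session before entering this line: a mistake here
! can lock the current session out.
aaa authorization command LOCAL
```

Without the `aaa authorization exec` line the privilege attribute sent by the RADIUS server is not consulted for management sessions, which matches the symptom in the original post; with it, a user for whom the server returns priv-lvl 5 lands at level 5, and `show run` works while configuration commands are refused. Verify the result with `show curpriv` from a session authenticated as each tier before relying on it.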
New Member

Re: Radius privilege levels

I know how to do this with local usernames; the problem is using RADIUS for authentication....

The Cisco AV pair Priv-Lvl command doesn't seem to work or be adhered to by ASDM?
