Have you configured the Radius server correctly with the 3750 as a client with the correct key? Is the 3750 routing or just layer-2? If it's routing you should tie the radius requests to a source interface with the command 'ip radius source-interface x/x'.
What you have entered should gain you access as long as the radius server is configured correctly. It might be worth looking in the radius server's logs and turning on some debug on the 3750.
You can enable exec 'authorization' with the command 'aaa authorization exec default group xxxxx'. This then assumes your Radius server will send a Cisco AV Pair ('shell:priv-lvl=XX') to set the Privilege level of the user. You can still get to a higher privilege level with the 'enable' command, however another Radius login is sent if you do this with a username of '$enab15$' (for level 15).
My current Radius Template I use for IOS devices is this:
aaa group server radius Radius-Servers
 server 10.10.10.10 auth-port 1812 acct-port 1813
 server 10.10.20.10 auth-port 1812 acct-port 1813
ip radius source-interface Loopback0
aaa authentication login default group Radius-Servers local line
aaa authentication enable default group Radius-Servers enable
aaa authentication dot1x default group Radius-Servers
aaa authorization console
aaa authorization exec default group Radius-Servers if-authenticated
aaa authorization network default group Radius-Servers
aaa accounting dot1x default start-stop group Radius-Servers
aaa accounting exec default start-stop group Radius-Servers
aaa accounting network default start-stop group Radius-Servers
aaa accounting system default start-stop group Radius-Servers
I am using MS IAS for Radius and I have various policies defined that check for different attributes depending on the authentication type - i.e. Console/Terminal access, VPN, Wireless 802.1x, Wired 802.1x and WEB Proxy-Authentication.
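An added example, not part of the original post: IOS only moves to the next method in a list when the previous one returns an error (for example, no RADIUS server answers), so it is worth knowing which lists in a template like the one above have a fallback and which depend entirely on the server group. The Python sketch below audits the method lists; the function names and the SAMPLE text (copied from the template) are assumptions made for the example.

```python
import re

# Constructed sample: AAA lines copied from the template in the post above.
SAMPLE = """\
aaa authentication login default group Radius-Servers local line
aaa authentication enable default group Radius-Servers enable
aaa authentication dot1x default group Radius-Servers
aaa authorization console
aaa authorization exec default group Radius-Servers if-authenticated
aaa authorization network default group Radius-Servers
aaa accounting exec default start-stop group Radius-Servers
"""

# Matches: aaa <authentication|authorization> <service> <list-name> <methods...>
LINE = re.compile(r"^aaa (authentication|authorization) (\S+) (\S+) (.+)$")

def parse_methods(tokens):
    """Collapse 'group NAME' into one method; keep other keywords as-is."""
    methods, i = [], 0
    while i < len(tokens):
        if tokens[i] == "group" and i + 1 < len(tokens):
            methods.append("group " + tokens[i + 1])
            i += 2
        else:
            methods.append(tokens[i])
            i += 1
    return methods

def audit(config):
    """Return (findings, console_authz) for the AAA method lists in config."""
    findings, console_authz = [], False
    for raw in config.splitlines():
        line = raw.strip()
        if line == "aaa authorization console":
            console_authz = True  # exec authorization also applies on the console
            continue
        m = LINE.match(line)
        if not m:
            continue  # accounting and non-AAA lines are not method lists to audit
        kind, service, name, rest = m.groups()
        methods = parse_methods(rest.split())
        # A list with only server groups has nothing to fall back to.
        server_only = all(x.startswith("group ") for x in methods)
        findings.append({"list": f"{kind} {service} {name}",
                         "methods": methods, "server_only": server_only})
    return findings, console_authz
```

Run against the template, the login, enable and exec lists each show a non-RADIUS fallback, while the dot1x authentication and network authorization lists depend on the server group alone.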
You are probably going to have to post a bit more of the config....
After you have rebooted, console or telnet in and set the exec-timeout to 0 so you don't get logged out automatically; you should then be able to debug what is going on by telnet'ing a 2nd time into the switch.
Are you trying this via telnet or the console? By default the console does not perform authorization automatically (you need to enter 'enable'). This can be overridden with the hidden global command 'aaa authorization console'. I am not sure this is your issue though?