I have configured radius authentication and have 2 types of users - 15 - all access and 2 - limited access.
The problem I am experiencing is controlling enable mode access.
If the radius server stops then the default username Test1 is used and although I have configured it for level 15 it is always level 1 when you show privilege. From there you can go to enable mode. Which is what I want. (is that best practice?)
When radius server is up, then Test2 can login and gets privilege level 2 with limited commands. Except that you can access the enable mode. I tried 'privilege exec level 10 enable' but then the Test1 cannot get enable mode.
I tried 'aaa authentication enable default group radius enable' and it goes to the radius server to get authentication for the enable password, but I want to stop Test2 from being able to use the enable command and getting a password request.
Any clues how to do this?
enable secret 5 xxxxxxxx
username Test privilege 15 password 7 xxxxxx
aaa authentication login radius-login group radius local
aaa authentication enable default group radius enable
aaa authorization console
aaa authorization exec default group radius if-authenticated
aaa authorization network default group radius
aaa accounting exec default start-stop group radius-login
aaa accounting network default start-stop group radius-login
aaa accounting system default start-stop group radius-login
This document describes the privilege level for certain commands, and provides an example with parts of sample configurations for a router and TACACS+ and RADIUS servers.
By default, there are three privilege levels on the router.
- Privilege level 1 = non-privileged (prompt is router>), the default level for logging in
- Privilege level 15 = privileged (prompt is router#), the level after going into enable mode
- Privilege level 0 = seldom used, but includes 5 commands: disable, enable, exit, help, and logout
Levels 2-14 are not used in a default configuration, but commands that are normally at level 15 can be moved down to one of those levels and commands that are normally at level 1 can be moved up to one of those levels. Obviously, this security model involves some administration on the router.
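The following is an added illustration of that model, not configuration from the thread or from Cisco's document: a local fallback account that actually lands at level 15, a restricted level 2 with a couple of commands moved down to it, a separate enable secret per level, and the RADIUS attributes (FreeRADIUS-style syntax assumed) that place each user at its intended level so the "enable" command is never needed. The account names, secrets, and the particular commands moved to level 2 are placeholders chosen for the example.

```cisco
! Added example (not from the original post). Secrets are placeholders.
!
! Local account used only when the RADIUS servers are unreachable. With the
! "local" method on the exec authorization list below, the privilege level on
! the username is applied at login; with "if-authenticated" alone the session
! simply starts at level 1, which is the behaviour described in the question.
username Test1 privilege 15 secret <LOCAL-SECRET>
!
! One enable secret per level that is meant to be entered directly:
! "enable" goes to level 15, "enable 10" to level 10.
enable secret <LEVEL15-SECRET>
enable secret level 10 <LEVEL10-SECRET>
!
! Move commands that normally sit at level 15 down to level 2 so the limited
! user can do its job without ever entering enable mode (command choice is
! hypothetical; adjust to what the limited role actually needs).
privilege exec level 2 show running-config
privilege exec level 2 clear counters
!
! Raising "enable" to level 10 removes it from every level below 10, so a
! level-2 user gets no password prompt at all. The same change also removes it
! from a level-1 fallback login, which is why the local account above must
! already log in at level 15 rather than rely on "enable".
privilege exec level 10 enable
!
! AAA: authenticate against RADIUS and fall back to the local database; do the
! same for exec authorization so the local username's privilege is honoured.
aaa new-model
aaa authentication login default group radius local
aaa authorization exec default group radius local
aaa authorization console
!
line vty 0 4
 login authentication default
 authorization exec default
!
! RADIUS side (assumed FreeRADIUS users-file syntax), per account:
!   Test15  Service-Type = NAS-Prompt-User, Cisco-AVPair = "shell:priv-lvl=15"
!   Test2   Service-Type = NAS-Prompt-User, Cisco-AVPair = "shell:priv-lvl=2"
!
! Check after logging in as each user:
!   show privilege            -> "Current privilege level is 2" for Test2
!   enable                    -> rejected at level 2 (command not available)
```

The check worth running after this change is a login as each user type with the RADIUS server reachable and again with it unreachable, confirming with show privilege that the fallback account starts at level 15 and that the level-2 account is refused the enable command rather than prompted for a password.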