Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

Privilege levels and radius

I have configured radius authenication and have 2 types of users - 15 - all access and 2 limited access.

The problem I am experiencing is controlling enable mode access.

If the radius server stops then the default username Test1 is used and although I have configured it for level 15 it is always level 1 when you show privilege. From there you can go to enable mode. Which is what I want. (is that best practice?)

When radius server is up, then Test2 can login and gets privelege level 2 with limited commands. Except that you can access the enable mode. I tried

'privilege exec level 10 enable' but then the Test1 cannot get enable mode.

I tried 'aaa authentication enable default group radius enable' and it goes to the radius server to get authenication for enable password but I want to stop Test2 from being able to use the enable command and getting a password request.

Any clues how to do this?

enable secret 5 xxxxxxxx


username Test privilege 15 password 7 xxxxxx

aaa new-model



aaa authentication login radius-login group radius local

aaa authentication enable default group radius enable

aaa authorization console

aaa authorization exec default group radius if-authenticated

aaa authorization network default group radius

aaa accounting exec default start-stop group radius-login

aaa accounting network default start-stop group radius-login

aaa accounting system default start-stop group radius-login

radius-server host x.x.x.x auth-port 1812 acct-port 1813

radius-server key 7 yyyyyyyyyy

privilege exec level 2 traceroute

privilege exec level 2 ping

privilege exec level 2 clear counters

privilege exec level 2 show interfaces

privilege exec level 1 show privilege


Re: Privilege levels and radius

The privilege level for certain commands, and provides an example with parts of sample configurations for a router and TACACS+ and RADIUS servers.

By default, there are three privilege levels on the router.

- Privilege level 1 = non-privileged (prompt is router>), the default level for logging in

- Privilege level 15 = privileged (prompt is router#), the level after going into enable mode

- Privilege level 0 = seldom used, but includes 5 commands: disable, enable, exit, help, and logout

Levels 2-14 are not used in a default configuration, but commands that are normally at level 15 can be moved down to one of those levels and commands that are normally at level 1 can be moved up to one of those levels. Obviously, this security model involves some administration on the router.

For further information click this link.

CreatePlease login to create content