I have configured RADIUS authentication and have two types of users: level 15 (all access) and level 2 (limited access).
The problem I am experiencing is controlling enable mode access.
If the RADIUS server stops, then the default username Test1 is used, and although I have configured it for level 15, it is always level 1 when you run show privilege. From there you can go to enable mode, which is what I want. (Is that best practice?)
When the RADIUS server is up, Test2 can log in and gets privilege level 2 with limited commands, except that you can still access enable mode. I tried
'privilege exec level 10 enable', but then Test1 cannot get enable mode.
I tried 'aaa authentication enable default group radius enable' and it goes to the RADIUS server to get authentication for the enable password, but I want to stop Test2 from being able to use the enable command and getting a password request at all.
Any clues how to do this?
enable secret 5 xxxxxxxx
!
username Test privilege 15 password 7 xxxxxx
aaa new-model
!
!
aaa authentication login radius-login group radius local
aaa authentication enable default group radius enable
aaa authorization console
aaa authorization exec default group radius if-authenticated
aaa authorization network default group radius
aaa accounting exec default start-stop group radius-login
aaa accounting network default start-stop group radius-login
aaa accounting system default start-stop group radius-login
radius-server host x.x.x.x auth-port 1812 acct-port 1813
radius-server key 7 yyyyyyyyyy
privilege exec level 2 traceroute
privilege exec level 2 ping
privilege exec level 2 clear counters
privilege exec level 2 show interfaces
privilege exec level 1 show privilege
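As an added example (not part of the original post or of any Cisco tooling), here is a small Python audit script that reads an IOS-style AAA configuration like the one above and answers the two questions a reviewer would ask first: which privilege level each command is pinned to (so which login levels can still issue `enable`), and whether every `group <name>` referenced in an `aaa` line is actually a server group. The sample config is the poster's own, embedded inline; the parser is a deliberate simplification (it models IOS's default of `enable` at level 1 and uses longest-prefix matching for `privilege exec` entries, and it only knows the built-in `radius` and `tacacs+` groups plus any `aaa group server` definitions it sees).

```python
import re

# Constructed sample: the configuration posted in the thread (secrets already masked).
SAMPLE_CONFIG = """\
enable secret 5 xxxxxxxx
!
username Test privilege 15 password 7 xxxxxx
aaa new-model
aaa authentication login radius-login group radius local
aaa authentication enable default group radius enable
aaa authorization console
aaa authorization exec default group radius if-authenticated
aaa authorization network default group radius
aaa accounting exec default start-stop group radius-login
aaa accounting network default start-stop group radius-login
aaa accounting system default start-stop group radius-login
radius-server host x.x.x.x auth-port 1812 acct-port 1813
radius-server key 7 yyyyyyyyyy
privilege exec level 2 traceroute
privilege exec level 2 ping
privilege exec level 2 clear counters
privilege exec level 2 show interfaces
privilege exec level 1 show privilege
"""

# Server groups IOS always knows about; user-defined ones come from "aaa group server ...".
BUILTIN_GROUPS = {"radius", "tacacs+"}


def parse_config(text):
    """Collect local users, per-command privilege levels, server groups and group references."""
    users = {}          # username -> configured privilege level
    cmd_levels = {}     # "show interfaces" -> 2
    server_groups = set(BUILTIN_GROUPS)
    group_refs = []     # (aaa line, referenced group name)
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        m = re.match(r"username (\S+) privilege (\d+)", line)
        if m:
            users[m.group(1)] = int(m.group(2))
            continue
        m = re.match(r"privilege exec level (\d+) (.+)$", line)
        if m:
            cmd_levels[m.group(2).strip()] = int(m.group(1))
            continue
        m = re.match(r"aaa group server (?:radius|tacacs\+) (\S+)", line)
        if m:
            server_groups.add(m.group(1))
            continue
        if line.startswith("aaa "):
            for group in re.findall(r"\bgroup (\S+)", line):
                group_refs.append((line, group))
    return {"users": users, "cmd_levels": cmd_levels,
            "server_groups": server_groups, "group_refs": group_refs}


def command_level(cfg, command, default=1):
    """Privilege level needed for `command`: longest configured prefix match, else the IOS default (1)."""
    best = None
    for cmd in cfg["cmd_levels"]:
        if command == cmd or command.startswith(cmd + " "):
            if best is None or len(cmd) > len(best):
                best = cmd
    return cfg["cmd_levels"][best] if best else default


def undefined_group_refs(cfg):
    """aaa lines that name a group which is neither built in nor defined with 'aaa group server'."""
    return [(line, g) for line, g in cfg["group_refs"] if g not in cfg["server_groups"]]


def levels_reaching_enable(cfg, login_levels):
    """Which of the given login privilege levels can still type 'enable' and get a password prompt."""
    needed = command_level(cfg, "enable")
    return [lvl for lvl in login_levels if lvl >= needed]


if __name__ == "__main__":
    cfg = parse_config(SAMPLE_CONFIG)
    print("local users:", cfg["users"])
    print("'enable' requires level", command_level(cfg, "enable"))
    print("login levels that can reach enable:", levels_reaching_enable(cfg, [2, 15]))
    for line, group in undefined_group_refs(cfg):
        print(f"undefined server group '{group}' in: {line}")
```

Run against the posted config, the script reports that `enable` is still at its default level 1, so a level-2 login such as Test2 can issue it and be prompted, and it flags the three accounting lines that reference `group radius-login`, which is the name of the login method list rather than a defined server group.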