Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
845
Views
10
Helpful
1
Replies

Privilege levels and radius

j-tucker
Level 1
Level 1

‎12-05-2008 08:36 AM

I have configured radius authenication and have 2 types of users - 15 - all access and 2 limited access.

The problem I am experiencing is controlling enable mode access.

If the radius server stops then the default username Test1 is used and although I have configured it for level 15 it is always level 1 when you show privilege. From there you can go to enable mode. Which is what I want. (is that best practice?)

When radius server is up, then Test2 can login and gets privelege level 2 with limited commands. Except that you can access the enable mode. I tried

'privilege exec level 10 enable' but then the Test1 cannot get enable mode.

I tried 'aaa authentication enable default group radius enable' and it goes to the radius server to get authenication for enable password but I want to stop Test2 from being able to use the enable command and getting a password request.

Any clues how to do this?

enable secret 5 xxxxxxxx

!

username Test privilege 15 password 7 xxxxxx

aaa new-model

!

!

aaa authentication login radius-login group radius local

aaa authentication enable default group radius enable

aaa authorization console

aaa authorization exec default group radius if-authenticated

aaa authorization network default group radius

aaa accounting exec default start-stop group radius-login

aaa accounting network default start-stop group radius-login

aaa accounting system default start-stop group radius-login

radius-server host x.x.x.x auth-port 1812 acct-port 1813

radius-server key 7 yyyyyyyyyy

privilege exec level 2 traceroute

privilege exec level 2 ping

privilege exec level 2 clear counters

privilege exec level 2 show interfaces

privilege exec level 1 show privilege

Labels:
0 Helpful
1 Reply 1

mchin345
Level 6
Level 6

‎12-11-2008 10:03 AM

The privilege level for certain commands, and provides an example with parts of sample configurations for a router and TACACS+ and RADIUS servers.

By default, there are three privilege levels on the router.

- Privilege level 1 = non-privileged (prompt is router>), the default level for logging in

- Privilege level 15 = privileged (prompt is router#), the level after going into enable mode

- Privilege level 0 = seldom used, but includes 5 commands: disable, enable, exit, help, and logout

Levels 2-14 are not used in a default configuration, but commands that are normally at level 15 can be moved down to one of those levels and commands that are normally at level 1 can be moved up to one of those levels. Obviously, this security model involves some administration on the router.

For further information click this link.

http://www.cisco.com/en/US/tech/tk59/technologies_tech_note09186a008009465c.shtml

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents