
Microsoft NPS(IAS) as RADIUS and Cisco Privilege levels

I have spent a while looking around, done a lot of reading and haven't been able to get my lab to work.

I am trying to get a router to assign the privilege level based on a Windows group using Microsoft NPS (latest incarnation of IAS).

So I have done a lot of reading, but it seems the AV pair on the RADIUS server has no impact on the level the logged-on user can access.

My router has the following config:

aaa new-model
!
!
aaa group server radius RadSrv
 server name NPS1
!
aaa authentication login VTY local group RadSrv
aaa authorization exec VTY local group RadSrv
!
radius server NPS1
 address ipv4 192.168.0.12 auth-port 1645 acct-port 1646
 key password
!
line vty 0 4
 authorization exec VTY
 login authentication VTY
 transport input telnet ssh

The RADIUS server has the following configured:

Standard attribute
  Name: Service type
  Number: 6
  Value: NAS Prompt

Vendor specific
  Name: Cisco-AV-Pair
  Vendor: Cisco
  Value: shell:priv-lvl=1

But when I log on with a user that matches this profile I get the following from the debug and prompt:

Username: hrg1
Password:
!
R1>show pri
R1>en
R1#show pri
R1#show privilege
Current privilege level is 15

and the debug:

Aug  2 15:35:04.794: AAA/BIND(0000002F): Bind i/f
Aug  2 15:35:04.794: AAA/AUTHEN/LOGIN (0000002F): Pick method list 'VTY'
Aug  2 15:35:10.666: AAA/AUTHOR (0x2F): Pick method list 'VTY' - PASS
Aug  2 15:35:10.666: AAA/AUTHOR/EXEC(0000002F): processing AV priv-lvl=1
Aug  2 15:35:10.666: AAA/AUTHOR/EXEC(0000002F): processing AV service-type=7
Aug  2 15:35:10.666: AAA/AUTHOR/EXEC(0000002F): Authorization successful
Aug  2 15:35:15.226: AAA/AUTHOR: auth_need : user= 'hrg1' ruser= 'one'rem_addr= '192.168.0.6' priv= 0 list= '' AUTHOR-TYPE= 'command'
Aug  2 15:35:15.226: AAA: parse name=tty11 idb type=-1 tty=-1
Aug  2 15:35:15.226: AAA: name=tty11 flags=0x11 type=5 shelf=0 slot=0 adapter=0 port=11 channel=0
Aug  2 15:35:15.226: AAA/MEMORY: create_user (0x873541FC) user='hrg1' ruser='NULL' ds0=0 port='tty11' rem_addr='192.168.0.6' authen_type=ASCII service=ENABLE priv=15 initial_task_id='0', vrf= (id=0)
Aug  2 15:35:15.230: AAA/AUTHEN/START (1138619649): port='tty11' list='VTY' action=LOGIN service=ENABLE
Aug  2 15:35:15.230: AAA/AUTHEN/START (1138619649): console enable - default to enable password (if any)
Aug  2 15:35:15.230: AAA/AUTHEN/START (1138619649): Method=ENABLE
Aug  2 15:35:15.230: AAA/AUTHEN(1138619649): can't find any passwords
Aug  2 15:35:15.230: AAA/AUTHEN (1138619649): status = ERROR
Aug  2 15:35:15.230: AAA/AUTHEN/START (1138619649): Method=NONE
Aug  2 15:35:15.230: AAA/AUTHEN (1138619649): status = PASS
Aug  2 15:35:15.230: AAA/MEMORY: free_user (0x873541FC) user='hrg1' ruser='NULL' port='tty11' rem_addr='192.168.0.6' authen_type=ASCII service=ENABLE priv=15 vrf= (id=0)

It seems to get the privilege level when the user logs in, but there are no restrictions when entering enable mode.


4 Replies

Guess it's going to be a TAC case then.

I wonder if anybody has got this working.

Username: hrg1
Password:
!
R1>show pri
R1>en
R1#show pri
R1#show privilege
Current privilege level is 15

Technically, if you're putting a level 15 enable password in then the user is level 15 regardless of the initial login. You'll need to set an enable level for the level that you're wanting:

R1>enable
Password:
R1#sh priv level
R1#sh priv
Current privilege level is 15
R1#disa
R1>enable 3
Password:
R1#sh priv
Current privilege level is 3
R1#disab
R1>en
Password:
R1#sh run | i enable
enable secret level 3 5 $1$ZWgd$pmqbBMhM3AoUbLNWfdRrc/
enable secret 5 $1$UC3a$Q6MM8v3RHo4CZp6G0CMtV/
R1#

If the user only knows their level and password, you shouldn't have any worries about them getting in at the highest level.

HTH,
John

*** Please rate all useful posts ***


I'm not clear on what you mean, sorry.

I didn't have a username or enable password on the config, are you saying that is my problem?

I will give it a try, but that would mean I can't control access levels via the AD group setting.

Hello Andrew,

As far as I can see, the method for the enable mode in your configuration is still local and you have no enable password/secret configured locally.

Could you try:

aaa authentication enable default group RadSrv [] []

[] could be enable (local) or none (for a lab environment); these methods are used when the RADIUS server is not available.

Hope that helps

Rolf
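Added example (not part of the thread): a small Python checker that scans `debug aaa authentication` output like the one in the question for the condition Rolf diagnoses, an ENABLE request that fell through to Method=NONE and passed, and reports the priv-lvl that exec authorization actually granted. The log lines are a constructed sample modelled on the debug above; session ids and regexes are assumptions about the log format, not a Cisco API.

```python
import re

# Constructed sample modelled on the debug in the question: RADIUS exec
# authorization grants priv-lvl=1, then 'enable' falls through to Method=NONE
# because no enable secret exists on the router, so it PASSes with no credential.
SAMPLE_DEBUG = """\
Aug  2 15:35:10.666: AAA/AUTHOR/EXEC(0000002F): processing AV priv-lvl=1
Aug  2 15:35:15.230: AAA/AUTHEN/START (1138619649): port='tty11' list='VTY' action=LOGIN service=ENABLE
Aug  2 15:35:15.230: AAA/AUTHEN/START (1138619649): Method=ENABLE
Aug  2 15:35:15.230: AAA/AUTHEN(1138619649): can't find any passwords
Aug  2 15:35:15.230: AAA/AUTHEN (1138619649): status = ERROR
Aug  2 15:35:15.230: AAA/AUTHEN/START (1138619649): Method=NONE
Aug  2 15:35:15.230: AAA/AUTHEN (1138619649): status = PASS
"""

SESSION_RE = re.compile(r"AAA/AUTHEN(?:/START)?\s*\((\d+)\)")  # assumed log shape
METHOD_RE = re.compile(r"Method=(\w+)")
STATUS_RE = re.compile(r"status = (\w+)")
PRIV_RE = re.compile(r"processing AV priv-lvl=(\d+)")

def parse_authen_sessions(text):
    """Group AAA/AUTHEN lines by session id, keeping the order of methods
    tried and the status each method returned."""
    sessions = {}
    for line in text.splitlines():
        m = SESSION_RE.search(line)
        if not m:
            continue
        s = sessions.setdefault(m.group(1), {"enable": False, "methods": [], "statuses": []})
        if "service=ENABLE" in line:
            s["enable"] = True
        if (mm := METHOD_RE.search(line)):
            s["methods"].append(mm.group(1))
        if (sm := STATUS_RE.search(line)):
            s["statuses"].append(sm.group(1))
    return sessions

def find_unauthenticated_enable(text):
    """Session ids where 'enable' succeeded via Method=NONE, i.e. the user
    reached a higher privilege level without any credential being checked."""
    hits = []
    for sid, s in parse_authen_sessions(text).items():
        # each Method=... line is followed by the status that method returned
        if s["enable"] and ("NONE", "PASS") in zip(s["methods"], s["statuses"]):
            hits.append(sid)
    return hits

def authorized_priv_level(text):
    """Lowest priv-lvl granted by exec authorization, or None if absent."""
    levels = [int(x) for x in PRIV_RE.findall(text)]
    return min(levels) if levels else None
```

A hit from `find_unauthenticated_enable` is the gap Rolf's `aaa authentication enable default group RadSrv ...` closes: enable is then authenticated by RADIUS instead of silently passing through `none`.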