I am attempting to set up my 6506 to use RADIUS authentication using my Windows 2000 accounts database. What I would like to do is make it so my Windows 2000 account (we'll call it "superuser" here) has level 15 access to the switch, with a local account called switchadmin as a backup, also with level 15 access. I would like all other accounts to have limited access. For example, give them access to the show start and show ip route commands.
So far, I have the following related commands configured.
aaa group server radius TEST
server 172.16.255.31 auth-port 1812 acct-port 1813
aaa authentication login default local
username switchadmin password <password>
username superuser privilege 15
I know these commands are a sort of hodgepodge of almost complete configurations for both local and RADIUS configs, but I'm having trouble figuring out where to go from here.
I'm having trouble understanding the aaa authorization methods and how they work. For example, what is the difference between command and exec?
Can you help me complete this configuration to allow RADIUS authentication as my default? Thanks in advance.
As for the configuration on the server side, since you are using an external user database, you would need two groups in the W2K database and map them to two separate groups with different privileges on ACS.
Re: RADIUS authentication with Windows 2000 server
Command authorization can only be done using TACACS.
In your case, since you are using RADIUS, you can only restrict access to commands using the privilege levels locally on the router. For example, you can assign priv 7 to a user and, locally on the router, move certain commands to level 7. Hence level 7 users will only have access to specific commands. For more information:
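An added example, not part of the original thread or of either poster's configuration: one way the IOS side of the approach in the replies above could look, with RADIUS as the default login method, the local switchadmin account as fallback, and the two show commands from the question moved to level 7. The shared secret, the choice of level 7 for the limited group, and the `shell:priv-lvl` values returned by the RADIUS server are assumptions.

```cisco
! Assumption: Cisco IOS (native) on the 6506; <shared-secret> and <password>
! are placeholders.
aaa new-model
!
! RADIUS server definition and the group from the original post
radius-server host 172.16.255.31 auth-port 1812 acct-port 1813 key <shared-secret>
aaa group server radius TEST
 server 172.16.255.31 auth-port 1812 acct-port 1813
!
! Try RADIUS first; the local database is consulted only when the
! RADIUS server does not respond, not when it rejects the login.
aaa authentication login default group TEST local
!
! Exec authorization lets the switch apply the privilege level that the
! RADIUS server returns for the user's group (assumed here to be sent as
! the Cisco AV pair shell:priv-lvl=15 for the superuser group and
! shell:priv-lvl=7 for everyone else).
aaa authorization exec default group TEST local
!
! Local backup account with full access
username switchadmin privilege 15 secret <password>
!
! Make the two commands from the question available at level 7.
! Level 7 users keep the level 1 commands and gain only these.
privilege exec level 7 show startup-config
privilege exec level 7 show ip route
```

Keeping an existing privileged session open while testing a second login avoids a lockout if the RADIUS group mapping or shared secret is wrong.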