Cisco Support Community

New Member

RADIUS authentication with Windows 2000 server

I am attempting to set up my 6506 to use RADIUS authentication using my Windows 2000 accounts database. What I would like to do is make it so my Windows 2000 account (we'll call it "superuser" here) has level 15 access to the switch, with a local account called switchadmin as a backup, also with level 15 access. I would like all other accounts to have limited access. For example, give them access to the show start and show ip route commands.

So far, I have the following related commands configured.

aaa new-model

aaa group server radius TEST

server auth-port 1812 acct-port 1813

aaa authentication login default local

username switchadmin password <password>

username superuser privilege 15

I know these commands are a sort of hodgepodge of almost complete configurations for both local and RADIUS configs, but I'm having trouble figuring out where to go from here.

I'm having trouble understanding the aaa authorization methods and how they work. For example, what is the difference between command and exec?

Can you help me complete this configuration to allow RADIUS authentication as my default? Thanks in advance.

Cisco Employee

Re: RADIUS authentication with Windows 2000 server

The authorization exec is used to check the user attributes such as privilege level, etc. Authorization commands is used when you need to authorize each command the user enters.

In your case you would need to use both.

The following links should help you with the configuration:

As for the configuration on the server side, since you are using an external user database, you would need two groups on the W2K database and map them to two separate groups with different privileges on ACS.

Hope this helps,


New Member

Re: RADIUS authentication with Windows 2000 server

Well, that didn't have the desired effect. Now I can't do anything but get to the enable prompt. Any suggestions?

Cisco Employee

Re: RADIUS authentication with Windows 2000 server

Command authorization can only be done using TACACS.

In your case, since you are using RADIUS, you can only restrict access for commands using the privilege levels locally on the router. For example, you can assign priv 7 to a user and on the router locally move certain commands to level 7. Hence level 7 users will only have access to specific commands. For more information:


New Member

Re: RADIUS authentication with Windows 2000 server


Thanks for the info. I guess that would explain why every example I found for command authorizations used TACACS, eh?
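
The approach from the last Cisco Employee reply (RADIUS for login and exec authorization, with command restriction done through local privilege levels), written out as an added example that is not part of the original thread. The server address, shared secret, the choice of level 7 for ordinary users and the RADIUS-side attribute values are assumptions; the group name TEST, the ports and the account names come from the question.

```cisco
! Added example. <radius-server-ip>, <shared-secret> and <password> are
! placeholders; the thread does not give these values.
aaa new-model
!
! RADIUS server definition and the server group that references it.
radius-server host <radius-server-ip> auth-port 1812 acct-port 1813 key <shared-secret>
aaa group server radius TEST
 server <radius-server-ip> auth-port 1812 acct-port 1813
!
! Login: try RADIUS first. "local" is consulted only when no RADIUS server
! answers; a reject from RADIUS is final and does not fall through.
aaa authentication login default group TEST local
!
! Exec authorization: take the privilege level from the RADIUS reply
! (Cisco AV-pair "shell:priv-lvl=<n>"), or from the local username entry
! when RADIUS is unreachable.
aaa authorization exec default group TEST local
!
! Local backup account with level 15, stored as a hashed secret.
username switchadmin privilege 15 secret <password>
!
! No "aaa authorization commands" line: per the reply above, per-command
! authorization is not available with RADIUS. Instead, move the two
! commands from the question to level 7 on the switch itself.
privilege exec level 7 show startup-config
privilege exec level 7 show ip route
!
! Assumed RADIUS-side policy (not from the thread):
!   superuser       -> cisco-avpair = "shell:priv-lvl=15"
!   all other users -> cisco-avpair = "shell:priv-lvl=7"
```

Keep an already-authenticated privileged session open while applying AAA changes, so that a mistake in a method list does not lock out management access.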
