https://community.cisco.com/t5/network-access-control/multiple-shell-avpair-entries/m-p/1181758#M400438 <P>Is it possible to have muplitple Radius shell: AVPair entries for a single user/profile? I want to be able to use 'shell:priv-lvl=15' to manage our switches and 'shell:Admin=Admin default-domain' to manage our ACE's. What I am finding is that when I configure both I cannot get into our switches. Also is there a document that explains how cisco devices process the radius attributes? Thanks.</P> Sun, 10 Mar 2019 23:18:25 GMT jrbeining 2019-03-10T23:18:25Z https://community.cisco.com/t5/network-access-control/multiple-shell-avpair-entries/m-p/1181758#M400438 <P>Is it possible to have muplitple Radius shell: AVPair entries for a single user/profile? I want to be able to use 'shell:priv-lvl=15' to manage our switches and 'shell:Admin=Admin default-domain' to manage our ACE's. What I am finding is that when I configure both I cannot get into our switches. Also is there a document that explains how cisco devices process the radius attributes? Thanks.</P> Sun, 10 Mar 2019 23:18:25 GMT https://community.cisco.com/t5/network-access-control/multiple-shell-avpair-entries/m-p/1181758#M400438 jrbeining 2019-03-10T23:18:25Z https://community.cisco.com/t5/network-access-control/multiple-shell-avpair-entries/m-p/1181759#M400439 <HTML><HEAD></HEAD><BODY><P>From an ACS and purely RADIUS perspective - yes this fine.</P><P></P><P>As to what the switch does - anyone's guess as this stuff is rarely documented. I've trawled CCO many times to find which cisco-av-pairs exist let alone which devices support them.</P><P></P><P>If you can get some low level AAA debug off the switch you might find what its doing with the av-pairs.</P><P></P><P>Good luck! </P></BODY></HTML> Tue, 27 Jan 2009 20:56:34 GMT https://community.cisco.com/t5/network-access-control/multiple-shell-avpair-entries/m-p/1181759#M400439 darpotter 2009-01-27T20:56:34Z https://community.cisco.com/t5/network-access-control/multiple-shell-avpair-entries/m-p/1181760#M400440 <HTML><HEAD></HEAD><BODY><P>The switches were complaining about an unknown mandatory AV:</P><P></P><P>Jan 28 10:12:57.633 PST: AAA/AUTHOR/EXEC: received unknown mandatory AV: Admin=Admin default-domain</P><P></P><P>In order to resolve this I defined the AV as optional with a '*' instead of an '=':</P><P></P><P>shell:Admin*Admin default-domain</P><P></P><P>Thanks.</P><P></P><P>-Joshua</P></BODY></HTML> Wed, 28 Jan 2009 18:29:11 GMT https://community.cisco.com/t5/network-access-control/multiple-shell-avpair-entries/m-p/1181760#M400440 jrbeining 2009-01-28T18:29:11Z