https://community.cisco.com/t5/network-access-control/assigning-privilege-level-using-radius/m-p/647958#M422481 <P>I'm trying to assigned a privilege level on a Cisco router via Radius. I'm using the Cisco Secure ACS (Windows 2K).</P><P></P><P>I have set the privilege level to 15. But when I telnet to the router, I always get the router&gt; prompt instead of the router# prompt.</P><P></P><P>How can I configured the Radius/router so that when I get successfully authenticated, the router# prompt is shown.</P><P></P><P></P><P>I've configured the router as below:</P><P></P><P>aaa authentication login vtymethod group radius enable</P><P>aaa authorization exec vtymethod group radius local</P><P></P><P></P><P>radius-server host 202.x.x.195 auth-port 1645 acct-port 1646 key cisco</P><P></P><P>line vty 0 4</P><P> authorization exec vtymethod</P><P> login authentication vtymethod</P><P>!</P><P></P><P>On the Radius, I've configured as below:</P><P></P><P>In the group settings for IETF Radius attributes, the Service-Type is set to Nas Prompt.</P><P>Also in the group settings, I've checked the Cisco-av-pair with the following configured: shell:priv-lvl=15.</P><P></P><P>Is there something I'm missing.</P><P></P><P>Appreciate the help.</P><P></P><P>Thanks.</P><P>sweeann</P> Sun, 10 Mar 2019 21:50:16 GMT sweeann 2019-03-10T21:50:16Z https://community.cisco.com/t5/network-access-control/assigning-privilege-level-using-radius/m-p/647958#M422481 <P>I'm trying to assigned a privilege level on a Cisco router via Radius. I'm using the Cisco Secure ACS (Windows 2K).</P><P></P><P>I have set the privilege level to 15. But when I telnet to the router, I always get the router&gt; prompt instead of the router# prompt.</P><P></P><P>How can I configured the Radius/router so that when I get successfully authenticated, the router# prompt is shown.</P><P></P><P></P><P>I've configured the router as below:</P><P></P><P>aaa authentication login vtymethod group radius enable</P><P>aaa authorization exec vtymethod group radius local</P><P></P><P></P><P>radius-server host 202.x.x.195 auth-port 1645 acct-port 1646 key cisco</P><P></P><P>line vty 0 4</P><P> authorization exec vtymethod</P><P> login authentication vtymethod</P><P>!</P><P></P><P>On the Radius, I've configured as below:</P><P></P><P>In the group settings for IETF Radius attributes, the Service-Type is set to Nas Prompt.</P><P>Also in the group settings, I've checked the Cisco-av-pair with the following configured: shell:priv-lvl=15.</P><P></P><P>Is there something I'm missing.</P><P></P><P>Appreciate the help.</P><P></P><P>Thanks.</P><P>sweeann</P> Sun, 10 Mar 2019 21:50:16 GMT https://community.cisco.com/t5/network-access-control/assigning-privilege-level-using-radius/m-p/647958#M422481 sweeann 2019-03-10T21:50:16Z https://community.cisco.com/t5/network-access-control/assigning-privilege-level-using-radius/m-p/647959#M422483 <HTML><HEAD></HEAD><BODY><P>I believe adding the following line to your AAA configuration will allow a user authenticated through ACS to login directly to enabled mode:</P><P></P><P></P><P>aaa authorization exec vtymethod group radius if-authenticated</P><P></P><P></P><P>Hope this helps,</P><P></P><P>-d</P></BODY></HTML> Mon, 13 Nov 2006 19:29:26 GMT https://community.cisco.com/t5/network-access-control/assigning-privilege-level-using-radius/m-p/647959#M422483 dmholmes000 2006-11-13T19:29:26Z https://community.cisco.com/t5/network-access-control/assigning-privilege-level-using-radius/m-p/647960#M422484 <HTML><HEAD></HEAD><BODY><P>Tried the suggestion above but I'm still getting the router&gt; prompt instead of going directly to enable mode.</P><P></P><P>Thanks,</P><P>sweeann</P></BODY></HTML> Tue, 14 Nov 2006 01:21:13 GMT https://community.cisco.com/t5/network-access-control/assigning-privilege-level-using-radius/m-p/647960#M422484 sweeann 2006-11-14T01:21:13Z https://community.cisco.com/t5/network-access-control/assigning-privilege-level-using-radius/m-p/647961#M422485 <HTML><HEAD></HEAD><BODY><P>Just an update: </P><P>I've configured wrongly on the network configuration in the ACS. I've chosen Radius (IETF) instead of Radius (Cisco IOS/PIX). Once I changed it to Radius (Cisco IOS/PIX) I was able to assigned the privilege level.</P><P></P><P>Thanks all,</P><P>sweeann</P></BODY></HTML> Tue, 14 Nov 2006 02:52:17 GMT https://community.cisco.com/t5/network-access-control/assigning-privilege-level-using-radius/m-p/647961#M422485 sweeann 2006-11-14T02:52:17Z https://community.cisco.com/t5/network-access-control/assigning-privilege-level-using-radius/m-p/647962#M422486 <HTML><HEAD></HEAD><BODY><P>Hi</P><P></P><P>Im curious... what is the perceived benefit of using RADIUS instead of TACACS+ ?</P><P></P><P>Given that ACS supports both and that T+ is a superior protocol for device admin.</P><P></P><P>I once heard someone mutter that T+ was proprietry... but all they were doing was sending (effectively) T+ av-pairs via a Cisco RADIUS VSAs. Not significantly different one could argue!</P></BODY></HTML> Tue, 14 Nov 2006 10:39:20 GMT https://community.cisco.com/t5/network-access-control/assigning-privilege-level-using-radius/m-p/647962#M422486 darpotter 2006-11-14T10:39:20Z