topic Re: AAA & Radius in Network Access Control

AAA & Radius

87305 — Sun, 10 Mar 2019 21:34:25 GMT

In a lab, when I configure the following there is no issue logging into the switch using telnet/ssh:

aaa new-model

aaa authentication login default group radius

aaa authorization exec default group radius if-authenticated

aaa accounting exec default start-stop group radius

I have configured the following Cisco AV-pair on the AAA server:

shell:priv-lvl=15

When I login via telnet/ssh, there is no problem at all. However, when I login via console I do not get priv level? It authenticates me to user exec but no further.

If anyone has seen this I would greatly appreciate any help.

Thanks,

Re: AAA & Radius

a.kiprawih — Sat, 06 May 2006 08:30:59 GMT

Hi,

By right, with 'login default..', it should be applied to all interfaces, .e.g vty 0 4.

Anyway, maybe you can try to manually apply the 'login authentication default' under console (con 0), or create separate aaa authentication with different name and apply it to con 0.

Rgds,

Re: AAA & Radius

a.kiprawih — Sat, 06 May 2006 08:41:20 GMT

Got your point, will test it in my lab.. 🙂

Re: AAA & Radius

manish.gaur — Sat, 06 May 2006 09:07:41 GMT

Hii christ

try this command aaa authorization console

where u defined the av pair value in shell or in ietf radius Att.

Try one thing just mark the exec button and then in previll level define 15

Regards

Manish

Re: AAA & Radius

Richard Burts — Sat, 06 May 2006 13:45:19 GMT

Christopher

By default Cisco does the authorization on the vty and not on the console. It is intended that way to give you access to the device if you misconfigure aaa authorization and lock yourself out of the device (it is not unusual for that to happen in the early stages of learning how to configure aaa). If you want it to authorize on the console (and put users directly into privilege mode) the command aaa authorization console should work for you.

HTH

Rick

Re: AAA & Radius

a.kiprawih — Sat, 06 May 2006 14:01:21 GMT

Hi,

Tested by adding one line to console 0:

line con 0

privilege level 15

*Access authentication will still go through radius.

From the test, I can see that access via telnet & ssh will automatically give you the "#" (router#), but when you access it via console, your prvilege level is limited to "router>".

If you intend to manage your router, tacacs+ is probably best option to use (more control over commands). And also, you might consider to use local database as the last resort/option to authenticate access to router in case your AAA server unreachable/down.

Pls rate if you find this solution useful. Thanks.

Rgds,

Re: AAA & Radius

87305 — Sat, 06 May 2006 17:50:46 GMT

Gents,

Thank you all for the tremendous feedback, you have all been of a great help.

aaa authorization console worked as anticipated.

This was one of those unlisted IOS commands that drove me crazy.

Again thank you to everyone for all your help.

I have one last question.

Would anyone happen to know how to secure the web management (http secure server) in the same manor? I want to give users the ability to login to the web interface via radius.

I thought the command was aaa authorization websomething? But I can not remember?

Thanks again

Re: AAA & Radius

87305 — Sat, 06 May 2006 17:59:44 GMT

Thank you for your post.

I did test this and it does work.

However I would prefer to have AAA/Radius control this by doing it this way instead:

aaa authorization console

Again, thank you for your help,

Take care,

Re: AAA & Radius

Richard Burts — Sat, 06 May 2006 19:08:15 GMT

Christopher

I have not used this on a live router so can not speak from much experience. But I believe that you will find your solution in this command:

router_vpn(config)#ip http authentication aaa ?

command-authorization Set method list for command authorization

exec-authorization Set method list for exec authorization

I believe that it will set authentication for http secure server as well as the http server (though since I have not done it I can not say for sure).

HTH

Rick

Re: AAA & Radius

87305 — Mon, 08 May 2006 11:32:10 GMT

Thank you for the prompt response once again.

I have tried the following to no avail:

aaa authentication login abc group radius local

aaa authorization exec abc group radius if-authenticated local

ip http authentication aaa login-authentication abc

ip http authentication aaa exec-authorization abc

ip http authentication aaa command-authorization 15 abc

The following is not support in the IOS that I am running:

aaa authorization commands 15 abc group radius if-authenticated local

The only option for me is:

aaa authorization commands 15 abc group tacacs+ if-authenticated local

There must be a way to configure this. I will continue to research.

Thank you for your help again.

Take care,