https://community.cisco.com/t5/network-access-control/aaa-with-different-level-of-privileges-into-a-router-using/m-p/195307#M437820 <HTML><HEAD></HEAD><BODY><P>Thanks gfullage for your answer...</P><P></P><P>I've already tried the Service-Type=Login attribute but it doesn't work either. Here's the debug for the authorization part:</P><P></P><P>*Mar 5 18:20:22: tty130 AAA/AUTHOR/EXEC (3542376879): Port='tty130' list='' seC</P><P>*Mar 5 18:20:22: AAA/AUTHOR/EXEC: tty130 (3542376879) user='albertoff'</P><P>*Mar 5 18:20:22: tty130 AAA/AUTHOR/EXEC (3542376879): send AV service=shell</P><P>*Mar 5 18:20:22: tty130 AAA/AUTHOR/EXEC (3542376879): send AV cmd*</P><P>*Mar 5 18:20:22: tty130 AAA/AUTHOR/EXEC (3542376879): found list "default"</P><P>*Mar 5 18:20:22: tty130 AAA/AUTHOR/EXEC (3542376879): Method=radius (radius)</P><P>*Mar 5 18:20:22: RADIUS: Unknown service-type in shell-author: type=4</P><P>*Mar 5 18:20:22: RADIUS: cisco AVPair "shell:priv-lvl=15"</P><P>*Mar 5 18:20:22: RADIUS: no appropriate authorization type for user.</P><P>*Mar 5 18:20:22: AAA/AUTHOR (3542376879): Post authorization status = FAIL</P><P>*Mar 5 18:20:22: AAA/AUTHOR/EXEC: Authorization FAILED</P><P></P><P></P><P></P><P></P><P>The only difference I see from this to what I post on the first message is that the "Unknown service-type in shell-author" message appears before the "cisco AVPair "shell:priv-lvl=15"" message.</P><P></P><P>Now, when I try to login to the router it gives me an "Authorization Failed" message at the login prompt. I can only logon to it via console. </P><P></P><P></P><P>Thanks again for any suggestions, regards, af.</P></BODY></HTML> Mon, 01 Sep 2003 10:54:10 GMT albertoff 2003-09-01T10:54:10Z https://community.cisco.com/t5/network-access-control/aaa-with-different-level-of-privileges-into-a-router-using/m-p/195305#M437818 <P>Hello...</P><P></P><P>I'm trying to configure IAS Radius server to login users into a CISCO 3640 router. The idea is that different users login with different privileges... Some users with privilege 15. I've been checking the logs of the IAS server and it's working and authenticating users fine...</P><P></P><P>The aaa-related commands from the running-config of the router are shown below:</P><P></P><P>!</P><P>aaa new-model</P><P>aaa authentication login default group radius local</P><P>aaa authentication login if_needed local</P><P>aaa authorization exec default group radius if-authenticated</P><P>!</P><P>username admin privilege 15 password 0 xxxxxxxxx</P><P>!</P><P>(commands not shown)</P><P>!</P><P>radius-server host 10.1.2.47 auth-port 1645 acct-port 1646 radius-server retransmit 3 radius-server key 7 xxxxxxx</P><P>radius-server vsa send accounting</P><P>!</P><P>(commands not shown)</P><P>!</P><P>line con 0</P><P> privilege level 15</P><P> password 0 xxxxxxxxx</P><P> logging synchronous</P><P> login authentication if_needed</P><P>(I have a 15-level backdoor via console just in case)</P><P>!</P><P>!</P><P>!</P><P></P><P></P><P>When I remove the "aaa authorization exec" command users are authenticated and logged in the router with level-1 privileges. When I leave this command with the "shell:priv-lvl=15" attribute in the IAS server the authorization fails. The debug info is shown below:</P><P></P><P></P><P>*Mar 1 02:36:18: tty130 AAA/AUTHOR/EXEC (3895993257): Port='tty130' list='' service=EXEC</P><P>*Mar 1 02:36:18: AAA/AUTHOR/EXEC: tty130 (3895993257) user='albertoff'</P><P>*Mar 1 02:36:18: tty130 AAA/AUTHOR/EXEC (3895993257): send AV service=shell</P><P>*Mar 1 02:36:18: tty130 AAA/AUTHOR/EXEC (3895993257): send AV cmd*</P><P>*Mar 1 02:36:18: tty130 AAA/AUTHOR/EXEC (3895993257): found list "default"</P><P>*Mar 1 02:36:18: tty130 AAA/AUTHOR/EXEC (3895993257): Method=radius (radius)</P><P>*Mar 1 02:36:18: RADIUS: cisco AVPair "shell:priv-lvl=15"</P><P>*Mar 1 02:36:18: RADIUS: Unknown service-type in shell-author: type=4</P><P>*Mar 1 02:36:18: RADIUS: no appropriate authorization type for user.</P><P>*Mar 1 02:36:18: AAA/AUTHOR (3895993257): Post authorization status = FAIL</P><P>*Mar 1 02:36:18: AAA/AUTHOR/EXEC: Authorization FAILED</P><P></P><P></P><P></P><P>What do the "Unknown service-type in shell-author: type=4" and "no appropriate authorization type for user" stand for anyway?... </P><P></P><P>I don't know what's going on and my little experience with radius isn't helping either...</P><P></P><P>Any help would be more than welcome, thanks, af.</P> Sun, 10 Mar 2019 14:27:56 GMT https://community.cisco.com/t5/network-access-control/aaa-with-different-level-of-privileges-into-a-router-using/m-p/195305#M437818 albertoff 2019-03-10T14:27:56Z https://community.cisco.com/t5/network-access-control/aaa-with-different-level-of-privileges-into-a-router-using/m-p/195306#M437819 <HTML><HEAD></HEAD><BODY><P>Service-Type (Radius attribute number 6) should be set to Login (value 1) for exec sessions, so set this in the user profile also and you should be right.</P></BODY></HTML> Fri, 29 Aug 2003 02:37:23 GMT https://community.cisco.com/t5/network-access-control/aaa-with-different-level-of-privileges-into-a-router-using/m-p/195306#M437819 gfullage 2003-08-29T02:37:23Z https://community.cisco.com/t5/network-access-control/aaa-with-different-level-of-privileges-into-a-router-using/m-p/195307#M437820 <HTML><HEAD></HEAD><BODY><P>Thanks gfullage for your answer...</P><P></P><P>I've already tried the Service-Type=Login attribute but it doesn't work either. Here's the debug for the authorization part:</P><P></P><P>*Mar 5 18:20:22: tty130 AAA/AUTHOR/EXEC (3542376879): Port='tty130' list='' seC</P><P>*Mar 5 18:20:22: AAA/AUTHOR/EXEC: tty130 (3542376879) user='albertoff'</P><P>*Mar 5 18:20:22: tty130 AAA/AUTHOR/EXEC (3542376879): send AV service=shell</P><P>*Mar 5 18:20:22: tty130 AAA/AUTHOR/EXEC (3542376879): send AV cmd*</P><P>*Mar 5 18:20:22: tty130 AAA/AUTHOR/EXEC (3542376879): found list "default"</P><P>*Mar 5 18:20:22: tty130 AAA/AUTHOR/EXEC (3542376879): Method=radius (radius)</P><P>*Mar 5 18:20:22: RADIUS: Unknown service-type in shell-author: type=4</P><P>*Mar 5 18:20:22: RADIUS: cisco AVPair "shell:priv-lvl=15"</P><P>*Mar 5 18:20:22: RADIUS: no appropriate authorization type for user.</P><P>*Mar 5 18:20:22: AAA/AUTHOR (3542376879): Post authorization status = FAIL</P><P>*Mar 5 18:20:22: AAA/AUTHOR/EXEC: Authorization FAILED</P><P></P><P></P><P></P><P></P><P>The only difference I see from this to what I post on the first message is that the "Unknown service-type in shell-author" message appears before the "cisco AVPair "shell:priv-lvl=15"" message.</P><P></P><P>Now, when I try to login to the router it gives me an "Authorization Failed" message at the login prompt. I can only logon to it via console. </P><P></P><P></P><P>Thanks again for any suggestions, regards, af.</P></BODY></HTML> Mon, 01 Sep 2003 10:54:10 GMT https://community.cisco.com/t5/network-access-control/aaa-with-different-level-of-privileges-into-a-router-using/m-p/195307#M437820 albertoff 2003-09-01T10:54:10Z https://community.cisco.com/t5/network-access-control/aaa-with-different-level-of-privileges-into-a-router-using/m-p/195308#M437821 <HTML><HEAD></HEAD><BODY><P>This debug output:</P><P><B></B></P><P>*Mar 5 18:20:22: RADIUS: Unknown service-type in shell-author: type=4 </P><P></P><P>seems to indicate that Service-Type is set to 4, not 1 (Login). Can you cut/paste the user attributes you have in the IAS server so I can have a look at them.</P></BODY></HTML> Mon, 01 Sep 2003 22:13:47 GMT https://community.cisco.com/t5/network-access-control/aaa-with-different-level-of-privileges-into-a-router-using/m-p/195308#M437821 gfullage 2003-09-01T22:13:47Z