topic Re: 9800-cl login with radius - shell:priv-lvl=15 in Wireless

9800-cl login with radius - shell:priv-lvl=15

robbyde0100 — Mon, 08 Jan 2024 17:08:49 GMT

Hello,

I've setup radius for admins to logon to our 9800 (with ISE) but when I logon to the web admin portal I cant see any admin options. Just Monitoring and Dashboard.

CLI seems fine.

This is whats setup on the 9800:

aaa new-model aaa group server radius ISE server name ise-1 server name ise-2 aaa authentication login default local aaa authentication login radius-authe-method group ISE local aaa authentication dot1x ISE group ISE aaa authorization exec default local aaa authorization exec radius-autho-method group ISE radius server ise-1 address ipv4 10.52.7.106 auth-port 1812 acct-port 1813 key password ! radius server ise-2 address ipv4 10.52.7.104 auth-port 1812 acct-port 1813 key password line con 0 logging synchronous stopbits 1 line vty 0 4 authorization exec radius-autho-method login authentication radius-authe-method transport input ssh line vty 5 15 authorization exec radius-autho-method login authentication radius-authe-method transport input ssh line vty 16 50 transport input ssh ip http authentication aaa login-authentication radius-authe-method ip http authentication aaa exec-authorization radius-autho-method

ISE has this on the profile:

Access Type = ACCESS_ACCEPT
cisco-av-pair = shell:priv-lvl=15

Re: 9800-cl login with radius - shell:priv-lvl=15

Ruben Cocheno — Mon, 08 Jan 2024 17:29:19 GMT

@robbyde0100

That config looks ok to me, do you want to try to remove the following lines? you have already VTY covered so shouldn't be a problem.

aaa authentication login default local
aaa authorization exec default local

Re: 9800-cl login with radius - shell:priv-lvl=15

robbyde0100 — Mon, 08 Jan 2024 17:38:12 GMT

Thanks for getting back to me, I did

no aaa authentication login default local
no aaa authorization exec default local

Then logged on but had the same

I do see this on the console:

Re: 9800-cl login with radius - shell:priv-lvl=15

MHM Cisco World — Mon, 08 Jan 2024 17:50:35 GMT

show user
check the user appear in which VTY line

also can you confirm that that you access WLC via ISE user or access WLC via Local user
I know it hard if you use same username in both ISE and local but you can add privilege 15 to local username and hence you can full access to WLC if you use ISE or local.
MHM

Re: 9800-cl login with radius - shell:priv-lvl=15

MHM Cisco World — Mon, 08 Jan 2024 18:01:56 GMT

aaa authorization exec radius-autho-method group ISE LOCAL

you need also to add LOCAL to end of authz

MHM

Re: 9800-cl login with radius - shell:priv-lvl=15

robbyde0100 — Mon, 08 Jan 2024 18:10:05 GMT

Hi,

Thanks for the help.

I cant logon with the local 9800 admin account anymore.

Show users shows

9800#sh users
Line User Host(s) Idle Location
* 1 vty 0 robd idle 00:00:00 laptop.domain.com

I'm using domain auth so using my domain admin to logon to ise which is ok, shows a successful auth in ISE.

Is there config missing here for http:

line vty 0 4 authorization exec radius-autho-method login authentication radius-authe-method transport input ssh

Re: 9800-cl login with radius - shell:priv-lvl=15

MHM Cisco World — Mon, 08 Jan 2024 18:27:17 GMT

I dislike deal with authc and authz of Cisco
so you still can access to WLC ? via VTY SSH ?
MHM

Re: 9800-cl login with radius - shell:priv-lvl=15

Mark Elsen — Mon, 08 Jan 2024 18:30:24 GMT

- Not related to your original post but regarding to the console message :
%SYS-5-CONFIG_P: Configured programmatically by process SE_webui_wsma_http from console as ...

Take care and note : https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-webui-cmdij-FzZAeXAy
https://bst.cloudapps.cisco.com/bugsearch/bug/CSCwe12578

Re: 9800-cl login with radius - shell:priv-lvl=15

robbyde0100 — Mon, 08 Jan 2024 18:41:53 GMT

I can logon via ssh with my domain account and get to config.

Just the web gui that doesn't work. I could log a tac.

Re: 9800-cl login with radius - shell:priv-lvl=15

MHM Cisco World — Mon, 08 Jan 2024 19:07:31 GMT

debug radius

can you check by debug if radius return the AV priv 15 or not ?
MHM

Re: 9800-cl login with radius - shell:priv-lvl=15

robbyde0100 — Tue, 09 Jan 2024 08:51:14 GMT

Hi All,

Its fixed!!

So in ISE there are two options that look the same:

This one doesnt work (guest should have given it away):

This one does work:

Re: 9800-cl login with radius - shell:priv-lvl=15

MHM Cisco World — Tue, 09 Jan 2024 09:58:01 GMT

thanks a lot for update us
glad the issue solved
have a nice day
MHM

Re: 9800-cl login with radius - shell:priv-lvl=15

robbyde0100 — Tue, 09 Jan 2024 10:53:47 GMT

Thanks for all your help, really appreciate it.