aaa radius server control privilege level

kceleslie
Level 1

I've got RADIUS authentication working on my switch, but I'm trying to allow two types of users to log in using Windows Active Directory: NetworkUsers, who can view configuration, and NetworkAdmins, who can do anything. I would like NetworkAdmins to go directly into privilege level 15 when they log in, but I can't get that part to work. Here is my setup:

Windows 2008 R2 Domain controller with NPS installed.

RADIUS client: I have the IP of the switch along with the key. I have Cisco selected under the vendor name in the Advanced tab.

Network Policies:

NetworkAdmins, which has the networkadmin group under Conditions. Under Settings I have nothing listed under Standard, and for Vendor Specific I have:

Cisco-AV-Pair    Cisco    shell:priv-lvl=15

 

My switch config:

aaa new-model
!
!
aaa group server radius MTFAAA
 server name dc-01
 server name dc-02
!
aaa authentication login NetworkAdmins group MTFAAA local
aaa authorization exec NetworkAdmins group MTFAAA local

 

radius server dc-01
 address ipv4 10.0.1.10 auth-port 1645 acct-port 1646
 key 7 ******
!
radius server dc-02
 address ipv4 10.0.1.11 auth-port 1645 acct-port 1646
 key 7 ******
!

No matter what I do, it doesn't default to privilege level 15 when I log in. Any thoughts?

Accepted Solutions

jpl861
Level 4
Have you specified the authorization exec group under line vty? I think it is authorization exec command. Something like that.
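
An offline check for the situation discussed in this thread, added here as an example (not code from either poster or from Cisco): it scans an IOS configuration for named AAA method lists that are defined globally but not bound to a VTY line, in which case that line falls back to the default list. The line vty block in the sample is an assumption, since the post does not show it, and unapplied_lists and line_blocks are hypothetical helper names.

```python
import re

# Constructed sample: the AAA lines are the ones posted above; the "line vty"
# block is an assumption, since the post does not show the line configuration.
POSTED = """\
aaa new-model
aaa group server radius MTFAAA
 server name dc-01
 server name dc-02
aaa authentication login NetworkAdmins group MTFAAA local
aaa authorization exec NetworkAdmins group MTFAAA local
line vty 0 4
 transport input ssh
"""

# Global method-list definition -> line-mode command that binds it to a line.
DEFINE = re.compile(r"^aaa (authentication login|authorization exec) (\S+)")
APPLY = {"authentication login": "login authentication",
         "authorization exec": "authorization exec"}

def line_blocks(config):
    """Map each 'line ...' header to the sub-commands indented beneath it."""
    blocks, current = {}, None
    for raw in config.splitlines():
        if raw.startswith("line "):
            current = blocks.setdefault(raw.strip(), [])
        elif raw.startswith(" ") and current is not None:
            current.append(raw.strip())
        else:
            current = None  # any other global command ends the line block
    return blocks

def unapplied_lists(config, line_prefix="line vty"):
    """Return (line header, missing command) for named lists no line binds."""
    matches = (DEFINE.match(l) for l in config.splitlines())
    named = [m.groups() for m in matches if m and m.group(2) != "default"]
    findings = []
    for header, cmds in line_blocks(config).items():
        if not header.startswith(line_prefix):
            continue
        for kind, name in named:
            # A line with no binding of this kind uses the "default" list.
            if not any(c.startswith(APPLY[kind] + " ") for c in cmds):
                findings.append((header, f"{APPLY[kind]} {name}"))
    return findings

if __name__ == "__main__":
    for header, cmd in unapplied_lists(POSTED):
        print(f"{header}: missing '{cmd}'")
```
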