AAA & Radius

87305
Level 1

In a lab, when I configure the following there is no issue logging into the switch using telnet/ssh:

aaa new-model

aaa authentication login default group radius

aaa authorization exec default group radius if-authenticated

aaa accounting exec default start-stop group radius

I have configured the following Cisco AV-pair on the AAA server:

shell:priv-lvl=15

When I log in via telnet/ssh, there is no problem at all. However, when I log in via console I do not get the privilege level. It authenticates me to user exec but no further.

If anyone has seen this, I would greatly appreciate any help.

Thanks,
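The `shell:priv-lvl=15` pair mentioned above reaches the switch inside a RADIUS Vendor-Specific attribute (RFC 2865 type 26, Cisco enterprise number 9, vendor-type 1 "cisco-avpair"). The following is an added example, not code from the thread or from Cisco: it encodes that attribute the way a RADIUS server would put it in an Access-Accept, and parses an attribute section back out with length checks, which is what you want when reading a packet capture to confirm the server really sent the pair. The function names, the constructed sample packet and the Service-Type attribute in it are mine.

```python
import struct
from typing import List, Optional, Tuple

# RFC 2865 attribute type for Vendor-Specific, Cisco's IANA enterprise number,
# and the vendor-type Cisco uses for the free-form "cisco-avpair" string.
VENDOR_SPECIFIC = 26
CISCO_VENDOR_ID = 9
CISCO_AVPAIR = 1


def encode_cisco_avpair(avpair: str) -> bytes:
    """Build one Vendor-Specific attribute carrying a cisco-avpair string,
    e.g. the shell:priv-lvl=15 pair discussed in the thread."""
    value = avpair.encode("ascii")
    # vendor-type, vendor-length (covers itself), then the string
    vendor_data = struct.pack("!BB", CISCO_AVPAIR, 2 + len(value)) + value
    body = struct.pack("!I", CISCO_VENDOR_ID) + vendor_data
    # attribute type, attribute length (covers itself), then the body
    return struct.pack("!BB", VENDOR_SPECIFIC, 2 + len(body)) + body


def parse_attributes(blob: bytes) -> List[Tuple[int, bytes]]:
    """Split a RADIUS attribute section into (type, value) pairs.
    Length fields are checked so a truncated or malformed packet raises
    instead of being silently misread."""
    attrs = []
    i = 0
    while i < len(blob):
        if len(blob) - i < 2:
            raise ValueError("truncated attribute header")
        atype, alen = blob[i], blob[i + 1]
        if alen < 2 or i + alen > len(blob):
            raise ValueError("attribute length out of range")
        attrs.append((atype, blob[i + 2:i + alen]))
        i += alen
    return attrs


def cisco_avpairs(blob: bytes) -> List[str]:
    """Return every cisco-avpair string in the attribute section,
    skipping Vendor-Specific attributes that belong to other vendors."""
    pairs = []
    for atype, value in parse_attributes(blob):
        if atype != VENDOR_SPECIFIC or len(value) < 4:
            continue
        if struct.unpack("!I", value[:4])[0] != CISCO_VENDOR_ID:
            continue
        sub, j = value[4:], 0
        while j < len(sub):
            if len(sub) - j < 2:
                raise ValueError("truncated vendor sub-attribute")
            vtype, vlen = sub[j], sub[j + 1]
            if vlen < 2 or j + vlen > len(sub):
                raise ValueError("vendor sub-attribute length out of range")
            if vtype == CISCO_AVPAIR:
                pairs.append(sub[j + 2:j + vlen].decode("ascii", "replace"))
            j += vlen
    return pairs


def granted_priv_level(blob: bytes) -> Optional[int]:
    """Privilege level carried by a shell:priv-lvl pair, or None if absent
    or outside the IOS range 0-15. Cisco writes mandatory pairs with '='
    and optional ones with '*', so both separators are accepted."""
    for pair in cisco_avpairs(blob):
        for sep in ("=", "*"):
            prefix = "shell:priv-lvl" + sep
            if pair.startswith(prefix):
                try:
                    level = int(pair[len(prefix):])
                except ValueError:
                    return None
                return level if 0 <= level <= 15 else None
    return None


if __name__ == "__main__":
    # Constructed sample: Service-Type=Login(1) followed by the Cisco VSA.
    sample = struct.pack("!BBI", 6, 6, 1) + encode_cisco_avpair("shell:priv-lvl=15")
    print(cisco_avpairs(sample), granted_priv_level(sample))
```

To check a real Access-Accept, feed the bytes after the 20-byte RADIUS header (code, identifier, length, authenticator) to `granted_priv_level`; if it returns None, the server is not sending the pair and no amount of switch-side `aaa authorization` configuration will raise the level.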

2 Accepted Solutions

manish.gaur
Level 1

Hi Chris,

Try this command: aaa authorization console

Where did you define the AV pair value, in shell or in the IETF RADIUS attribute?

Try one thing: just mark the exec button and then in privilege level define 15.

Regards

Manish

Christopher

By default Cisco does the authorization on the vty and not on the console. It is intended that way to give you access to the device if you misconfigure aaa authorization and lock yourself out of the device (it is not unusual for that to happen in the early stages of learning how to configure aaa). If you want it to authorize on the console (and put users directly into privilege mode) the command aaa authorization console should work for you.

HTH

Rick

9 Replies

a.kiprawih
Level 7

Hi,

By right, with 'login default...', it should be applied to all interfaces, e.g. vty 0 4.

Anyway, maybe you can try to manually apply the 'login authentication default' under console (con 0), or create a separate aaa authentication with a different name and apply it to con 0.

Rgds,

AK

Got your point, will test it in my lab.. :)


Gents,

Thank you all for the tremendous feedback, you have all been of a great help.

aaa authorization console worked as anticipated.

This was one of those unlisted IOS commands that drove me crazy.

Again thank you to everyone for all your help.

I have one last question.

Would anyone happen to know how to secure the web management (http secure server) in the same manner? I want to give users the ability to log in to the web interface via radius.

I thought the command was aaa authorization websomething? But I cannot remember.

Thanks again,

Christopher

I have not used this on a live router so I cannot speak from much experience. But I believe that you will find your solution in this command:

router_vpn(config)#ip http authentication aaa ?

command-authorization Set method list for command authorization

exec-authorization Set method list for exec authorization

login-authentication Set method list for login authentication

I believe that it will set authentication for the http secure server as well as the http server (though since I have not done it I cannot say for sure).

HTH

Rick

Thank you for the prompt response once again.

I have tried the following to no avail:

aaa authentication login abc group radius local

aaa authorization exec abc group radius if-authenticated local

ip http authentication aaa login-authentication abc

ip http authentication aaa exec-authorization abc

ip http authentication aaa command-authorization 15 abc

The following is not supported in the IOS that I am running:

aaa authorization commands 15 abc group radius if-authenticated local

The only option for me is:

aaa authorization commands 15 abc group tacacs+ if-authenticated local

There must be a way to configure this. I will continue to research.

Thank you for your help again.

Take care,

a.kiprawih
Level 7

Hi,

Tested by adding one line to console 0:

line con 0

privilege level 15

*Access authentication will still go through radius.

From the test, I can see that access via telnet & ssh will automatically give you the "#" (router#), but when you access it via console, your privilege level is limited to "router>".

If you intend to manage your router, tacacs+ is probably the best option to use (more control over commands). Also, you might consider using the local database as the last resort/option to authenticate access to the router in case your AAA server is unreachable/down.

Please rate if you find this solution useful. Thanks.

Rgds,

AK

Thank you for your post.

I did test this and it does work.

However I would prefer to have AAA/Radius control this by doing it this way instead:

aaa authorization console

Again, thank you for your help,

Take care,