05-05-2006 07:04 PM - edited 03-10-2019 02:34 PM
In a lab, when I configure the following there is no issue logging into the switch using telnet/ssh:
aaa new-model
aaa authentication login default group radius
aaa authorization exec default group radius if-authenticated
aaa accounting exec default start-stop group radius
I have configured the following Cisco AV-pair on the AAA server:
shell:priv-lvl=15
When I login via telnet/ssh, there is no problem at all. However, when I login via console I do not get priv level? It authenticates me to user exec but no further.
If anyone has seen this I would greatly appreciate any help.
Thanks,
Solved! Go to Solution.
05-06-2006 02:07 AM
Hii christ
try this command aaa authorization console
where u defined the av pair value in shell or in ietf radius Att.
Try one thing just mark the exec button and then in previll level define 15
Regards
Manish
05-06-2006 06:45 AM
Christopher
By default Cisco does the authorization on the vty and not on the console. It is intended that way to give you access to the device if you misconfigure aaa authorization and lock yourself out of the device (it is not unusual for that to happen in the early stages of learning how to configure aaa). If you want it to authorize on the console (and put users directly into privilege mode) the command aaa authorization console should work for you.
HTH
Rick
05-06-2006 01:30 AM
Hi,
By right, with 'login default..', it should be applied to all interfaces, .e.g vty 0 4.
Anyway, maybe you can try to manually apply the 'login authentication default' under console (con 0), or create separate aaa authentication with different name and apply it to con 0.
Rgds,
AK
05-06-2006 01:41 AM
Got your point, will test it in my lab.. :)
05-06-2006 02:07 AM
Hii christ
try this command aaa authorization console
where u defined the av pair value in shell or in ietf radius Att.
Try one thing just mark the exec button and then in previll level define 15
Regards
Manish
05-06-2006 06:45 AM
Christopher
By default Cisco does the authorization on the vty and not on the console. It is intended that way to give you access to the device if you misconfigure aaa authorization and lock yourself out of the device (it is not unusual for that to happen in the early stages of learning how to configure aaa). If you want it to authorize on the console (and put users directly into privilege mode) the command aaa authorization console should work for you.
HTH
Rick
05-06-2006 10:50 AM
Gents,
Thank you all for the tremendous feedback, you have all been of a great help.
aaa authorization console worked as anticipated.
This was one of those unlisted IOS commands that drove me crazy.
Again thank you to everyone for all your help.
I have one last question.
Would anyone happen to know how to secure the web management (http secure server) in the same manor? I want to give users the ability to login to the web interface via radius.
I thought the command was aaa authorization websomething? But I can not remember?
Thanks again
,
05-06-2006 12:08 PM
Christopher
I have not used this on a live router so can not speak from much experience. But I believe that you will find your solution in this command:
router_vpn(config)#ip http authentication aaa ?
command-authorization Set method list for command authorization
exec-authorization Set method list for exec authorization
login-authentication Set method list for login authentication
I believe that it will set authentication for http secure server as well as the http server (though since I have not done it I can not say for sure).
HTH
Rick
05-08-2006 04:32 AM
Thank you for the prompt response once again.
I have tried the following to no avail:
aaa authentication login abc group radius local
aaa authorization exec abc group radius if-authenticated local
ip http authentication aaa login-authentication abc
ip http authentication aaa exec-authorization abc
ip http authentication aaa command-authorization 15 abc
The following is not support in the IOS that I am running:
aaa authorization commands 15 abc group radius if-authenticated local
The only option for me is:
aaa authorization commands 15 abc group tacacs+ if-authenticated local
There must be a way to configure this. I will continue to research.
Thank you for your help again.
Take care,
05-06-2006 07:01 AM
Hi,
Tested by adding one line to console 0:
line con 0
privilege level 15
*Access authentication will still go through radius.
From the test, I can see that access via telnet & ssh will automatically give you the "#" (router#), but when you access it via console, your prvilege level is limited to "router>".
If you intend to manage your router, tacacs+ is probably best option to use (more control over commands). And also, you might consider to use local database as the last resort/option to authenticate access to router in case your AAA server unreachable/down.
Pls rate if you find this solution useful. Thanks.
Rgds,
AK
05-06-2006 10:59 AM
Thank you for your post.
I did test this and it does work.
However I would prefer to have AAA/Radius control this by doing it this way instead:
aaa authorization console
Again, thank you for your help,
Take care,
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide