Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
612
Views
0
Helpful
0
Replies

Cisco AAA authentication with windows radius server

nreynolds2240
Level 1
Level 1

‎01-21-2015 06:44 AM - edited ‎03-10-2019 10:22 PM

Cisco - Windows Radius problems


I need to created a limited access group through radius that I can have new network analysts log into
and not be able to commit changes or get into global config.

Here are my current radius settings

aaa new-model
!
!
aaa group server radius IAS
 server name something.corp
!
aaa authentication login USERS local group IAS
aaa authorization exec USERS local group IAS
!
radius server something.corp
 address ipv4 1.1.1.1 auth-port 1812 acct-port 1813
 key mypassword
!
line vty 0 4
 access-class 1 in
 exec-timeout 0 0
 authorization exec USERS
 logging synchronous
 login authentication USERS
 transport input ssh

 

When I log in to the switch, the radius server is passing the corrrect attriubute
***Jan 21 13:59:51.897: RADIUS:   Cisco AVpair       [1]   18  "shell:priv-lvl=7"


The switch is accepting it and putting you in the correct priv level.
***Radius-Test#sh priv
   Current privilege level is 7


I am not sure why it logs you in with the prompt for  privileged EXEC mode when
you are in priv level 7. This shows that even though it looks like your in priv exec
mode, you are not.
***Radius-Test#sh run
                ^
   % Invalid input detected at '^' marker.

   Radius-Test#


Now this is where I am very lost.
I am in priv level 7, but as soon as I use the enable command It moves me up to 15, and that gives me access to
global config mode.
***Radius-Test#enable
   Radius-Test#

Debug log -
Jan 21 14:06:28.689: AAA/MEMORY: free_user (0x2B46E268) user='reynni10'
ruser='NULL' port='tty390' rem_addr='10.100.158.83' authen_type=ASCII service=ENABLE priv=15 vrf= (id=0)


Now it doesnt matter that I was given priv level 7 by radius because 'enable' put me into priv 15
***Radius-Test#sh priv
   Current privilege level is 15
   Radius-Test#


I have tried to set
***privilege exec level 15 enable

It works and I am no longer able to use 'enable' when I am at prv level 7, but I also cannot get the commands they will need to work.
Even if I try to do
***privilege exec level 7 show running-config (or other variations)

It will allow you to type sh run without errors, but it doest actually run the command.

What am I doing wrong?
I also want to get PKI working with radius.

 

Labels:
0 Helpful
0 Replies 0
Customers Also Viewed These Support Documents