Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1351
Views
0
Helpful
4
Replies

IAS/AAA Radius - priv levels

will.alvord
Level 5
Level 5

‎02-09-2009 02:35 PM - edited ‎03-10-2019 04:19 PM

I've got AAA radius authentication setup with IAS in lab, but I haven't been able to nail down the priv levels. I've got 2 remote access policies matching windows-groups & client-ip of the router in question. In both policies, I have service-type with value login and vendor-specific Cisco with value of shell:priv-lvl=7 for the 1st and shell:priv-lvl=15 for the 2nd. The policies are ordered that way (7 for the 1st, and 15 for the 2nd). I authenticate fine for test users in the group assigned to the 1st as well as the 2nd. However, I end up in exec mode. When I enter privileged mode for both, a sh priv tells me that I'm in priv 15.

How do I go about restricting access?

thanks,

Will

Labels:
0 Helpful
4 Replies 4

will.alvord
Level 5
Level 5

‎02-10-2009 08:35 AM

Basically, I want to be able to have 2 users - 1 with priv 7 and 1 with priv 15.

In IOS, I could do that with the following:

username user7 privilege 7 secret cisco7

username user15 privilege 15 secret cisco15

I've got basic IAS Radius authentication working but no matter what privilege level I specify in the 'shell:priv-lvl=x' vendor specific attribute, that user elevates to priv 15 when entering enable.

Any ideas?

thanks,

Will

0 Helpful

will.alvord
Level 5
Level 5

‎02-10-2009 01:55 PM

Nevermind. Figured it out.

0 Helpful

hunnetvl01
Level 1
Level 1
In response to will.alvord

‎02-14-2009 06:28 AM

Hi ,

I have and IAS server but I can t get it to work with the 4506, actually it does not work with any device.

The strange fact is that seems to be working fine as my AD gets locked out after the 3rd failed attempt.

Can I have a short look at your policies confguration?

Thanks,

Vlad

0 Helpful

will.alvord
Level 5
Level 5
In response to hunnetvl01

‎02-17-2009 07:17 AM

Sure thing. I haven't finalized the catos or pix/asa configs for this yet, but maybe you can help me out with that.

I have a need to limit access on a per device, per person basis, so I have 1 policy per access level and per device.

So, for priv 7 access to a router I have the following policy:

* policy conditions: windows group AND client-IP-Address matches [IP]

* Grant remote access

* Authentication tab - only unencrypted (pap, spap)

* Advanced tab - service-type = nas prompt, vendor-specific = shell:priv-lvl=7, reply-message for testing but may remove it.

Please note that the service-type attribute doesn't appear to matter. I've changed it as some writeups say to use login, while others say to use nas prompt. Either works, but I haven't tried removing it altogether. Also, the shell:priv-lvl=x string can be either a vendor-specific attribute or a Cisco-AV-Pair.

For the radius clients, I've tried both 'RADIUS Standard' as well as 'Cisco' and they both work fine.

If that doesn't fix it for you, try the aaa and radius debugs and check the IAS logs.

Hope that helps, and when you get it working could you please post your asa AAA configs?

thanks,

Will

0 Helpful
Customers Also Viewed These Support Documents