Solved: Microsoft IAS 2003 login authentication issues

sloov187 · ‎09-14-2008

I have searched and searched for an answer to this, but noghting seems to be working. I have IAS authenticating users for login authentication on a 1230ag AP and a 2950 switch using Active Directory for the user database. I have it working just fine except for the fact that I can't get the device and IAS to send the user directly to enable mode even after adding the "shell:priv-lvl=15" vendor attribute to the access policy. Will someone post the steps that have worked for them that allows AAA login authentication with local users database for a backup? Any help would be much appreciated. I should add that it only allows me level 1 access on the console, telnet, and web interface (on the AP) and I did a debug on the AAA process and though I didn't copy it to a txt file it looked as though the "shell:priv-lvl=15" was reaching the AP and the switch. Thanks.

Premdeep Banga · ‎09-18-2008

I get it, you have "Permanent" list applied on the device.

Add following command. If you make some changes in your configuration. I request you to also provide the configuration changes.

add the commands,

username privilege 15 password

radius-server host key

aaa authentication login default group radius local

aaa authorization exec default group radius local

line vty 0 4 or line vty 0 15

login authentication default

authorization exec default

Regards,

Prem

Please rate if it helps!

View solution in original post

Premdeep Banga · ‎09-19-2008

ip http server

ip http authentication aaa

Should take care of it.

View solution in original post

Premdeep Banga · ‎09-22-2008

aaa authentication login CON local

line con 0

login authentication CON

privilege level 15

Regards,

Prem

Please rate if it helps!

View solution in original post

Premdeep Banga · ‎09-15-2008

Make sure you have following commands on switch/AP

username privilege 15 password

radius-server host key

aaa authentication login default group radius local

aaa authorization exec default group radius local

On you IAS server,

Choose the Service Type as Administrative. (Under Advanced Tab for a Radius Access Policy)

Regards,

Prem

Please rate if it helps!

sloov187 · ‎09-15-2008

So instead of using the Service Type of Login I need to use the Service Type of Administrative? Do I still need to have the Cisco VA of "shell:priv-lvl=15" in the access policy? Also do I leave all of the RADIUS types in IAS set to Cisco or Radius Standard?

Thanks

Premdeep Banga · ‎09-16-2008

Have you tried this yet ?

You need Service type administrative. You can use cisco av pair to later on pass the custom/required privilege level, else it will automatically get privilege level 15.

Regards,

Prem

Please rate if it helps!

sloov187 · ‎09-17-2008

After following your directions the following attached documents on the AAA debug and the telnet screen are what I get. Basically it looks like by using this method my request doesn't even reach the IAS sever even though I know I have the IP and the shared secret in properly.

Premdeep Banga · ‎09-17-2008

"debug aaa authentication" wont help.

You need to get "debug radius"

Regards,

Prem

Premdeep Banga · ‎09-17-2008

Also as you are using authorization.

debug aaa authentication

debug aaa authorization

debug radius

Regards,

Prem

sloov187 · ‎09-17-2008

Yes I did run a debug on all three and that was the output.

Premdeep Banga · ‎09-18-2008

I get it, you have "Permanent" list applied on the device.

Add following command. If you make some changes in your configuration. I request you to also provide the configuration changes.

add the commands,

username privilege 15 password

radius-server host key

aaa authentication login default group radius local

aaa authorization exec default group radius local

line vty 0 4 or line vty 0 15

login authentication default

authorization exec default

Regards,

Prem

Please rate if it helps!

sloov187 · ‎09-19-2008

Thanks Prem! That works perfectly. When I was trying it before I forgot to put the "authorization exec default" command in. Three more questions for you:

1. Using this method does it default back to the local list if the RADIUS server is unavailable?

2. How do I apply these same rules to the HTTP web interface?

3. What commands do I use if I want to set up a user group that I want to give a privilege level of something other than 15 to?

Thanks again!

Premdeep Banga · ‎09-19-2008

1. Using this method does it default back to the local list if the RADIUS server is unavailable?

Answer: Yes, using the local username/password configured on the device.

2. How do I apply these same rules to the HTTP web interface?

Answer :

ip http server

ip http authentication aaa

3. What commands do I use if I want to set up a user group that I want to give a privilege level of something other than 15 to?

Answer :

[Edit]Using cisco-av-pair i.e. shell:priv-lvl=n;

Where , n is the privilege level.

Regards,

Prem

Please rate if it helps!

sloov187 · ‎09-19-2008

Do I leave the service type as Administrative for the different privilege levels or do I change it back to Login?

Premdeep Banga · ‎09-19-2008

Leave it to administrative

sloov187 · ‎09-19-2008

Thanks for your help it has been much appreciated. I'll rate this post.

sloov187 · ‎09-19-2008

Oops one more thing. How do I set it up to authenticate users in SDM?