03-31-2016 06:46 PM - edited 03-10-2019 11:37 PM
I have what I consider to be an issue. I'm running OpenLDAP integrated with FreeRADIUS and I have a NetworkAdmins group configured. I want this group to have full priv15, and the users should drop into enable mode upon their initial successful login. I've added the below to the /etc/raddb/users file, but for some reason it still asks for an enable password.
Service-Type = NAS-Prompt-User,
cisco-avpair :="shell:priv-lvl=15"
I have it working to where the user can authenticate into enable/exec mode, but that only works when I create a user "$enab15$" with a password. It appears that when you type enable on the Cisco it sends another authentication request to FreeRADIUS with that name.
My goal is to have two LDAP groups
1. NetworkAdmins - privilege level 15
2. NetworkOperators - privilege level 1
There has to be a way to do this.
Any suggestions?
04-01-2016 04:42 AM
Can you show us the AAA configuration on your router? I suspect you're missing exec authorization.
Javier Henderson
Cisco Systems
04-01-2016 08:06 AM
I do have that command...and I figured out what the issue was. Here it is....
I had to do the following in the /etc/raddb/users file:

DEFAULT Ldap-Group == "NetworkAdmins"      # this is your LDAP group to be allowed
        Service-Type = NAS-Prompt-User,
        cisco-avpair = "shell:priv-lvl=15"

(Check items in the users file compare with "==". The original post had ":=" here, which in the users file is "set and always match" rather than a comparison, and "Server-Type = NAS-Prompt-Users" for the reply attribute, which is "Service-Type = NAS-Prompt-User".)
From here I'm going to add another LDAP group with level 1 and see if I can get that to work.
Thanks for your response!
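The two-group setup described in this thread, written out end to end as an added example (this is not configuration from the original posters). It assumes a FreeRADIUS 2.x/3.x server whose rlm_ldap instance is loaded in the authorize section (so the Ldap-Group check item is available), the standard Cisco dictionary (Cisco-AVPair), and an IOS device at a hypothetical address; the server IP 192.0.2.10 and the shared secret placeholder are assumptions. The first part is the FreeRADIUS users file, the second is the NAS side, where "aaa authorization exec" is what makes the router honor shell:priv-lvl instead of prompting for an enable password.

```text
# ---- FreeRADIUS: /etc/raddb/users (v2) or mods-config/files/authorize (v3) ----
# Entries are evaluated top to bottom; the first matching entry wins unless it
# sets Fall-Through = Yes. Check items (same line as DEFAULT) use "==";
# reply items (indented lines) use "=".

# Full privilege: land directly in privileged EXEC after login.
DEFAULT Ldap-Group == "NetworkAdmins"
        Service-Type = NAS-Prompt-User,
        Cisco-AVPair = "shell:priv-lvl=15"

# Read-only operators: user EXEC only (priv 1).
DEFAULT Ldap-Group == "NetworkOperators"
        Service-Type = NAS-Prompt-User,
        Cisco-AVPair = "shell:priv-lvl=1"

# Anyone who authenticated against LDAP but is in neither group is refused
# device access instead of silently getting the IOS default privilege level.
DEFAULT Auth-Type := Reject
        Reply-Message = "Not authorized for network device access"

! ---- Cisco IOS (15.x syntax), the NAS side ----
aaa new-model
!
! Login authentication via RADIUS, local users only if RADIUS is unreachable.
aaa authentication login default group radius local
!
! EXEC authorization is what applies shell:priv-lvl from the Access-Accept.
! Without it the router ignores the AV pair and asks for the enable secret,
! which is the "$enab15$" request the original poster saw.
aaa authorization exec default group radius local
!
radius server FREERADIUS
 address ipv4 192.0.2.10 auth-port 1812 acct-port 1813
 key <shared-secret>
!
line vty 0 4
 login authentication default
 authorization exec default
 transport input ssh
```

After reloading FreeRADIUS, run it in debug mode (radiusd -X) and log in once from each group: the Access-Accept for a NetworkAdmins member should carry Cisco-AVPair = "shell:priv-lvl=15" and "show privilege" on the router should report 15 without an enable prompt, while a NetworkOperators member should report 1. Keep the "local" fallback users strong, since they are what answers when the RADIUS server is down.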