Hi,
I was hoping to get some clarity on why my config behaves the way it does. I am configuring a priv level 7 for our support team to log into switches and clear port-security errors, shut/no shut ports. I want the authentication to use RADIUS.
On our RSA server (RADIUS) we have a RADIUS profile configured and applied to our switch; this passes the shell:priv-lvl=7 attribute to the switch, and the members of this RADIUS profile are our support team.
Switch config is:
aaa authentication login default group radius local
aaa authorization exec default group radius if-authenticated
enable secret 5 $1$8kQg$COXCBjgVf3eX1UXwsHfYu/
privilege interface level 7 no shutdown
privilege interface level 7 shutdown
privilege interface level 7 do show
privilege interface level 7 switchport access vlan
privilege configure level 7 int gigabitethernet
privilege configure level 7 interface gigabitethernet
privilege configure level 7 interface
privilege exec level 7 configure
privilege exec level 7 show log
privilege exec level 7 show int status
privilege exec level 7 show int status err-disabled
privilege exec level 7 clear port-security sticky interface
privilege exec level 7 clear port-security sticky address
privilege exec level 7 conf t
privilege exec level 7 clear port-security sticky interface gigabitethernet
Here's how it behaves:
1. Anyone logs in, the RADIUS auth works and they are given priv level 7 (this applies to members and non-members of the RADIUS profile...).
2. We then have to enable 15 and enter the enable secret to reach admin (level 15).
This is good (because in essence, we want everyone to have lower priv levels and only admins to reach 15). But it's only by accident that I realised this is how it was working (at first, I was stumped because the switch was always at priv level 15 unless I applied the RADIUS profile, and then I couldn't get out of level 7; I accidentally typed 'enable' and it worked!). I am CCNA level (never touched priv/RADIUS before) so my questions are:
a) Why does the switch need the enable password to get the priv 15? Where is this set..?
b) For Authorization, is if-authenticated the correct failsafe to use? My understanding of this command is that if the user can authenticate via radius, but authorization fails for some reason then they will be given exec level access to the switch because they authenticated?
c) Does anyone have any best practice/other suggestions on how to implement priv levels? Ideally I'd like to remove the option to access Interface Port-channel and limit the interface configure to gigabitethernet interfaces only, but can't seem to do this.
Thanks in advance,
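As an added example (not part of the post, and not a Cisco tool), here is a small Python audit script that applies one documented IOS rule to the privilege lines above: when a command string is assigned to a privilege level, every prefix of that string is assigned to the same level too (so `privilege exec level 7 show int status` also moves `show` and `show int` to level 7). The poster's lines are embedded as a constructed sample, and the script lists, per parser mode, what a level-7 user can reach and which bare keywords are granted with no argument restriction at all. The model treats tokens literally, so `int` and `interface` are tracked as separate entries even though IOS would expand the abbreviation.

```python
"""Audit Cisco IOS `privilege` lines to see what a lowered privilege level exposes.

Added example, not from the forum post. It models one documented IOS rule:
assigning a command string to a level also assigns every prefix of that
string to the same level. The sample config is constructed from the poster's lines.
"""
import re
from collections import defaultdict

# Constructed sample: the poster's privilege lines, verbatim.
SAMPLE_CONFIG = """\
privilege interface level 7 no shutdown
privilege interface level 7 shutdown
privilege interface level 7 do show
privilege interface level 7 switchport access vlan
privilege configure level 7 int gigabitethernet
privilege configure level 7 interface gigabitethernet
privilege configure level 7 interface
privilege exec level 7 configure
privilege exec level 7 show log
privilege exec level 7 show int status
privilege exec level 7 show int status err-disabled
privilege exec level 7 clear port-security sticky interface
privilege exec level 7 clear port-security sticky address
privilege exec level 7 conf t
privilege exec level 7 clear port-security sticky interface gigabitethernet
"""

PRIV_RE = re.compile(r"^privilege\s+(\S+)\s+level\s+(\d+)\s+(.+?)\s*$")


def parse_privilege_lines(config_text):
    """Return {mode: {command_tuple: level}} including every implied prefix.

    A later line for the same command string overrides an earlier one,
    matching how IOS treats a repeated privilege command.
    """
    table = defaultdict(dict)
    for raw in config_text.splitlines():
        m = PRIV_RE.match(raw.strip())
        if not m:
            continue  # not a privilege line; ignore
        mode, level = m.group(1), int(m.group(2))
        words = tuple(m.group(3).split())
        # Prefix rule: 'show int status' also moves 'show' and 'show int'.
        for n in range(1, len(words) + 1):
            table[mode][words[:n]] = level
    return table


def commands_at_or_below(table, mode, level):
    """Sorted command strings in `mode` reachable by a user at `level`."""
    return sorted(" ".join(cmd) for cmd, lvl in table.get(mode, {}).items()
                  if lvl <= level)


def bare_keyword_grants(table, mode, level):
    """Single-keyword entries at or below `level`: grants that carry no
    argument restriction. A bare 'interface' in configure mode means the
    keyword itself is reachable whatever interface type follows it."""
    return sorted(cmd[0] for cmd, lvl in table.get(mode, {}).items()
                  if len(cmd) == 1 and lvl <= level)


def explain_config(config_text, level=7):
    """Per-mode report of reachable commands and bare-keyword grants."""
    table = parse_privilege_lines(config_text)
    return {
        mode: {
            "reachable": commands_at_or_below(table, mode, level),
            "bare_keywords": bare_keyword_grants(table, mode, level),
        }
        for mode in sorted(table)
    }


if __name__ == "__main__":
    for mode, info in explain_config(SAMPLE_CONFIG).items():
        print(f"[{mode}] bare keywords at level <= 7: {info['bare_keywords']}")
        for cmd in info["reachable"]:
            print(f"    {cmd}")
```

Running it against the sample shows `interface` (and `int`) listed as bare keywords in configure mode, because the line `privilege configure level 7 interface` grants the keyword outright; that is one reason the level-7 lines as written cannot express "gigabitethernet only". The same prefix listing is a quick way to review, before rolling a privilege level out, exactly which top-level keywords a support-level login will be able to type.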