Radius and IAS won't login to level 15

spectre03
Level 1

I think I have something a little wrong. I have things working for login via RADIUS, but when I authenticate it only gives me privilege level 1, even though I have "shell:priv-lvl=15" in the IAS config followed by Login, per several docs I have found. Here is the config I am using on the routers.

aaa new-model
aaa authentication login default group radius
aaa authentication login if_needed local
aaa authorization exec default group radius if-authenticated
aaa session-id common
radius-server host 10.x.x.x auth-port 1645 acct-port 1646
radius-server retransmit 3
radius-server key 7 <key>
privilege exec level 2 enable
username <admin> password <password>
line con 0
 privilege level 2
 login authentication if_needed

Anyone know of something I am missing?

I am on IOS 12.3(11)T with Win 2K IAS server.
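IOS takes the privilege level from a cisco-avpair carried inside a RADIUS Vendor-Specific attribute (type 26, vendor ID 9, vendor-type 1), so when a user lands at level 1 it is worth confirming that the Access-Accept really carries "shell:priv-lvl=15" in that exact encoding rather than, say, in a Reply-Message. The encoder and decoder below are an added example, not code from the original post or from Cisco; the sample attribute bytes are constructed inline.

```python
import struct

ATTR_SERVICE_TYPE = 6        # RFC 2865 Service-Type
ATTR_REPLY_MESSAGE = 18      # RFC 2865 Reply-Message (free text, ignored for priv-lvl)
ATTR_VENDOR_SPECIFIC = 26    # RFC 2865 Vendor-Specific
CISCO_VENDOR_ID = 9          # IANA enterprise number for Cisco
CISCO_AVPAIR = 1             # vendor-type of cisco-avpair inside the Cisco VSA

def encode_cisco_avpair(avpair: str) -> bytes:
    """Encode one cisco-avpair string the way a RADIUS server must send it to IOS."""
    value = avpair.encode("ascii")
    vendor_data = struct.pack("!BB", CISCO_AVPAIR, 2 + len(value)) + value
    body = struct.pack("!I", CISCO_VENDOR_ID) + vendor_data
    return struct.pack("!BB", ATTR_VENDOR_SPECIFIC, 2 + len(body)) + body

def iter_attributes(payload: bytes):
    """Yield (type, value) pairs from a RADIUS attribute list, rejecting bad lengths."""
    pos = 0
    while pos < len(payload):
        if pos + 2 > len(payload):
            raise ValueError("truncated attribute header")
        atype, alen = payload[pos], payload[pos + 1]
        if alen < 2 or pos + alen > len(payload):
            raise ValueError("bad attribute length")
        yield atype, payload[pos + 2:pos + alen]
        pos += alen

def cisco_priv_level(payload: bytes):
    """Return the level IOS would read from shell:priv-lvl, or None if none is present."""
    for atype, value in iter_attributes(payload):
        if atype != ATTR_VENDOR_SPECIFIC or len(value) < 6:
            continue
        if struct.unpack("!I", value[:4])[0] != CISCO_VENDOR_ID:
            continue
        vpos = 4
        while vpos + 2 <= len(value):
            vtype, vlen = value[vpos], value[vpos + 1]
            if vlen < 2 or vpos + vlen > len(value):
                break
            data = value[vpos + 2:vpos + vlen]
            if vtype == CISCO_AVPAIR and data.startswith(b"shell:priv-lvl="):
                digits = data.split(b"=", 1)[1]
                if digits.isdigit() and 0 <= int(digits) <= 15:
                    return int(digits)
            vpos += vlen
    return None

# Constructed Access-Accept attribute list: Service-Type=Login followed by the Cisco VSA.
GOOD_ATTRS = struct.pack("!BBI", ATTR_SERVICE_TYPE, 6, 1) + encode_cisco_avpair("shell:priv-lvl=15")
# Constructed misconfiguration: the same string typed into a Reply-Message, which IOS ignores.
_msg = b"shell:priv-lvl=15"
WRONG_ATTRS = struct.pack("!BB", ATTR_REPLY_MESSAGE, 2 + len(_msg)) + _msg
```

Feeding the attribute bytes from a packet capture of the server's reply into cisco_priv_level shows whether the level-1 result comes from the server's encoding or from the router's authorization config.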

2 Replies

gfullage
Cisco Employee

If you're trying to get this to work on the console, then be aware that authorization (which is what is used for privilege level assignment) is turned OFF on the console port by default. This is by design so that the console port is always a back-door entry in case you lock yourself out of the router, which is easy to do with authorization. The theory is that if someone has access to your console port, you have a lot more to worry about than authorization.

If you really want authorization on the console, then you can enable it with the hidden command:

aaa authorization console

Actually, you're correct in your assumption: I am not trying to do this on the console, yet. Once I have full monitoring up so I can see downtime on each one and check for changes (or preferably just set up network loads), then it will be a predominantly moot point. However, the trouble I am having now isn't that it's not working on the console port; it's that it will only give me an exec prompt and not an enable prompt and capabilities. I think I am just not putting it all together correctly. This should be only for the vty sessions and telnet access at this point. I can put a local pass on the console connection and be happy as a clam for now.