01-26-2011 09:11 AM - edited 03-10-2019 05:45 PM
Hi experts,
I guess I never really understood the authentication process on Cisco routers and devices lol. Anyway, I want users with privilege level 15 to be put in enable mode right away after login without having to type in the "enable" command and enable password. Users with other privilege levels will still be put in EXEC mode.
AAA has to be enabled because I'm using it for 802.1x as well.
The privilege level eventually will be assigned by Radius server but right now the user is created locally on the switch. Right now I have:
aaa new-model
!
username admin privilege 15 secret 5 $1$2bdl$VIp53G4/zpo4f9aHh.t5v0
username cisco secret 5 $1$NGdD$ehTUzwappJFMxgA7tM/YW.
!
line vty 0 5
access-class 100 in
exec-timeout 30 0
logging synchronous
transport input ssh
And it's not working lol. No matter whether I log in with "admin" or "cisco", I'm put in EXEC mode... What do I have to do to achieve this?
Thanks!
01-26-2011 09:39 AM
On the Cisco device, issue the command listed below:
aaa authorization exec default group radius local
On the RADIUS server, if it's ACS or IAS,
set the service type attribute like this:
services-type=Administrative
Doing this, the user will start landing in privilege exec mode #
Regards,
Jatin
Do rate helpful posts-
01-27-2011 07:03 AM
Hi,
With the default keyword, authorization will get applied on all the lines, i.e. CONSOLE, VTY, AUX.
In case you want it only for users who are trying to log in via SSH or telnet, use the following:
EXEC AUTHORIZATION
Router
router(config)#aaa authorization exec TEL group radius local
router(config)#line vty 0 15
router(config-line)#authorization exec TEL
ACS
Interface configuration
Check user & group for cisco av-pair.
User setup -> cisco ios/pix 6.x radius attributes -> cisco av-pair [shell:priv-lvl=15]
OR
Group setup -> ios/pix 6.x radius attributes -> shell:priv-lvl=15
In the case of RADIUS, if exec authorization is enabled and you have not specified any privilege level in the ACS server, then the user will fall under privilege level 1, and if enable authentication is enabled or an enable password is defined on the router, then we can go to enable mode by typing en or en
Regards,
Anisha
P.S.: please mark this thread as resolved if you think your query is answered.
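A way to check a saved running-config for the behaviour discussed in this thread, as an added example (not code from any of the posters or from Cisco): the Python function below, exec_landing_levels (a hypothetical name), reports the privilege level each local user lands at on every "line vty" range. It assumes "aaa new-model" is on, looks only at vty lines, and treats any "group radius" method ahead of "local" as unanswered, so the local user database decides. The sample configs are constructed from the commands in the thread, with the secrets replaced by a placeholder.

```python
import re

def exec_landing_levels(config):
    """Map each 'line vty' range to {local user: privilege level at login}."""
    users, lists, vty, current = {}, {}, {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if m := re.match(r"username (\S+)", line, re.I):
            priv = re.search(r"\sprivilege (\d+)", line, re.I)
            users[m.group(1)] = int(priv.group(1)) if priv else 1  # IOS default level is 1
        elif m := re.match(r"aaa authorization exec (\S+) (.+)", line, re.I):
            lists[m.group(1)] = m.group(2).lower().split()  # list name stays case-sensitive
        elif m := re.match(r"line (\S+)", line, re.I):
            current = line.lower() if m.group(1).lower() == "vty" else None
            if current:
                vty[current] = "default"  # a line uses the default list unless one is applied
        elif current and (m := re.match(r"authorization exec (\S+)", line, re.I)):
            vty[current] = m.group(1)
    result = {}
    for name, applied in vty.items():
        # Assumption: no server in an earlier "group radius" method answers,
        # so the lookup falls through to "local" when that method is listed.
        uses_local = "local" in lists.get(applied, [])
        # Without exec authorization the configured privilege is not applied at login.
        result[name] = {u: (p if uses_local else 1) for u, p in users.items()}
    return result

# Constructed sample configs based on the thread (secrets replaced by <hash>).
USERS = ("aaa new-model\n"
         "username admin privilege 15 secret 5 <hash>\n"
         "username cisco secret 5 <hash>\n")
BEFORE = USERS + "line vty 0 5\n transport input ssh\n"
AFTER = (USERS + "aaa authorization exec default group radius local\n"
         "line vty 0 5\n transport input ssh\n")
NAMED = (USERS + "aaa authorization exec TEL group radius local\n"
         "line con 0\nline vty 0 15\n authorization exec TEL\n")

if __name__ == "__main__":
    for label, cfg in (("before", BEFORE), ("after", AFTER), ("named", NAMED)):
        print(label, exec_landing_levels(cfg))
```

Running it against a config export before and after a change shows whether a vty range was left without an exec authorization list, which is the condition the original question describes.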
01-27-2011 03:17 PM
Thanks guys!