Cisco 5K switch RADIUS logins have reduced privilege

Hi,

I have configured radius on some N5K-C5672UP switches. Running 7.3(13)N1(1).

I can login using my AD credentials but for some reason I seem to have a reduced privilege level and cannot see all commands when doing a conf t.

L1N5K02-P(config)# ?
no Negate a command or set its defaults
username Configure user information.
end Go to exec mode
exit Exit from command interpreter

L1N5K02-P(config)#


When I login as a local admin I can configure more of the device but I am unable to set the VTY line to 15

L1N5K02-P(config)# line vty
L1N5K02-P(config-line)# ?
absolute-timeout Configure absolute timeout
access-class Specify IPv4 access control for packets
exec-timeout Configure exec timeout
ip Configure IP features
ipv6 Configure IPv6 features
logout-warning Configure logout warning
no Negate a command or set its defaults
session-limit Set the max no of concurrent vsh sessions
end Go to exec mode
exit Exit from command interpreter
pop Pop mode from stack or restore from name
push Push current mode to stack or save it under name
where Shows the cli context you are in

L1N5K02-P(config-line)#

I believe the NPS server is setup correct as my AD account is working correctly for other network devices.

17 Replies

M02@rt37
VIP

Hello support1@lima.co.uk,

Please share the output of the aaa configuration on your Nexus.

You perhaps need to adjust the privilege level settings in your RADIUS configuration. Do you have something like this ?


aaa group server radius radius-group
server <radius-server-ip-address>
use-vrf management
source-interface <management-interface>
! 
aaa authentication login default group radius-group local 
!

Best regards
.ı|ı.ı|ı. If This Helps, Please Rate .ı|ı.ı|ı.

Hi, please see below

L1N5K02-P# show run | i radius
radius-server key 7 "swwxoomi"
radius-server retransmit 3
radius-server host 10.200.103.112 authentication accounting
radius-server host L1RADIUS04V authentication accounting
aaa group server radius RADIUS1
ip access-list copp-system-acl-tacacsradius
ip radius source-interface mgmt0
L1N5K02-P#


L1N5K02-P# show run | i aaa
aaa group server radius RADIUS1
aaa authentication login default group RADIUS1 local
aaa accounting default group RADIUS1 local

The RADIUS server returns the privilege level with the accept message.

You need to return to the RADIUS server and add the user admin with privilege 15.

Sorry, I did not follow. Are you saying the configuration on the RADIUS server is incorrect?

User is in the Cisco-Admin workgroup and priv is set to 15

[screenshot: support1limacouk_0-1683636872165.png]

support1@lima.co.uk,

You need on your NPS another Cisco AV-Pair

shell:roles*network-admin

[screenshot: M02rt37_0-1683640029290.png]

More details: https://www.cisco.com/c/en/us/support/docs/security/identity-services-engine/215525-use-radius-for-device-administration-wit.html


Best regards
.ı|ı.ı|ı. If This Helps, Please Rate .ı|ı.ı|ı.

We are not using ISE in this deployment; does it still require the missing shell:roles=*network-admin?

I have added the additional configuration to the NPS server.

[screenshot: support1limacouk_0-1683713953180.png]

Still not able to have full level 15 privileges when logging in.

[screenshot: support1limacouk_1-1683714010572.png]

Cisco-AVPair = shell:roles=\network-operator network-admin\

Cisco-AVPair = shell:roles*\network-operator network-admin\

This is how you configure the AVPair.

Hi MHM,

I have changed the settings to the below. I still have a reduced level of management.

This is my conf t ? output

[screenshot: support1limacouk_1-1683722099933.png]

[screenshot: support1limacouk_0-1683722043985.png]

I am sorry, but can you share a good-resolution image?
You must use only network-admin, not both.
The user is either network-operator or admin; here we need it to be admin.

Cisco-AVPair = shell:roles=\network-operator network-admin\
OR select one that works for you; do not add both under attribute 5000.
Cisco-AVPair = shell:roles*\network-operator network-admin\


thanks 
MHM
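The accepted answer above explains the shell:roles AV-pair syntax (`=` for a mandatory attribute, `*` for an optional one, quoted space-separated role names) and says to send a single role. As an added example that is not from the thread or from Cisco, here is a small Python validator that parses such values and flags the configurations discussed (network-operator and network-admin both listed, more than one shell:roles value, a leftover priv-lvl entry); the sample attribute list is constructed, and treating the backslashes seen in the screenshots as quote characters is an assumption.

```python
import re
from dataclasses import dataclass
from typing import List

# Cisco-AVPair shell:roles syntax as used in the thread:
#   shell:roles="network-admin"   '=' -> mandatory attribute
#   shell:roles*"network-admin"   '*' -> optional attribute
# The NPS screenshots render the quotes as backslashes, so both delimiters
# are accepted (assumption: the backslash is a display artefact, not a literal).
AVPAIR_RE = re.compile(r'^shell:roles(?P<sep>[=*])(?P<q>["\\])(?P<roles>[^"\\]*)(?P=q)$')

# Constructed sample of what the thread's attribute 5000 carried.
SAMPLE_ATTRIBUTE_5000 = [
    'shell:roles=\\network-operator network-admin\\',
    'shell:roles*\\network-operator network-admin\\',
    'shell:priv-lvl=15',
]

@dataclass
class ShellRoles:
    mandatory: bool
    roles: List[str]

def parse_shell_roles(avpair: str) -> ShellRoles:
    """Parse one Cisco-AVPair shell:roles value; raise ValueError if malformed."""
    m = AVPAIR_RE.match(avpair.strip())
    if not m:
        raise ValueError(f"not a shell:roles AV-pair: {avpair!r}")
    roles = m.group("roles").split()
    if not roles:
        raise ValueError("shell:roles carries no role name")
    return ShellRoles(mandatory=(m.group("sep") == "="), roles=roles)

def audit_avpairs(avpairs: List[str]) -> List[str]:
    """Return findings for the Cisco-AVPair values of one policy (empty list = clean)."""
    findings = []
    role_pairs = [a for a in avpairs if a.strip().startswith("shell:roles")]
    if not role_pairs:
        return ["no shell:roles AV-pair: the switch will not receive a role"]
    if len(role_pairs) > 1:
        findings.append(f"{len(role_pairs)} shell:roles values present; send exactly one")
    for a in role_pairs:
        try:
            parsed = parse_shell_roles(a)
        except ValueError as e:
            findings.append(str(e))
            continue
        if "network-operator" in parsed.roles and "network-admin" in parsed.roles:
            findings.append("both network-operator and network-admin listed; keep only network-admin")
    for a in avpairs:
        if a.strip().startswith("shell:priv-lvl"):
            findings.append(f"{a.strip()!r} is not a role; the thread's advice is to remove it")
    return findings

def demo_findings() -> List[str]:
    return audit_avpairs(SAMPLE_ATTRIBUTE_5000)
```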

Hi,

I have removed the network-operator, but is this required, as on the switch it states my account is a network-operator? Should this match on NPS and the switch?

[screenshot: support1limacouk_0-1683726065790.png]

roles:network-operator
user:mike.allen_adm

The attribute 5000 is only for the role and it accepts only one value.
I see three values under the attribute 5000; am I correct?

Yes, there are 3 values in the 5000 attribute. Should it only have the shell:roles*\network-admin\ and remove the priv 15 and the other shell role value? I thought you could have more than one value in the 5000 attribute.

[screenshot: support1limacouk_0-1683726753890.png]