08-02-2013 08:35 AM - edited 03-03-2019 07:08 AM
I have spent a while looking around, done a lot of reading and haven't been able to get my lab to work.
I am trying to get a router to assign the privilege level based on a Windows group using Microsoft NPS (latest incarnation of IAS).
So I have done a lot of reading, but it seems the AV-pair on the RADIUS server has no impact on the level the logged-on user can access.
My router has the following config:
aaa new-model
!
!
aaa group server radius RadSrv
 server name NPS1
!
aaa authentication login VTY local group RadSrv
aaa authorization exec VTY local group RadSrv
!
radius server NPS1
 address ipv4 192.168.0.12 auth-port 1645 acct-port 1646
 key password
!
line vty 0 4
 authorization exec VTY
 login authentication VTY
 transport input telnet ssh
The RADIUS server has the following configured:
Standard Attribute
Name: Service type
Number: 6
Value: NAS Prompt
Vendor Specific
Name: Cisco-AV-Pair
Vendor: Cisco
Value: shell:priv-lvl=1
But when I log on with a user that matches this profile I get the following from the debug and prompt:
Username: hrg1
Password:
!
R1>show pri
R1>en
R1#show pri
R1#show privilege
Current privilege level is 15
and the debug:
Aug 2 15:35:04.794: AAA/BIND(0000002F): Bind i/f
Aug 2 15:35:04.794: AAA/AUTHEN/LOGIN (0000002F): Pick method list 'VTY'
Aug 2 15:35:10.666: AAA/AUTHOR (0x2F): Pick method list 'VTY' - PASS
Aug 2 15:35:10.666: AAA/AUTHOR/EXEC(0000002F): processing AV priv-lvl=1
Aug 2 15:35:10.666: AAA/AUTHOR/EXEC(0000002F): processing AV service-type=7
Aug 2 15:35:10.666: AAA/AUTHOR/EXEC(0000002F): Authorization successful
Aug 2 15:35:15.226: AAA/AUTHOR: auth_need : user= 'hrg1' ruser= 'one'rem_addr= '192.168.0.6' priv= 0 list= '' AUTHOR-TYPE= 'command'
Aug 2 15:35:15.226: AAA: parse name=tty11 idb type=-1 tty=-1
Aug 2 15:35:15.226: AAA: name=tty11 flags=0x11 type=5 shelf=0 slot=0 adapter=0 port=11 channel=0
Aug 2 15:35:15.226: AAA/MEMORY: create_user (0x873541FC) user='hrg1' ruser='NULL' ds0=0 port='tty11' rem_addr='192.168.0.6' authen_type=ASCII service=ENABLE priv=15 initial_task_id='0', vrf= (id=0)
Aug 2 15:35:15.230: AAA/AUTHEN/START (1138619649): port='tty11' list='VTY' action=LOGIN service=ENABLE
Aug 2 15:35:15.230: AAA/AUTHEN/START (1138619649): console enable - default to enable password (if any)
Aug 2 15:35:15.230: AAA/AUTHEN/START (1138619649): Method=ENABLE
Aug 2 15:35:15.230: AAA/AUTHEN(1138619649): can't find any passwords
Aug 2 15:35:15.230: AAA/AUTHEN (1138619649): status = ERROR
Aug 2 15:35:15.230: AAA/AUTHEN/START (1138619649): Method=NONE
Aug 2 15:35:15.230: AAA/AUTHEN (1138619649): status = PASS
Aug 2 15:35:15.230: AAA/MEMORY: free_user (0x873541FC) user='hrg1' ruser='NULL' port='tty11' rem_addr='192.168.0.6' authen_type=ASCII service=ENABLE priv=15 vrf= (id=0)
It seems to get the privilege level when the user logs in, but there are no restrictions when entering enable mode.
08-05-2013 01:45 AM
Guess it's going to be a TAC case then.
I wonder if anybody has got this working.
08-05-2013 07:54 AM
Username: hrg1
Password:
!
R1>show pri
R1>en
R1#show pri
R1#show privilege
Current privilege level is 15
Technically, if you're putting a level 15 enable password in then the user is level 15 regardless of the initial login. You'll need to set an enable level for the level that you're wanting:
R1>enable
Password:
R1#sh priv level
R1#sh priv
Current privilege level is 15
R1#disa
R1>enable 3
Password:
R1#sh priv
Current privilege level is 3
R1#disab
R1>en
Password:
R1#sh run | i enable
enable secret level 3 5 $1$ZWgd$pmqbBMhM3AoUbLNWfdRrc/
enable secret 5 $1$UC3a$Q6MM8v3RHo4CZp6G0CMtV/
R1#
If the user only knows their level and password, you shouldn't have any worries about them getting in at the highest level.
HTH,
John
*** Please rate all useful posts ***
08-07-2013 12:52 AM
I'm not clear on what you mean, sorry.
I didn't have a username or enable password in the config; are you saying that is my problem?
I will give it a try, but that would mean I can't control access levels via the AD group setting.
08-10-2013 12:20 AM
Hello Andrew,
As far as I can see, the method for the enable mode in your configuration is still local, and you have no enable password/secret configured locally.
Could you try:
aaa authentication enable default group RadSrv [] [ ]
Hope that helps
Rolf
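What the debug in the first post shows, and what Rolf points to, can be checked mechanically: the enable request (service=ENABLE) fails the ENABLE method because no enable secret exists, then passes on Method=NONE, so the user reaches level 15 without any credential check. The following is an added example, not code from any poster, that groups the AAA/AUTHEN debug lines by session and flags such sessions; the sample lines are copied from the thread's debug output.

```python
import re
from dataclasses import dataclass, field

# Sample input copied from the thread's debug: the login session 0000002F
# (one line, ignored here) and the enable session 1138619649.
SAMPLE_DEBUG = """\
Aug 2 15:35:04.794: AAA/AUTHEN/LOGIN (0000002F): Pick method list 'VTY'
Aug 2 15:35:15.230: AAA/AUTHEN/START (1138619649): port='tty11' list='VTY' action=LOGIN service=ENABLE
Aug 2 15:35:15.230: AAA/AUTHEN/START (1138619649): console enable - default to enable password (if any)
Aug 2 15:35:15.230: AAA/AUTHEN/START (1138619649): Method=ENABLE
Aug 2 15:35:15.230: AAA/AUTHEN(1138619649): can't find any passwords
Aug 2 15:35:15.230: AAA/AUTHEN (1138619649): status = ERROR
Aug 2 15:35:15.230: AAA/AUTHEN/START (1138619649): Method=NONE
Aug 2 15:35:15.230: AAA/AUTHEN (1138619649): status = PASS
"""

# Matches "AAA/AUTHEN (sid):" and "AAA/AUTHEN/START (sid):" lines only.
LINE_RE = re.compile(r"AAA/AUTHEN(?:/START)?\s*\((?P<sid>\d+)\):\s*(?P<msg>.*)$")


@dataclass
class AuthenSession:
    sid: str
    service: str = ""
    method: str = ""
    results: list = field(default_factory=list)  # (method, status) in order seen


def parse_authen(debug_text):
    """Group AAA/AUTHEN lines by session id and record which method
    was active when each 'status = ...' line was emitted."""
    sessions = {}
    for line in debug_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        s = sessions.setdefault(m["sid"], AuthenSession(m["sid"]))
        msg = m["msg"]
        if svc := re.search(r"service=(\w+)", msg):
            s.service = svc.group(1)
        if meth := re.match(r"Method=(\w+)", msg):
            s.method = meth.group(1)
        if st := re.match(r"status = (\w+)", msg):
            s.results.append((s.method, st.group(1)))
    return sessions


def enable_without_password(debug_text):
    """Session ids where an ENABLE request ended in PASS under the NONE
    method, i.e. enable mode was granted with no password check at all."""
    return [s.sid for s in parse_authen(debug_text).values()
            if s.service == "ENABLE" and ("NONE", "PASS") in s.results]
```

Run against a live `debug aaa authentication` capture, a non-empty result means the enable method list is falling through to NONE and needs either a local enable secret or an `aaa authentication enable` list that points at the RADIUS group, as Rolf suggests.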