I am setting up RADIUS AAA for a Cat6K switch.
For authentication it works and the user can log in to the switch. But for the privilege level assignment, it does not work.
After logging in, I always get privilege 1.
I need your guidance on how to configure the RADIUS attribute on ACS 5.1.
I followed the document to configure the cisco-av-pair to assign privilege 15 and privilege 5, but it does not work.
The attribute format shown in the document to set privilege 15 is "shell:priv-lvl=15".
Please refer to my screenshot; is this the correct way to configure it on ACS 5.1?
The av-pair does look to be correct. I wanted to know if you can verify that you are hitting the right authorization rule, and also whether you have "aaa authorization exec default group radius local" configured.
When making these changes, so you don't lock yourself out, please keep an active session open and test with another session. If you are setting this up in a lab (highly recommended), please note that if you lock yourself out you can console into the device, since you have to explicitly configure console authorization.
You can also test by issuing the following debug: debug aaa authorization.
Hope this helps,
Here is the debug; it seems to fail on authorization.
Jun 3 10:20:16.664: AAA: parse name=tty2 idb type=-1 tty=-1
Jun 3 10:20:16.664: AAA: name=tty2 flags=0x11 type=5 shelf=0 slot=0 adapter=0 port=2 channel=0
Jun 3 10:20:16.664: AAA/MEMORY: create_user (0x47554DF0) user='NULL' ruser='NULL' ds0=0 port='tty2' rem_addr='172.29.17.7' authen_type=ASCII service=LOGIN priv=1 initial_task_id='0', vrf= (id=0)
Jun 3 10:20:19.976: tty2 AAA/AUTHOR/EXEC (1458495404): Port='tty2' list='' service=EXEC
Jun 3 10:20:19.976: AAA/AUTHOR/EXEC: tty2 (1458495404) user='cktan'
Jun 3 10:20:19.976: tty2 AAA/AUTHOR/EXEC (1458495404): send AV service=shell
Jun 3 10:20:19.976: tty2 AAA/AUTHOR/EXEC (1458495404): send AV cmd*
Jun 3 10:20:19.976: tty2 AAA/AUTHOR/EXEC (1458495404): found list "default"
Jun 3 10:20:19.976: tty2 AAA/AUTHOR/EXEC (1458495404): Method=ACS (radius)
Jun 3 10:20:19.976: AAA/AUTHOR (1458495404): Post authorization status = FAIL
Jun 3 10:20:19.976: AAA/AUTHOR/EXEC: Authorization FAILED
Jun 3 10:20:21.976: AAA/MEMORY: free_user (0x47554DF0) user='cktan' ruser='NULL' port='tty2' rem_addr='172.29.17.7' authen_type=ASCII service=LOGIN priv=1
Jun 3 10:21:12.868: AAA/AUTHOR: config command authorization not enabled
Jun 3 10:21:12.872: AAA/AUTHOR: config command authorization not enabled
Check your authorization rules and make sure you are hitting the correct rule which references the av-pair. In the debugs I do not see the av-pair being handed down.
With only debug aaa authorization enabled, here is a sample of my debugs:
*Mar 8 03:19:40.002: AAA/BIND(0000000E): Bind i/f
*Mar 8 03:19:43.525: AAA/AUTHOR/EXEC(0000000E): processing AV priv-lvl=15
*Mar 8 03:19:43.525: AAA/AUTHOR/EXEC(0000000E): Authorization successful
Hope this helps.
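A small parser for the "debug aaa authorization" output discussed in this thread, added here as an example (not code from the original thread or from Cisco): it groups the lines by session id, records the AV pairs the switch sent and the ones the server handed back, and flags the pattern in the failing debug above, a FAIL with no AV pair handed down. The sample lines are constructed from the two transcripts quoted in the thread.

```python
import re
from dataclasses import dataclass, field
# Constructed sample, modelled on the two 'debug aaa authorization' transcripts in this thread.
DEBUG_OUTPUT = """\
Jun 3 10:20:19.976: AAA/AUTHOR/EXEC: tty2 (1458495404) user='cktan'
Jun 3 10:20:19.976: tty2 AAA/AUTHOR/EXEC (1458495404): send AV service=shell
Jun 3 10:20:19.976: AAA/AUTHOR (1458495404): Post authorization status = FAIL
Jun 3 10:20:19.976: AAA/AUTHOR/EXEC: Authorization FAILED
*Mar 8 03:19:43.525: AAA/AUTHOR/EXEC(0000000E): processing AV priv-lvl=15
*Mar 8 03:19:43.525: AAA/AUTHOR/EXEC(0000000E): Authorization successful
"""

SESSION = re.compile(r"AAA/AUTHOR(?:/EXEC)?:?\s*(?:tty\d+\s+)?\((\w+)\)")
USER = re.compile(r"user='([^']*)'")
SENT = re.compile(r"send AV (\S+)")          # AV pairs the switch puts in the request
RECEIVED = re.compile(r"processing AV (\S+)")  # AV pairs the server hands back
VERDICT = re.compile(r"Authorization (successful|FAILED)")
@dataclass
class ExecAuth:
    user: str = "?"
    sent: list = field(default_factory=list)
    received: list = field(default_factory=list)
    verdict: str = "unknown"

def parse_author_debug(text):
    """Group AAA/AUTHOR lines by session id; lines without an id belong to the last session seen."""
    sessions, current = {}, None
    for line in text.splitlines():
        if (m := SESSION.search(line)):
            current = sessions.setdefault(m.group(1), ExecAuth())
        if current is None:
            continue
        if (m := USER.search(line)):
            current.user = m.group(1)
        current.sent += SENT.findall(line)
        current.received += RECEIVED.findall(line)
        if (m := VERDICT.search(line)):
            current.verdict = m.group(1)
    return sessions

def diagnose(auth):
    """FAIL with nothing handed down means the reply carried no cisco-av-pair (wrong rule/profile)."""
    lvl = next((av.split("=", 1)[1] for av in auth.received if av.startswith("priv-lvl=")), None)
    if auth.verdict == "successful" and lvl:
        return f"EXEC authorized with priv-lvl={lvl}"
    if auth.verdict == "FAILED" and not auth.received:
        return "no AV pair returned: check which ACS rule matched and that its profile sets shell:priv-lvl"
    return f"verdict={auth.verdict}, received={auth.received}"
```

Run `diagnose()` over each value of `parse_author_debug(DEBUG_OUTPUT)` to see the failing session reported as "no AV pair returned" and the working one as priv-lvl=15.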
Yes, the hit count is 17.
Network Access Authorization Policy
Rule: Netadmin-All
  NDG:Location: in DiGi
  Time And Date: -ANY-
  Identity Group: in All Groups:Vendor-SU:HP
  NDG:Device Type: in All Device Types
  Authorization Profile: Administrator
  Hit Count: 17