cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1794
Views
5
Helpful
5
Replies
Beginner

ACS 5.1 - Authorization Profile , RADIUS Attributes

HI,

I am setting up Radius AAA for cat6K switch.

For authentication its work and user can login to switch. But for the privilege level assignment, it does not work.
After loging in, I always get privilege 1.

I need your guide on how to configure on ACS 5.1,  RADIUS Attribute.

I follow the document to configure the cisco-av-pair for assign Privilege 15 and Privilege 5 , but it does not work.

This attribute format was shown in document is to set Privilege 15, "shell:priv-lvl=15"

Please refer to my screen shoot, it is correct way of configure it on ACS 5.1

1 ACCEPTED SOLUTION

Accepted Solutions
Cisco Employee

Re: ACS 5.1 - Authorization Profile , RADIUS Attributes

Date Created: 12-JUN-2011 05:56 AM Created By: Damani, Anisha A(ANDAMANI,279917) Problem :

=========

Authorization not working as expected

 

Resolution :

============

Added a service type of NAS-Prompt

5 REPLIES 5
Advocate

Re: ACS 5.1 - Authorization Profile , RADIUS Attributes

Hello,

The av-pair does look to be correct, I wanted to know if you can verify that you are hitting the right authorization rule and also if you had "aaa authorization exec default group radius local" configured.

when making these changes so you dont lock yourself out please keep an active session open and test with another session. If you are setting this up in a lab (highly recommended) Please note that if you lock your self you can console into the device since you have to explicitly configure console authorization.

You can also test by issue the following debug - debug aaa authorization.

Hope this helps,

Tarik Admani

Tarik Admani
*Please rate helpful posts*
Beginner

Re: ACS 5.1 - Authorization Profile , RADIUS Attributes

here the debug, it seem to be failed on authorization.

SHTMPLS1CE(config-line)#
Jun  3 10:20:16.664: AAA: parse name=tty2 idb type=-1 tty=-1
Jun  3 10:20:16.664: AAA: name=tty2 flags=0x11 type=5 shelf=0 slot=0 adapter=0 port=2 channel=0
Jun  3 10:20:16.664: AAA/MEMORY: create_user (0x47554DF0) user='NULL' ruser='NULL' ds0=0 port='tty2' rem_addr='172.29.17.7' authen_type=ASCII service=LOGIN priv=1 initial_task_id='0', vrf= (id=0)
SHTMPLS1CE(config-line)#
Jun  3 10:20:19.976: tty2 AAA/AUTHOR/EXEC (1458495404): Port='tty2' list='' service=EXEC
Jun  3 10:20:19.976: AAA/AUTHOR/EXEC: tty2 (1458495404) user='cktan'
Jun  3 10:20:19.976: tty2 AAA/AUTHOR/EXEC (1458495404): send AV service=shell
Jun  3 10:20:19.976: tty2 AAA/AUTHOR/EXEC (1458495404): send AV cmd*
Jun  3 10:20:19.976: tty2 AAA/AUTHOR/EXEC (1458495404): found list "default"
Jun  3 10:20:19.976: tty2 AAA/AUTHOR/EXEC (1458495404): Method=ACS (radius)
Jun  3 10:20:19.976: AAA/AUTHOR (1458495404): Post authorization status = FAIL
Jun  3 10:20:19.976: AAA/AUTHOR/EXEC: Authorization FAILED
SHTMPLS1CE(config-line)#
Jun  3 10:20:21.976: AAA/MEMORY: free_user (0x47554DF0) user='cktan' ruser='NULL' port='tty2' rem_addr='172.29.17.7' authen_type=ASCII service=LOGIN priv=1


Jun  3 10:21:12.868: AAA/AUTHOR: config command authorization not enabled
Jun  3 10:21:12.872: AAA/AUTHOR: config command authorization not enabled

Advocate

Re: ACS 5.1 - Authorization Profile , RADIUS Attributes

Check your authorization rules and make sure you are hitting the correct rule which references the av-pair. In the debugs I do not see the av-pair being handed down.

With only debug aaa authorization enabled here is a sample of my debugs:

*Mar  8 03:19:40.002: AAA/BIND(0000000E): Bind i/f
*Mar  8 03:19:43.525: AAA/AUTHOR/EXEC(0000000E): processing AV priv-lvl=15
*Mar  8 03:19:43.525: AAA/AUTHOR/EXEC(0000000E): Authorization successful

Hope this helps.

thanks,

Tarik Admani

Tarik Admani
*Please rate helpful posts*
Highlighted
Beginner

Re: ACS 5.1 - Authorization Profile , RADIUS Attributes

Yes, there are hits of 17.

Network Access Authorization Policy  

Filter:           Match if:                                      

           Status      Name Conditions Results     Hit Count

NDG:Location      Time And Date     Identity Group    NDG:Device Type   Authorization Profiles

1          

Enabled

      Netadmin-All      in DiGi     -ANY- in All Groups:Vendor-SU:HP    in All Device Types      Administrator     17

Cisco Employee

Re: ACS 5.1 - Authorization Profile , RADIUS Attributes

Date Created: 12-JUN-2011 05:56 AM Created By: Damani, Anisha A(ANDAMANI,279917) Problem :

=========

Authorization not working as expected

 

Resolution :

============

Added a service type of NAS-Prompt