
AAA Authorization levels with MS IAS

Hi

I have Windows Server 2008 Enterprise edition and I configured IAS for authentication on a Cisco router.

Authentication works great, but authorization does not work at all.

I have one IAS server policy for users with level 15 and another one for users with level 5 (I customized privilege level 5 to only shows).

privilege exec level 5 ping

privilege exec level 5 show

The configuration for authorization on the routers is as follows:

aaa authorization exec RAD_VTY group radius local

Is there a guide to configure authorization with Windows IAS?

Also how to bypass the enable secret password and use the user password instead with AAA?

Thanks


John Blakley
VIP Alumni

You'll need to configure a "Cisco-AV-Pair" for the user that you're wanting to authenticate. When they pass their authentication to the RADIUS server, the attribute pair will be sent back, with this one setting their privilege level. The attribute pair you'd configure is:

Cisco-AV-Pair=shell:priv-lvl=5

HTH,
John

*** Please rate all useful posts ***
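
To confirm what the RADIUS server actually returns, the Access-Accept can be decoded from a packet capture. The following is an added example, not part of the original thread: Python that parses the Cisco-AV-Pair vendor-specific attribute (RADIUS type 26, vendor ID 9, vendor type 1) and extracts `shell:priv-lvl`. The function names and the sample packet are constructed for illustration.

```python
import struct

CISCO_VENDOR_ID = 9   # IANA enterprise number for Cisco
VSA_TYPE = 26         # RADIUS Vendor-Specific attribute (RFC 2865)
CISCO_AVPAIR = 1      # Cisco vendor type 1 carries the cisco-avpair string

def build_avpair(text):
    """Encode one Cisco-AV-Pair string as a RADIUS Vendor-Specific attribute."""
    data = text.encode("ascii")
    sub = struct.pack("!BB", CISCO_AVPAIR, len(data) + 2) + data
    return struct.pack("!BBI", VSA_TYPE, len(sub) + 6, CISCO_VENDOR_ID) + sub

def parse_attributes(packet):
    """Walk the attribute TLVs that follow the 20-byte RADIUS header."""
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length > len(packet):
        raise ValueError("bad RADIUS length field")
    pos, attrs = 20, []
    while pos + 2 <= length:
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("malformed attribute at offset %d" % pos)
        attrs.append((atype, packet[pos + 2:pos + alen]))
        pos += alen
    return code, attrs

def exec_privilege(packet):
    """Return shell:priv-lvl from an Access-Accept, or None if it is absent."""
    code, attrs = parse_attributes(packet)
    if code != 2:                       # 2 = Access-Accept
        return None
    for atype, value in attrs:
        if atype != VSA_TYPE or len(value) < 6:
            continue
        vendor, vtype, vlen = struct.unpack("!IBB", value[:6])
        if vendor != CISCO_VENDOR_ID or vtype != CISCO_AVPAIR:
            continue
        pair = value[6:4 + vlen].decode("ascii", "replace")
        if pair.startswith("shell:priv-lvl="):
            return int(pair.split("=", 1)[1])
    return None

def sample_accept(avpairs):
    """Constructed Access-Accept (zeroed authenticator) for offline testing."""
    body = struct.pack("!BBI", 6, 6, 1)          # Service-Type = Login
    body += b"".join(build_avpair(p) for p in avpairs)
    return struct.pack("!BBH", 2, 1, 20 + len(body)) + bytes(16) + body
```

If `exec_privilege` returns `None` for a captured reply, the policy is not sending the attribute and the router has no privilege level to apply.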

I set this av pair in a policy

When users log into the router, they get the user (>) prompt and when passing to enable they get full privileges.

I think the solution is to use different enable level passwords

Or getting the # prompt at login (I do not know how to force this with AAA authentication)

Sent from Cisco Technical Support iPhone App
