582 Views, 0 Helpful, 9 Replies

AAA RADIUS server with Cisco SWs, dynamic shell privileges.

asdrewaqf (Level 1)

Hello Team,

I need your assistance. I've been trying to configure RADIUS authentication with a Cisco switch, to be authenticated by the NPS server. As shown below, I've created 2 network policies on the NPS RADIUS server: the first policy for TLs with shell-priv=15, and the other one for half-admin read-only with shell-priv=7.

 

Whenever anyone tries to access the switch, it grants him access with shell-priv=15, even when it hits the half-admin policy with shell-priv=7.

 

Can anyone assist me? Do I have to configure something else, or am I missing anything?

[attached screenshots of the two NPS network policies]

 

9 Replies

Can I see the vty line config?

Also, can I see the output of:

debug aaa authorization

MHM

asdrewaqf (Level 1)

vty config:

[attached screenshots of the vty line configuration and debug output]

 

It seems to me that RADIUS pushes both privs.

Add a new user, but without pushing Service-Type and Access permission, and try access using this new user.

MHM

Sorry man, I think you are confused, as the provided screenshots have 2 different IPs with 2 different users, so I think you doubted that the RADIUS has pushed 2 shell values.

So the debug is for two different IPs, not one IP? If yes, then:

show privilege. I think it is privilege 7, but it and any privilege above 1 will appear with #.

Do "show privilege" for both users and check the exact privilege.

MHM

asdrewaqf (Level 1)

It shows 15; however, the RADIUS is sending shell-priv=7.

Yes friend, I analyzed this issue; what is in my mind is that

Service-Type 6 (Administrative) and privilege 7 do not work with each other: Administrative overrides the privilege 7. To check, add a new user with privilege 7 and Service-Type User, and check.

MHM
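To see concretely what each NPS policy hands the switch, here is an added Python example (not code from the original poster, Cisco or Microsoft) that decodes a RADIUS Access-Accept and reports its Service-Type and the Cisco-AVPair shell:priv-lvl value, flagging the combination the reply above suspects (Service-Type Administrative together with a priv-lvl below 15). The packets are constructed inline to mirror the two policies described in the thread; the usernames, packet identifiers and the zeroed authenticator are assumptions. The same parser can be pointed at a real Access-Accept captured between NPS and the switch to confirm which attributes the server actually sends before changing the policy.

```python
"""Decode a RADIUS Access-Accept and report its EXEC-privilege attributes.

Added example for the thread above; the packets are hand-constructed test
data, not captures from NPS.  Attribute numbers follow RFC 2865 and the
Cisco VSA layout (vendor id 9, Cisco-AVPair sub-attribute 1)."""
import struct

ACCESS_ACCEPT = 2
ATTR_USER_NAME = 1
ATTR_SERVICE_TYPE = 6
ATTR_VENDOR_SPECIFIC = 26
CISCO_VENDOR_ID = 9   # IANA enterprise number for Cisco
CISCO_AVPAIR = 1      # vendor-type of Cisco-AVPair inside the VSA
SERVICE_TYPE_NAMES = {1: "Login", 2: "Framed", 6: "Administrative", 7: "NAS-Prompt"}


def build_access_accept(ident, username, service_type, avpairs):
    """Build a minimal Access-Accept (constructed data).  The 16-byte
    Response Authenticator is zeroed because this example only parses
    attributes and does not verify the packet against the shared secret."""
    attrs = bytearray()
    name = username.encode()
    attrs += bytes([ATTR_USER_NAME, 2 + len(name)]) + name
    attrs += bytes([ATTR_SERVICE_TYPE, 6]) + struct.pack("!I", service_type)
    for pair in avpairs:
        value = pair.encode()
        # Vendor-Id(4) + Vendor-Type(1) + Vendor-Length(1) + string
        vsa = struct.pack("!I", CISCO_VENDOR_ID) + bytes([CISCO_AVPAIR, 2 + len(value)]) + value
        attrs += bytes([ATTR_VENDOR_SPECIFIC, 2 + len(vsa)]) + vsa
    length = 20 + len(attrs)
    return struct.pack("!BBH", ACCESS_ACCEPT, ident, length) + bytes(16) + bytes(attrs)


def parse_attributes(packet):
    """Walk the TLV attribute list after the 20-byte header; expand Cisco VSAs.
    Raises ValueError on a truncated packet or a malformed attribute."""
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length != len(packet):
        raise ValueError("length field does not match packet size")
    attrs = []
    pos = 20
    while pos < length:
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("malformed attribute at offset %d" % pos)
        value = packet[pos + 2:pos + alen]
        if atype == ATTR_VENDOR_SPECIFIC and len(value) >= 6:
            vendor = struct.unpack("!I", value[:4])[0]
            vtype, vlen = value[4], value[5]
            if vendor == CISCO_VENDOR_ID and vtype == CISCO_AVPAIR:
                attrs.append(("Cisco-AVPair", value[6:4 + vlen].decode(errors="replace")))
            else:
                attrs.append(("Vendor-Specific", value))
        elif atype == ATTR_SERVICE_TYPE:
            attrs.append(("Service-Type", struct.unpack("!I", value)[0]))
        elif atype == ATTR_USER_NAME:
            attrs.append(("User-Name", value.decode(errors="replace")))
        else:
            attrs.append((atype, value))
        pos += alen
    return code, attrs


def privilege_summary(packet):
    """Report what the Access-Accept says about EXEC privilege: the Service-Type
    name, the shell:priv-lvl value (None if absent), and whether the packet
    carries Service-Type Administrative next to a priv-lvl below 15, which is
    the mix the thread suspects of producing privilege 15 on the switch."""
    code, attrs = parse_attributes(packet)
    if code != ACCESS_ACCEPT:
        raise ValueError("not an Access-Accept (code %d)" % code)
    service, priv = None, None
    for name, value in attrs:
        if name == "Service-Type":
            service = SERVICE_TYPE_NAMES.get(value, str(value))
        elif name == "Cisco-AVPair" and value.startswith("shell:priv-lvl="):
            priv = int(value.split("=", 1)[1])
    conflict = service == "Administrative" and priv is not None and priv < 15
    return {"service_type": service, "priv_lvl": priv, "admin_with_lower_priv": conflict}


# Constructed samples mirroring the two NPS policies from the thread, plus the
# variant the reply suggests trying: a non-Administrative Service-Type with priv 7.
TL_ACCEPT = build_access_accept(1, "tl-user", 6, ["shell:priv-lvl=15"])
HALF_ADMIN_ACCEPT = build_access_accept(2, "half-admin", 6, ["shell:priv-lvl=7"])
HALF_ADMIN_NAS_PROMPT = build_access_accept(3, "half-admin", 7, ["shell:priv-lvl=7"])

if __name__ == "__main__":
    for label, pkt in [("TL policy", TL_ACCEPT), ("half-admin policy", HALF_ADMIN_ACCEPT),
                       ("half-admin, NAS-Prompt", HALF_ADMIN_NAS_PROMPT)]:
        print(label, privilege_summary(pkt))
```

When reading real traffic, feed parse_attributes the UDP payload of the Access-Accept (code 2) only; the example deliberately does not check the Response Authenticator, so it tells you what the server sent, not whether the packet is authentic.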

Thank you. I'm still checking this issue and haven't found a solution yet, but I just have a question: is what I'm talking about applicable?

I mean, have you ever seen this solution?

You cannot add new users with Service-Type User?

MHM
