Cisco iOS Doesn't Listen to RADIUS Privilege Level in Console

mapguy11
Level 1
Level 1

Hi All,

So I have RADIUS with Microsoft NPS successfully working on my IE2000 and 3000 switches with the WebUI and SSH. But when logging in on the console, the privilege level 1 assigned to my own user is not followed, and the user is allowed to go into configuration terminal mode. On SSH and the WebUI this doesn't happen and is met with an "Authorization Error" as expected. Here is my configuration, as I am quite puzzled why the console wouldn't listen to the privilege level set by the NPS rules.

aaa new-model
!
!
aaa authentication login default group radius local
aaa authorization exec default group radius local

ip http server
ip http authentication aaa
ip http secure-server
ip forward-protocol nd

line con 0
stopbits 1


---Version---

Cisco IOS XE Software, Version 17.06.03
Cisco IOS Software [Bengaluru], IE3x00 Switch Software (IE3x00-UNIVERSALK9-M), Version 17.6.3, RELEASE SOFTWARE (fc4)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2022 by Cisco Systems, Inc.
Compiled Wed 30-Mar-22 22:21 by mcpre


Cisco IOS-XE software, Copyright (c) 2005-2022 by cisco Systems, Inc.
All rights reserved. Certain components of Cisco IOS-XE software are
licensed under the GNU General Public License ("GPL") Version 2.0. The
software code licensed under GPL Version 2.0 is free software that comes
with ABSOLUTELY NO WARRANTY. You can redistribute and/or modify such
GPL code under the terms of GPL Version 2.0. For more details, see the
documentation or "License Notice" file accompanying the IOS-XE software,
or the applicable URL provided on the flyer accompanying the IOS-XE
software.


ROM: IOS-XE ROMMON
BOOTLDR: Version 7.1.14 [RELEASE SOFTWARE] crashkernel=64M
switch2-ie3000 uptime is 15 hours, 44 minutes
Uptime for this control processor is 15 hours, 45 minutes
System returned to ROM by Reload Command at 20:14:06 UTC Thu Jun 6 2024
System image file is "flash:ie3x00-universalk9.17.06.03.SPA.bin"
Last reload reason: Reload Command


This product contains cryptographic features and is subject to United
States and local country laws governing import, export, transfer and
use. Delivery of Cisco cryptographic products does not imply
third-party authority to import, export, distribute or use encryption.
Importers, exporters, distributors and users are responsible for
compliance with U.S. and local country laws. By using this product you
agree to comply with applicable laws and regulations. If you are unable
to comply with U.S. and local laws, return this product immediately.

A summary of U.S. laws governing Cisco cryptographic products may be found at:
http://www.cisco.com/wwl/export/crypto/tool/stqrg.html

If you require further assistance please contact us by sending email to
export@cisco.com.


Technology Package License Information:

------------------------------------------------------------------------------
Technology-package Technology-package
Current Type Next reboot
------------------------------------------------------------------------------
network-essentials Smart License network-essentials
None Subscription Smart License None


Smart Licensing Status: Registration Not Applicable/Not Applicable

cisco IE-3300-8T2S (ARM) processor (revision V06) with 883739K/6147K bytes of memory.
Processor board ID FCW2743Y639
2 Virtual Ethernet interfaces
10 Gigabit Ethernet interfaces
32768K bytes of non-volatile configuration memory.
3952284K bytes of physical memory.
523264K bytes of crashinfo at crashinfo:.
1684480K bytes of Flash at flash:.
3883008K bytes of sdflash at sdflash:.


You can see on the vty lines it enforces the priv level I set, but for the console it does not.

*Jun 7 12:07:08.767: AAA/BIND(00000012): Bind i/f
*Jun 7 12:07:16.595: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: ciscoview] [Source: 192.168.14.204] [localport: 22] at 12:07:16 UTC Fri Jun 7 2024
*Jun 7 12:07:16.598: AAA/AUTHOR/EXEC(00000012): processing AV priv-lvl=1
*Jun 7 12:07:16.598: AAA/AUTHOR/EXEC(00000012): processing AV service-type=7
*Jun 7 12:07:16.598: AAA/AUTHOR/EXEC(00000012): Authorization successful
*Jun 7 12:07:27.957: AAA/AUTHOR: auth_need : user= 'ciscoview' ruser= 'switch2-ie3000'rem_addr= '192.168.14.204' priv= 0 list= '' AUTHOR-TYPE= 'commands'
*Jun 7 12:07:27.957: AAA: parse name=tty2 idb type=-1 tty=-1
*Jun 7 12:07:27.957: AAA: name=tty2 flags=0x11 type=5 shelf=0 slot=0 adapter=0 port=2 channel=0
*Jun 7 12:07:27.958: AAA/MEMORY: create_user (0x7F45D8E1A8) user='ciscoview' ruser='NULL' ds0=0 port='tty2' rem_addr='192.168.14.204' authen_type=ASCII service=ENABLE priv=15 initial_task_id='0', vrf= (id=0)
*Jun 7 12:07:27.958: AAA/MEMORY: free_user (0x7F45D8E1A8) user='ciscoview' ruser='NULL' port='tty2' rem_addr='192.168.14.204' authen_type=ASCII service=ENABLE priv=15 vrf= (id=0)

Is this debug for console or vty?

Share both if you can with 

Debug radius all

MHM

IE3000 Logging in via Console: (The problem child that doesn't listen to the priv I set)

Username: ciscoview
*Jun 7 12:58:40.459: RADIUS/ENCODE(000003DF): ask "Username: "
*Jun 7 12:58:40.459: RADIUS/ENCODE(000003DF): send packet; GET_USER
Password:
*Jun 7 12:58:42.533: RADIUS/ENCODE(000003DF): ask "Password: "
*Jun 7 12:58:42.533: RADIUS/ENCODE(000003DF): send packet; GET_PASSWORD

switch2-ie3000>
*Jun 7 12:58:45.337: RADIUS/ENCODE(000003DF):Orig. component type = Exec
*Jun 7 12:58:45.337: RADIUS/ENCODE(000003DF): Unsupported AAA attribute clid
*Jun 7 12:58:45.337: RADIUS/ENCODE(000003DF): dropping service type, "radius-server attribute 6 on-for-login-auth" is off
*Jun 7 12:58:45.337: RADIUS(000003DF): Config NAS IP: 0.0.0.0
*Jun 7 12:58:45.338: vrfid: [65535] ipv6 tableid : [0]
*Jun 7 12:58:45.338: idb is NULL
*Jun 7 12:58:45.338: RADIUS(000003DF): Config NAS IPv6: ::
*Jun 7 12:58:45.338: RADIUS/ENCODE(000003DF): acct_session_id: 4981
*Jun 7 12:58:45.338: RADIUS(000003DF): sending
*Jun 7 12:58:45.338: RADIUS/ENCODE: Best Local IP-Address 192.168.102.228 for Radius-Server 192.168.102.2
*Jun 7 12:58:45.338: RADIUS(000003DF): Send Access-Request to 192.168.102.2:1812 id 1645/12, len 73
RADIUS: authenticator 9A 0D 43 F7 43 05 81 FC - B1 31 D7 6D 06 E1 5B 64
*Jun 7 12:58:45.338: RADIUS: User-Name [1] 11 "ciscoview"
*Jun 7 12:58:45.338: RADIUS: User-Password [2] 18 *
*Jun 7 12:58:45.339: RADIUS: NAS-Port [5] 6 0
*Jun 7 12:58:45.339: RADIUS: NAS-Port-Id [87] 6 "tty0"
*Jun 7 12:58:45.339: RADIUS: NAS-Port-Type [61] 6 Async [0]
*Jun 7 12:58:45.339: RADIUS: NAS-IP-Address [4] 6 192.168.102.228
*Jun 7 12:58:45.339: RADIUS(000003DF): Sending a IPv4 Radius Packet
*Jun 7 12:58:45.339: RADIUS(000003DF): Started 5 sec timeout
*Jun 7 12:58:45.351: RADIUS: Received from id 1645/12 192.168.102.2:1812, Access-Accept, len 150
RADIUS: authenticator 2E DD C7 C9 13 2C 57 70 - B7 0E BE 94 B4 84 D2 65
*Jun 7 12:58:45.351: RADIUS: Vendor, Cisco [26] 24
*Jun 7 12:58:45.351: RADIUS: Cisco AVpair [1] 18 "shell:priv-lvl=1"
*Jun 7 12:58:45.351: RADIUS: Framed-Protocol [7] 6 PPP [1]
*Jun 7 12:58:45.351: RADIUS: Service-Type [6] 6 NAS Prompt [7]
*Jun 7 12:58:45.352: RADIUS: Class [25] 46
RADIUS: AB 05 09 25 00 00 01 37 00 01 02 00 C0 A8 66 02 00 00 00 00 28 10 D7 A8 0B D3 1E DA 01 DA B8 4A 58 25 28 0A 00 00 00 00 00 00 01 FF [ ?7f(JX?(]
*Jun 7 12:58:45.352: RADIUS: Vendor, Microsoft [26] 12
*Jun 7 12:58:45.352: RADIUS: MS-Link-Util-Thresh[14] 6
RADIUS: 00 00 00 32 [ 2]
*Jun 7 12:58:45.352: RADIUS: Vendor, Microsoft [26] 12
*Jun 7 12:58:45.352: RADIUS: MS-Link-Drop-Time-L[15] 6
RADIUS: 00 00 00 78 [ x]
*Jun 7 12:58:45.352: RADIUS: Vendor, Microsoft [26] 12
*Jun 7 12:58:45.352: RADIUS: MS-MPPE-Enc-Policy [7] 6
RADIUS: 00 00 00 02
*Jun 7 12:58:45.352: RADIUS: Vendor, Microsoft [26] 12
*Jun 7 12:58:45.352: RADIUS: MS-MPPE-Enc-Type [8] 6
RADIUS: 00 00 00 04
*Jun 7 12:58:45.352: RADIUS(000003DF): Received from id 1645/12
*Jun 7 12:58:45.353: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: ciscoview] [Source: LOCAL] [localport: 0] at 12:58:45 UTC Fri Jun 7 2024
switch2-ie3000>en
switch2-ie3000#conf t
Enter configuration commands, one per line. End with CNTL/Z.
switch2-ie3000(config)#

IE3000 Logging in via SSH/Telnet: (Correctly denied when trying to access en/conf t)

*Jun 7 13:00:54.191: %SYS-5-CONFIG_I: Configured from console by ciscoview on console
*Jun 7 13:00:55.196: %SYS-6-LOGOUT: User ciscoview has exited tty session 0()
*Jun 7 13:01:13.857: RADIUS/ENCODE(000003E0): ask "Password: "
*Jun 7 13:01:13.857: RADIUS/ENCODE(000003E0): send packet; GET_PASSWORD
*Jun 7 13:01:16.911: RADIUS/ENCODE(000003E0):Orig. component type = Exec
*Jun 7 13:01:16.911: RADIUS/ENCODE(000003E0): Unsupported AAA attribute clid
*Jun 7 13:01:16.911: RADIUS/ENCODE(000003E0): dropping service type, "radius-server attribute 6 on-for-login-auth" is off
*Jun 7 13:01:16.911: RADIUS(000003E0): Config NAS IP: 0.0.0.0
*Jun 7 13:01:16.911: vrfid: [65535] ipv6 tableid : [0]
*Jun 7 13:01:16.911: idb is NULL
*Jun 7 13:01:16.911: RADIUS(000003E0): Config NAS IPv6: ::
*Jun 7 13:01:16.911: RADIUS/ENCODE(000003E0): acct_session_id: 4982
*Jun 7 13:01:16.911: RADIUS(000003E0): sending
*Jun 7 13:01:16.911: RADIUS/ENCODE: Best Local IP-Address 192.168.102.228 for Radius-Server 192.168.102.2
*Jun 7 13:01:16.912: RADIUS(000003E0): Send Access-Request to 192.168.102.2:1812 id 1645/13, len 73
RADIUS: authenticator 59 EC F5 9A 74 29 8D 28 - AC 1B AC 43 97 BB 2B 8F
*Jun 7 13:01:16.912: RADIUS: User-Name [1] 11 "ciscoview"
*Jun 7 13:01:16.912: RADIUS: User-Password [2] 18 *
*Jun 7 13:01:16.912: RADIUS: NAS-Port [5] 6 3
*Jun 7 13:01:16.912: RADIUS: NAS-Port-Id [87] 6 "tty3"
*Jun 7 13:01:16.912: RADIUS: NAS-Port-Type [61] 6 Virtual [5]
*Jun 7 13:01:16.912: RADIUS: NAS-IP-Address [4] 6 192.168.102.228
*Jun 7 13:01:16.912: RADIUS(000003E0): Sending a IPv4 Radius Packet
*Jun 7 13:01:16.912: RADIUS(000003E0): Started 5 sec timeout
*Jun 7 13:01:16.926: RADIUS: Received from id 1645/13 192.168.102.2:1812, Access-Accept, len 150
RADIUS: authenticator 94 4C 4F 92 3E 6B 2C 34 - C2 34 03 93 09 34 E0 2E
*Jun 7 13:01:16.926: RADIUS: Vendor, Cisco [26] 24
*Jun 7 13:01:16.926: RADIUS: Cisco AVpair [1] 18 "shell:priv-lvl=1"
*Jun 7 13:01:16.926: RADIUS: Framed-Protocol [7] 6 PPP [1]
*Jun 7 13:01:16.926: RADIUS: Service-Type [6] 6 NAS Prompt [7]
*Jun 7 13:01:16.926: RADIUS: Class [25] 46
RADIUS: AA 08 08 27 00 00 01 37 00 01 02 00 C0 A8 66 02 00 00 00 00 28 10 D7 A8 0B D3 1E DA 01 DA B8 4A 58 25 28 0A 00 00 00 00 00 00 02 00 [ '7f(JX?(]
*Jun 7 13:01:16.926: RADIUS: Vendor, Microsoft [26] 12
*Jun 7 13:01:16.926: RADIUS: MS-Link-Util-Thresh[14] 6
RADIUS: 00 00 00 32 [ 2]
*Jun 7 13:01:16.926: RADIUS: Vendor, Microsoft [26] 12
*Jun 7 13:01:16.927: RADIUS: MS-Link-Drop-Time-L[15] 6
RADIUS: 00 00 00 78 [ x]
*Jun 7 13:01:16.927: RADIUS: Vendor, Microsoft [26] 12
*Jun 7 13:01:16.927: RADIUS: MS-MPPE-Enc-Policy [7] 6
RADIUS: 00 00 00 02
*Jun 7 13:01:16.927: RADIUS: Vendor, Microsoft [26] 12
*Jun 7 13:01:16.927: RADIUS: MS-MPPE-Enc-Type [8] 6
RADIUS: 00 00 00 04
*Jun 7 13:01:16.927: RADIUS(000003E0): Received from id 1645/13
*Jun 7 13:01:16.928: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: ciscoview] [Source: 192.168.14.204] [localport: 22] at 13:01:16 UTC Fri Jun 7 2024

switch2-ie3000>en

% Error in authentication.

^ What is supposed to happen when I log in via console.

As I explained in my previous post, it is not an issue with your Radius server, but is an issue with your Cisco switch. By default the Cisco switch does not do authorization on the console. As mentioned in a post by MHM, it is because it is easy to lock yourself out of access to a device if you misconfigure authorization on the console (I speak as one who has done this).

If you want authorization to work on the console take another look at the post by BB who shows the commands for this.

HTH

Rick

FYI

aaa authentication login default group radius local
aaa authorization console
aaa authorization exec default group radius local if-authenticated


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul
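The debug output above is enough to separate the two halves of the problem: NPS returns `shell:priv-lvl=1` in the Access-Accept for both the console login (NAS-Port-Type Async [0]) and the SSH login (NAS-Port-Type Virtual [5]), so the server side is consistent, and the difference is whether the switch applies exec authorization to line con 0 at all. The script below is an added example, not code from the thread or from Cisco; it parses `debug radius all` excerpts in the shape posted above (constructed here from those transcripts) together with an IOS running-config fragment, and reports whether the console bypass is explained by a missing `aaa authorization console` (the command Paul added) rather than by the RADIUS reply. It assumes that `aaa authorization console` is what makes the default exec authorization method list apply to the console line, which is how the replies above describe it.

```python
"""Added example: attribute a console privilege-level bypass to the RADIUS
server or to the switch's AAA config, using `debug radius all` output.
Not code from the thread; the excerpts below are constructed from it."""
import re

# Constructed excerpt of the console login debug (NAS-Port-Type Async = tty0).
CONSOLE_DEBUG = """\
*Jun 7 12:58:45.339: RADIUS: NAS-Port-Id [87] 6 "tty0"
*Jun 7 12:58:45.339: RADIUS: NAS-Port-Type [61] 6 Async [0]
*Jun 7 12:58:45.351: RADIUS: Received from id 1645/12 192.168.102.2:1812, Access-Accept, len 150
*Jun 7 12:58:45.351: RADIUS: Cisco AVpair [1] 18 "shell:priv-lvl=1"
*Jun 7 12:58:45.351: RADIUS: Service-Type [6] 6 NAS Prompt [7]
"""

# Constructed excerpt of the SSH login debug (NAS-Port-Type Virtual = vty).
VTY_DEBUG = """\
*Jun 7 13:01:16.912: RADIUS: NAS-Port-Id [87] 6 "tty3"
*Jun 7 13:01:16.912: RADIUS: NAS-Port-Type [61] 6 Virtual [5]
*Jun 7 13:01:16.926: RADIUS: Received from id 1645/13 192.168.102.2:1812, Access-Accept, len 150
*Jun 7 13:01:16.926: RADIUS: Cisco AVpair [1] 18 "shell:priv-lvl=1"
*Jun 7 13:01:16.926: RADIUS: Service-Type [6] 6 NAS Prompt [7]
"""

# The original poster's AAA config, and the same config with Paul's additions.
ORIGINAL_CONFIG = """\
aaa new-model
aaa authentication login default group radius local
aaa authorization exec default group radius local
line con 0
 stopbits 1
"""
FIXED_CONFIG = """\
aaa new-model
aaa authentication login default group radius local
aaa authorization console
aaa authorization exec default group radius local if-authenticated
line con 0
 stopbits 1
"""

PORT_TYPE_TO_LINE = {"Async": "console", "Virtual": "vty"}


def parse_access_accept(debug_text):
    """Pull the line type and the server-assigned priv-lvl out of debug output."""
    port = re.search(r"NAS-Port-Type\s+\[61\]\s+\d+\s+(\w+)\s+\[(\d+)\]", debug_text)
    priv = re.search(r'"shell:priv-lvl=(\d+)"', debug_text)
    return {
        "accepted": "Access-Accept" in debug_text,
        "nas_port_type": port.group(1) if port else None,
        "line": PORT_TYPE_TO_LINE.get(port.group(1)) if port else None,
        "priv_lvl": int(priv.group(1)) if priv else None,
    }


def console_authorization_enabled(config_text):
    """True only when the exact global command is present (not a 'no' form)."""
    return any(l.strip() == "aaa authorization console" for l in config_text.splitlines())


def exec_authorization_methods(config_text):
    """Method list of the default exec authorization, e.g. ['group', 'radius', 'local']."""
    for raw in config_text.splitlines():
        line = raw.strip()
        if line.startswith("aaa authorization exec default "):
            return line.split()[4:]
    return None


def diagnose(debug_text, config_text):
    """Return which side (server or switch) explains the observed behaviour."""
    reply = parse_access_accept(debug_text)
    methods = exec_authorization_methods(config_text)
    if not reply["accepted"] or reply["priv_lvl"] is None:
        return "server: no shell:priv-lvl in Access-Accept, fix the NPS policy"
    if methods is None:
        return "switch: no default exec authorization list, priv-lvl never applied"
    if reply["line"] == "console" and not console_authorization_enabled(config_text):
        return "switch: exec authorization is off for line con 0, add 'aaa authorization console'"
    if reply["line"] == "console":
        return "switch: console exec authorization enabled, priv-lvl %d should apply" % reply["priv_lvl"]
    return "vty: default exec authorization applies, priv-lvl %d enforced" % reply["priv_lvl"]


if __name__ == "__main__":
    for name, dbg in (("console", CONSOLE_DEBUG), ("vty", VTY_DEBUG)):
        print(name, "/ original config ->", diagnose(dbg, ORIGINAL_CONFIG))
        print(name, "/ fixed config    ->", diagnose(dbg, FIXED_CONFIG))
```

Run against the original config the console case is attributed to the switch and the vty case to enforced authorization, which matches what the thread observed; the value of the check is that it reads the same `shell:priv-lvl=1` out of both replies, so a "wrong NPS policy" theory is ruled out before touching the server. A practical follow-up, since the poster reports the change did not take effect, is to confirm with `show running-config | include aaa authorization` that the command was actually accepted and then retest from a fresh console login.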

Surprisingly, that doesn't change anything. I am leaning towards a bug in the system, but I am still unsure, and I have to be missing something!
