Hi,
I'm trying to add Radius authentication and authorisation on an IOS router.
Authentication works fine but I'm having problems with authorisation. I think the issue is the radius server I'm using but hoping someone might confirm and suggest if there is another way around my "problem" before I configure a new server.
The requirement is pretty straightforward at this stage. I want all user logins to be authenticated by the radius server and enter at privilege level 15 (don't panic, it's a test lab environment..)
The config is:
aaa new-model
aaa authentication login default group radius local
aaa authorization exec default group radius local
I've also tried
aaa authorization exec default group radius if-authenticated
Now, I've been reading and I have seen this which has highlighted the concept of 'AV-Pairs' that I was not previously aware of. Doesn't look like this is supported by my Radius server. All it has is a space to add clients by IP and a space to add users and give both a name and password.
So I think that's my problem and I just need to configure a more capable Radius server.
I am surprised that the 'if-authenticated' keyword didn't help, though. If I configure
aaa authorization exec default local
then local users get privilege 15 on login, as expected.
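
An added example, not part of the original post: the "AV-pair" mentioned above travels in the RADIUS Access-Accept as a Vendor-Specific attribute (type 26) with Cisco's vendor ID 9 and sub-type 1, carrying a string such as shell:priv-lvl=15. The sketch below encodes and decodes that attribute and shows why an accept without it leaves the exec session at the default level. The function names and sample attribute lists are constructed for illustration, and the default of 1 assumes the router's normal user EXEC level.

```python
import struct

VENDOR_SPECIFIC = 26   # RADIUS attribute type (RFC 2865, section 5.26)
CISCO_VENDOR_ID = 9    # Cisco's IANA enterprise number
CISCO_AVPAIR = 1       # Cisco vendor sub-type carrying "attribute=value" strings


def encode_cisco_avpair(avpair: str) -> bytes:
    """Wrap one AV-pair string in a Vendor-Specific attribute."""
    data = avpair.encode("ascii")
    sub = struct.pack("!BB", CISCO_AVPAIR, 2 + len(data)) + data
    total = 2 + 4 + len(sub)          # type + length + vendor id + sub-attribute
    if total > 255:
        raise ValueError("AV-pair too long for a single RADIUS attribute")
    return struct.pack("!BBI", VENDOR_SPECIFIC, total, CISCO_VENDOR_ID) + sub


def decode_cisco_avpairs(attrs: bytes) -> list[str]:
    """Walk a RADIUS attribute list and return every Cisco AV-pair string."""
    pairs, pos = [], 0
    while pos < len(attrs):
        if len(attrs) - pos < 2:
            raise ValueError("truncated attribute header")
        atype, alen = attrs[pos], attrs[pos + 1]
        if alen < 2 or pos + alen > len(attrs):
            raise ValueError("bad attribute length")
        value = attrs[pos + 2:pos + alen]
        pos += alen
        if atype != VENDOR_SPECIFIC or len(value) < 6:
            continue                  # not a VSA, or too short to hold one
        (vendor,) = struct.unpack("!I", value[:4])
        subtype, sublen = value[4], value[5]
        if (vendor == CISCO_VENDOR_ID and subtype == CISCO_AVPAIR
                and 2 <= sublen <= len(value) - 4):
            pairs.append(value[6:4 + sublen].decode("ascii", "replace"))
    return pairs


def exec_privilege(attrs: bytes, default: int = 1) -> int:
    """Privilege level the reply asks for; 'default' if no priv-lvl pair exists."""
    for pair in decode_cisco_avpairs(attrs):
        if pair.startswith("shell:priv-lvl="):
            return int(pair.split("=", 1)[1])
    return default


# Constructed sample attribute lists (not captured traffic).
bare_accept = bytes([18, 4]) + b"ok"   # Reply-Message only, no AV-pair
priv15_accept = bare_accept + encode_cisco_avpair("shell:priv-lvl=15")
```

A server that only stores a username and password can return something like `bare_accept` at best, so `exec_privilege` falls back to the default; a server able to send the attribute built by `encode_cisco_avpair` yields 15.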