Setting privilege level on vty lines

SlipperyPete
Level 1

We've been setting privilege levels on the vty lines, like this:

line vty 0 4
 privilege level 15
 login authentication [Radius]
 transport input ssh

But then we started playing around with our Radius configuration to see if Radius would convey the privilege level for different users and we took the privilege level command off the vty lines. Once we did that, we found that any incoming vty users are logged in in regular user exec mode, regardless of the Radius settings, and even when users would log in using a local user account with privilege level 15, they would still get logged in in user exec mode. So, for example, we would have a local user account defined:

username mbrown privilege 15 password xxxxxxx

and we'd configure our vty lines like this:

line vty 0 4
 login authentication default
 transport input ssh

and the user (mbrown) would get logged in in user exec mode, even though we specified privilege level 15 on his account.

Has anyone else encountered this behavior?

Thanks.

10 Replies

Richard Burts
Hall of Fame

Patrick

I believe that you are seeing a normal behavior and not something abnormal. You have not provided much detail of how the routers are configured for aaa authentication. But it appears from your description that you are expecting some users to authenticate via Radius and some users to authenticate via local authentication. While it is not impossible to do this, it is quite unusual. The normal operation is that all users authenticate via Radius (and of course you can have local authentication as a backup if the Radius server is not available) or all users authenticate via local.

Is the username mbrown also a user configured in Radius? I would guess that while it may be a local account that could be used if the Radius server is not available, that the user is normally being authenticated by Radius. One way to check on this would be to turn on debug aaa authentication and have the user login. The debug should indicate whether it went to Radius or whether it did local authentication.

HTH

Rick


Rick,

Thanks for the feedback. Here are all of our authentication configurations, including our Radius config and a local account configured for backup in case Radius fails. The local account is not in Radius; it is only configured on the switch:

aaa new-model
aaa authentication login RadiusAuth group radius local
enable secret 5 xxxxxxxxx
!
username backup_account privilege 15 password 0 xxxxxxxx
!
ip radius source-interface Vlan1
radius-server host xxx.xxx.xxx.xxx auth-port 1645 acct-port 1646 key xxxxxxxx
radius-server retransmit 3
line vty 0 4
 privilege level 15
 login authentication RadiusAuth
 transport input ssh

What we find is that if we disable Radius and set the local user account to have a lower privilege level, the user is still logged in in privileged exec mode (Switch#). On the other hand, if we remove the privilege config from the vty lines, then everyone who logs in is set at regular user exec mode (Switch>), regardless of what is configured on Radius or (if Radius is disabled) what privilege level is set on the local user account. So it seems that the privilege setting on the vty lines supersedes any other settings. How can we configure it so that the switch or router determines the user's privilege level based on the Radius login or on the local account, as opposed to what is configured on the vty lines?

Patrick

It is normal behavior of IOS that if you configure the vty with privilege level 15, any remote access will be logged in using privilege level access and not user level. The configured privilege level on the vty overrides any privilege level from Radius or from local authentication. So what you are seeing with the privilege level on the vty is normal behavior.

If you remove the privilege level 15 from the vty then the behavior should change. When authenticating with Radius I would expect all remote access to be logged in using user mode. The only thing that you are asking Radius to do is to authenticate the user. Assigning privilege level generally requires authorization.

I would expect that when you disable Radius and use the local user ID, the user should be put into privilege mode if the local user ID specifies privilege level 15.

HTH

Rick


Rick,

What you said in that last line is the crux of the matter, and I've tested this multiple times and always get the same result. I remove the privilege level setting from the vty lines, disable Radius, then log in using the local user account (with privilege level 15), and it logs me in in user exec mode, apparently disregarding the privilege level setting on the local account. It seems that by NOT specifying a privilege level on the vty line, the IOS ignores any local account settings and sets all incoming vty users at user exec mode. This also happens when Radius is enabled - all incoming vty users are set at user exec mode.

Pat

greg.washburn
Level 1

I think I understand what you are saying and while I don't know the specifics of the implementation it has to do with not having additional commands probably.

Something like "aaa authorization exec" and/or "aaa authorization commands 15".

I hope this is enough info that either you can take this to the next level or someone more experienced can give a specific example of how these or other similar commands allow local users (or radius users, for that matter) the ability to not have to enter the enable/secret password if they specifically have priv 15 level accounts.

Patrick

Greg is on the right track. You need an aaa authorization exec command (and I advise you to stay away from the aaa authorization commands 15). I set up a test and verified it. The details might vary a little depending on your individual environment, but I would suggest that you do something that looks a bit like this:

aaa authorization exec vty_author group radius local
line vty 0 4
 authorization exec vty_author

My test environment has TACACS rather than Radius. But I believe that what I have given should work with Radius ok.

HTH

Rick


Patrick if you use Rick's suggested example please post back to forum if it works as anticipated.

When I tried this specific example in a 2008 NPS radius lab I was able to get straight to priv mode for local accounts but all radius authentication attempts started failing and I had to back it out.


It worked!

The config (including our local account) now looks like this:

username local_backup privilege 15 password 7 xxxxxxxxxxxxxxx
aaa authentication login RadiusAuth group radius local
aaa authorization exec RadiusAuth group radius local
line vty 0 4
 authorization exec RadiusAuth
 login authentication RadiusAuth

I tried removing "authentication login" configs, since it seems redundant, but it only works with both the authorization and authentication configs.

Interestingly, the backup local user account now works as it should (logs in in privilege mode), even though you'd think it wouldn't be affected by aaa Radius configs.

FYI - I'm testing using a 3750 switch with Radius running on MS/IAS.

Thanks very much for the help. It's a big relief to figure this one out.

Pat
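An added config-audit example (not from this thread or from Cisco) that checks a saved IOS config for the two situations discussed above: a `privilege level` on the vty that silently gives every authenticated user that level, and a vty without `authorization exec`, which leaves users in user EXEC no matter what RADIUS or the local account says. The BEFORE/AFTER samples are constructed from the configs posted in the thread with secrets omitted.

```python
# Constructed samples modelled on the thread (secrets omitted): BEFORE handed every vty
# user privilege 15 via the line itself; AFTER honours privilege from RADIUS or the local account.
BEFORE = """\
aaa authentication login RadiusAuth group radius local
line vty 0 4
 privilege level 15
 login authentication RadiusAuth
"""
AFTER = """\
aaa authentication login RadiusAuth group radius local
aaa authorization exec RadiusAuth group radius local
line vty 0 4
 authorization exec RadiusAuth
 login authentication RadiusAuth
"""

def parse_config(config):
    """Split an IOS config into global commands and the bodies of each 'line vty' section."""
    global_cmds, vty_sections, current = [], [], None
    for raw in filter(str.strip, config.splitlines()):
        if raw.startswith(" "):                 # indented line belongs to the open section, if any
            if current is not None:
                current.append(raw.strip())
        elif raw.startswith("line vty"):        # a new vty section opens here
            current = []
            vty_sections.append(current)
        else:                                   # any other unindented line closes the section
            current = None
            global_cmds.append(raw.strip())
    return global_cmds, vty_sections

def list_names(global_cmds, prefix):  # names of method lists defined as '<prefix> <name> ...'
    return {c.split()[3] for c in global_cmds if c.startswith(prefix + " ")}

def audit_vty_aaa(config):
    """Return findings about how vty users get their privilege level; [] means consistent."""
    global_cmds, vty_sections = parse_config(config)
    authz_lists = list_names(global_cmds, "aaa authorization exec")
    findings = []
    for sec in vty_sections:
        priv = [c for c in sec if c.startswith("privilege level")]
        exec_lists = [c.split()[2] for c in sec if c.startswith("authorization exec")]
        if priv:            # line-level privilege wins over whatever RADIUS or the local user says
            findings.append(f"vty '{priv[0]}' overrides per-user privilege from RADIUS and local accounts")
        if not exec_lists:  # without exec authorization everyone drops into user EXEC
            findings.append("vty has no 'authorization exec': users land in user EXEC regardless of privilege")
        for name in exec_lists:
            if name not in authz_lists:
                findings.append(f"vty references undefined authorization exec list '{name}'")
    return findings
```

Run it over the output of `show running-config` saved to a file; the BEFORE sample produces two findings and the AFTER sample none.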

Pat

I am glad that you got it worked out and that my suggestions were helpful. Thanks for posting back to the thread and indicating that you had solved it and how you solved it. It makes the forum more useful when people can read about a problem and can read how the problem was solved.

HTH

Rick
