Users created in an AAA server are given the lowest level of access, Level 1, by default. With this privilege level, users can access read-only information pages from the Access Point (AP) user interface. Options that require read-write access pages prompt you for Level 15 access.
In order to disable the Level 15 Username and Password prompt, configure the group or user settings on the Cisco Secure ACS for Windows server to grant Level 15 access the first time the user logs in.
In order to provide Level 15 access to users for admin authentication, issue the shell:priv-lvl=15 command under Cisco IOS/PIX Firewall RADIUS Attributes. You can configure Cisco IOS/PIX RADIUS Attributes under the Group Setup section for the user group on the AAA server.
Similarly, we can use the same information on Cisco IOS routers as well. Here is the configuration example:
With the default keyword, authorization is applied to all the lines, i.e. CONSOLE, VTY, AUX. If you want it to apply to users who log in via SSH or Telnet, use the following:
router(config)#aaa authorization exec Cisco group radius local
router(config)#line vty 0 15
router(config-line)#authorization exec Cisco
On Cisco Secure ACS:
Check user & group for cisco av-pair.
User setup → cisco ios/pix 6.x radius attributes → cisco av-pair [shell:priv-lvl=15]
Group setup → ios/pix 6.x radius attributes → shell:priv-lvl=15
In the case of RADIUS, if exec authorization is enabled and no privilege level is specified in the ACS server, the user falls under privilege level 1. If enable authentication is enabled or an enable password is defined on the router, the user can then go to enable mode by typing en or en <priv-lvl>.
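To confirm from a packet capture what the AAA server actually grants, the added example below (not part of the original document or of any Cisco tool) parses a RADIUS Access-Accept, extracts the cisco-av-pair strings and reports the resulting exec privilege level, falling back to Level 1 when no shell:priv-lvl pair is present. The function names, the first-match rule and the sample packets are assumptions constructed for illustration.

```python
import struct

ACCESS_ACCEPT = 2       # RADIUS packet code (RFC 2865)
VENDOR_SPECIFIC = 26    # RADIUS attribute type for vendor-specific data
CISCO_VENDOR_ID = 9     # Cisco enterprise number
CISCO_AVPAIR = 1        # vendor type 1 = cisco-av-pair

def cisco_avpairs(packet):
    """Return every cisco-av-pair string carried in an Access-Accept."""
    if len(packet) < 20:
        raise ValueError("shorter than a RADIUS header")
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCESS_ACCEPT or length != len(packet):
        raise ValueError("not a well-formed Access-Accept")
    pairs, pos = [], 20                 # skip header and 16-byte authenticator
    while pos < length:
        if length - pos < 2 or packet[pos + 1] < 2 or pos + packet[pos + 1] > length:
            raise ValueError("bad attribute length")
        atype, alen = packet[pos], packet[pos + 1]
        value = packet[pos + 2:pos + alen]
        pos += alen
        if atype != VENDOR_SPECIFIC or len(value) < 6:
            continue
        (vendor,) = struct.unpack("!I", value[:4])
        vtype, vlen = value[4], value[5]
        # Only the first sub-attribute of each VSA is read (one pair per VSA).
        if vendor == CISCO_VENDOR_ID and vtype == CISCO_AVPAIR and 2 <= vlen <= len(value) - 4:
            pairs.append(value[6:4 + vlen].decode("ascii", "replace"))
    return pairs

def exec_privilege(packet):
    """Granted privilege level; 1 when the server sends no shell:priv-lvl."""
    for pair in cisco_avpairs(packet):
        if pair.startswith("shell:priv-lvl="):
            value = pair.split("=", 1)[1]
            if not value.isdigit() or not 0 <= int(value) <= 15:
                raise ValueError("invalid priv-lvl %r" % value)
            return int(value)           # first match wins (assumption)
    return 1

def build_accept(avpairs):
    """Constructed sample packet: Access-Accept with a zeroed authenticator."""
    attrs = b""
    for pair in avpairs:
        data = pair.encode("ascii")
        attrs += struct.pack("!BBIBB", VENDOR_SPECIFIC, len(data) + 8,
                             CISCO_VENDOR_ID, CISCO_AVPAIR, len(data) + 2) + data
    return struct.pack("!BBH", ACCESS_ACCEPT, 1, 20 + len(attrs)) + bytes(16) + attrs
```

Running exec_privilege over the Access-Accept packets in a capture shows which logins receive Level 15 directly from the AAA server and which fall back to Level 1.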