Users created in an AAA server are given the lowest level of access, Level 1, by default. With this privilege level, users can access read-only information pages from the Access Point (AP) user interface. Options that require read-write access pages prompt you for Level 15 access.
In order to disable the Level 15 Username and Password prompt, configure the group or user settings on the Cisco Secure ACS for Windows server to grant Level 15 access the first time the user logs in.
In order to provide Level 15 access to users for admin authentication, issue the shell:priv-lvl=15 command under Cisco IOS /PIX Firewall RADIUS Attributes. You can configure Cisco IOS/PIX RADIUS Attributes under the Group Setup section for the user group on the AAA server.
Similarly we can use the same informaiton on Cisco IOS routers as well. Here is the Configuration Example :-
The with default keyword authorization will get applied on all the lines i.e. CONSOLE, VTY, AUX. In case you want it for users who are trying to login to via ssh or telnet use the following:
router(config)#aaa authorization exec Cisco group radius local router(config)#line vty 0 15 router(config-line)#authorization exec Cisco
On Cisco Secure ACS:-
Checkuser & group for cisco av-pair.
User setup à cisco ios/pix 6.x radius attributes àcisco av-pair [ shell:priv-lvl=15]
Group setup à ios/pix 6.x radius attributes à shell:priv-lvl=15
In case of radius if exec authorization is enabledand if have not specified any privilege level in the ACS server. Then user will fall under the privilege level 1 and if enable authentication is enabledor enable password is definedon the router then we can go to enable mode by typing en or en <priv-lvl>
Hiwe have three offices all running with their own 5508's. I plan on replacing those WLC's with newer ones. Is there a design were I can replace they with a pair in our CoLo data center and have all the AP's talk back to them? I used to do this with HREAP...
Hi,We have 5520 wlc and we are using RTU license.Currently we are using 100 license and trying to add some more licenses , while trying add more license getting an error like "licenses cannot added/removed on secondary HA /SKU cont...
Hello,I have a AIR-AP1852I-E-K9 set up as a Primary Controller and I'm having trouble connecting the other AP which is an AIr-AP1832I-E-K9 to the network. I can't see the other AP in Rogue APs or anywhere else.Both of them have Mobility Express insta...
Hello i have acces point 1130AG and i want to configure " Security: Global SSID Manager" but i can't save cpnfigure from interface web ap .. so i can allow AP accept paramter " Security: Global SSID Manager" that i can se...