TCC_2
Level 10

Core Issue

Users created in an AAA server are given the lowest level of access, Level 1, by default. With this privilege level, users can access read-only information pages from the Access Point (AP) user interface. Options that require read-write access pages prompt you for Level 15 access.

Resolution

In order to disable the Level 15 Username and Password prompt, configure the group or user settings on the Cisco Secure ACS for Windows server to grant Level 15 access the first time the user logs in.

In order to provide Level 15 access to users for admin authentication, issue the shell:priv-lvl=15 command under Cisco IOS/PIX Firewall RADIUS Attributes. You can configure Cisco IOS/PIX RADIUS Attributes under the Group Setup section for the user group on the AAA server.

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Similarly, the same information can be used on Cisco IOS routers as well. Here is a configuration example:

With the default keyword, authorization is applied on all the lines, i.e. CONSOLE, VTY, AUX. In case you want it only for users who are trying to log in via SSH or Telnet, use the following:

EXEC AUTHORIZATION

Router

router(config)#aaa authorization exec Cisco group radius local
router(config)#line vty 0 15
router(config-line)#authorization exec Cisco

On Cisco Secure ACS:

Interface configuration

Check user & group for cisco av-pair.

User setup -> cisco ios/pix 6.x radius attributes -> cisco av-pair [shell:priv-lvl=15]

OR

Group setup -> ios/pix 6.x radius attributes -> shell:priv-lvl=15

In the case of RADIUS, if exec authorization is enabled and no privilege level has been specified on the ACS server, the user falls under privilege level 1. If enable authentication is enabled or an enable password is defined on the router, the user can then go to enable mode by typing en or en <priv-lvl>.
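
To verify what the AAA server actually returns, the following added example (not part of the original document and not Cisco code) parses a RADIUS Access-Accept and reports the privilege level carried in the cisco av-pair, falling back to level 1 when none is sent, as described above. It assumes the standard encoding of cisco av-pair as a Vendor-Specific attribute (type 26, vendor ID 9, vendor type 1); the function names are hypothetical and the sample packet is constructed, not captured.

```python
import re
import struct

ACCESS_ACCEPT = 2      # RADIUS packet code (RFC 2865)
VENDOR_SPECIFIC = 26   # RADIUS attribute type (RFC 2865)
CISCO_VENDOR_ID = 9    # Cisco's enterprise number
CISCO_AVPAIR = 1       # vendor type of cisco av-pair
DEFAULT_PRIV = 1       # level applied when no priv-lvl is returned

def cisco_avpairs(packet: bytes) -> list:
    """Return every cisco av-pair string carried in an Access-Accept."""
    if len(packet) < 20:
        raise ValueError("shorter than a RADIUS header")
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCESS_ACCEPT or not 20 <= length <= len(packet):
        raise ValueError("not a well-formed Access-Accept")
    pairs, pos = [], 20                 # attributes follow the 16-byte authenticator
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("bad attribute length")
        value = packet[pos + 2:pos + alen]
        pos += alen
        if atype != VENDOR_SPECIFIC or len(value) < 6:
            continue
        vendor, vtype, vlen = struct.unpack("!IBB", value[:6])
        if vendor == CISCO_VENDOR_ID and vtype == CISCO_AVPAIR and 2 <= vlen <= len(value) - 4:
            pairs.append(value[6:4 + vlen].decode("ascii", "replace"))
    return pairs

def exec_priv_level(packet: bytes) -> int:
    """Level from the first valid shell:priv-lvl pair (this example's choice), else 1."""
    for pair in cisco_avpairs(packet):
        m = re.fullmatch(r"shell:priv-lvl=(\d{1,2})", pair.strip())
        if m and 0 <= int(m.group(1)) <= 15:
            return int(m.group(1))
    return DEFAULT_PRIV

def build_accept(*avpairs: str) -> bytes:
    """Constructed sample Access-Accept with a zeroed authenticator."""
    attrs = b"".join(
        struct.pack("!BBIBB", VENDOR_SPECIFIC, 8 + len(p), CISCO_VENDOR_ID, CISCO_AVPAIR, 2 + len(p))
        + p.encode("ascii") for p in avpairs)
    return struct.pack("!BBH", ACCESS_ACCEPT, 1, 20 + len(attrs)) + bytes(16) + attrs
```

Running exec_priv_level over Access-Accept payloads taken from a test login shows which users or groups are being granted Level 15 directly at login and which fall back to Level 1.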

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

For more information, refer to User Group Management.

User group management:-

http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_server_for_windows/4.0/user/guide/g.html

Interface configuration:-

http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_server_for_windows/4.0/user/guide/i.html

Problem Type

Configure / Configuration issues

Products

Access point

Security Options

ACS

Client OS Type

Windows

Product OS

IOS
