9800-cl login with radius - shell:priv-lvl=15

robbyde0100
Level 1

Hello,

I've set up RADIUS for admins to log on to our 9800 (with ISE), but when I log on to the web admin portal I can't see any admin options. Just Monitoring and Dashboard.

CLI seems fine.

This is what's set up on the 9800:

aaa new-model
aaa group server radius ISE
 server name ise-1
 server name ise-2
aaa authentication login default local
aaa authentication login radius-authe-method group ISE local
aaa authentication dot1x ISE group ISE
aaa authorization exec default local
aaa authorization exec radius-autho-method group ISE

radius server ise-1
 address ipv4 10.52.7.106 auth-port 1812 acct-port 1813
 key password
!
radius server ise-2
 address ipv4 10.52.7.104 auth-port 1812 acct-port 1813
 key password

line con 0
 logging synchronous
 stopbits 1
line vty 0 4
 authorization exec radius-autho-method
 login authentication radius-authe-method
 transport input ssh
line vty 5 15
 authorization exec radius-autho-method
 login authentication radius-authe-method
 transport input ssh
line vty 16 50
 transport input ssh

ip http authentication aaa login-authentication radius-authe-method
ip http authentication aaa exec-authorization radius-autho-method

ISE has this on the profile:

Access Type = ACCESS_ACCEPT
cisco-av-pair = shell:priv-lvl=15

Accepted Solution

robbyde0100
Level 1

Hi All,

It's fixed!!

So in ISE there are two options that look the same:

cisco error 9800 both 9.png

This one doesn't work (guest should have given it away):

cisco error 9800 broken 8.png

This one does work:

cisco error 9800 working 7.png


12 Replies

Ruben Cocheno
Spotlight

@robbyde0100 

That config looks OK to me. Do you want to try to remove the following lines? You already have VTY covered, so it shouldn't be a problem.

aaa authentication login default local
aaa authorization exec default local

Tag me to follow up.
Please mark it as Helpful and/or Solution Accepted if that is the case. Thanks for making Engineering easy again.
Connect with me for more on Linkedin https://www.linkedin.com/in/rubencocheno/

Thanks for getting back to me. I did:

no aaa authentication login default local
no aaa authorization exec default local

Then logged on but had the same:

cisco error 9800 2.png

I do see this on the console:
cisco error 9800.png

show user
Check which VTY line the user appears on.

Also, can you confirm whether you access the WLC via an ISE user or via a local user?
I know it's hard if you use the same username in both ISE and local, but you can add privilege 15 to the local username, and hence you have full access to the WLC whether you use ISE or local.
MHM

aaa authorization exec radius-autho-method group ISE LOCAL

You also need to add LOCAL to the end of the authz.

MHM

Hi,

Thanks for the help.

I can't log on with the local 9800 admin account anymore.

show users shows:

9800#sh users
Line User Host(s) Idle Location
* 1 vty 0 robd idle 00:00:00 laptop.domain.com

I'm using domain auth, so I'm using my domain admin to log on to ISE, which is OK; it shows a successful auth in ISE.

Is there config missing here for HTTP:

line vty 0 4
 authorization exec radius-autho-method
 login authentication radius-authe-method
 transport input ssh


I dislike dealing with authc and authz on Cisco.
So you can still access the WLC via VTY SSH?
MHM

I can logon via ssh with my domain account and get to config.


Just the web GUI that doesn't work. I could log a TAC.

debug radius

Can you check with debug whether RADIUS returns the AV priv 15 or not?
MHM
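An added example (my own code, not from this thread, Cisco or ISE) of the check MHM suggests: does the RADIUS Access-Accept actually carry cisco-avpair `shell:priv-lvl=15`, i.e. a Vendor-Specific attribute (type 26) with vendor id 9 and sub-type 1? The Access-Accept is constructed inline, and the Response Authenticator is not validated, since that would need the shared secret.

```python
import struct

CODE_ACCESS_ACCEPT = 2      # RFC 2865 packet code
ATTR_VENDOR_SPECIFIC = 26   # RFC 2865 Vendor-Specific attribute
CISCO_VENDOR_ID = 9         # IANA enterprise number for Cisco
CISCO_AVPAIR = 1            # Cisco VSA sub-type that carries cisco-avpair

def parse_tlvs(data):
    """Split a run of RADIUS Type/Length/Value attributes into (type, value) pairs."""
    attrs, i = [], 0
    while i < len(data):
        if i + 2 > len(data) or data[i + 1] < 2 or i + data[i + 1] > len(data):
            raise ValueError("malformed attribute at offset %d" % i)
        atype, alen = data[i], data[i + 1]
        attrs.append((atype, data[i + 2:i + alen]))
        i += alen
    return attrs

def cisco_avpairs(packet):
    """Return (code, [cisco-avpair strings]); the authenticator is not verified (needs the secret)."""
    if len(packet) < 20 or struct.unpack("!H", packet[2:4])[0] != len(packet):
        raise ValueError("bad RADIUS header or length field")
    code = packet[0]
    pairs = []
    for atype, value in parse_tlvs(packet[20:]):
        if atype != ATTR_VENDOR_SPECIFIC or len(value) < 6:
            continue
        if struct.unpack("!I", value[:4])[0] != CISCO_VENDOR_ID:
            continue  # another vendor's VSA, not relevant to shell:priv-lvl
        for sub_type, sub_value in parse_tlvs(value[4:]):
            if sub_type == CISCO_AVPAIR:
                pairs.append(sub_value.decode("ascii", "replace"))
    return code, pairs

def granted_priv_lvl(packet):
    """shell:priv-lvl from an Access-Accept; None if it is absent or the packet is not an Accept."""
    code, pairs = cisco_avpairs(packet)
    if code != CODE_ACCESS_ACCEPT:
        return None
    levels = [int(p.split("=", 1)[1]) for p in pairs if p.startswith("shell:priv-lvl=")]
    return levels[0] if levels else None

def build_accept(avpairs, ident=1):
    """Constructed Access-Accept carrying cisco-avpair VSAs (authenticator zeroed for the example)."""
    body = b""
    for pair in avpairs:
        sub = bytes([CISCO_AVPAIR, 2 + len(pair)]) + pair.encode("ascii")
        vsa = struct.pack("!I", CISCO_VENDOR_ID) + sub
        body += bytes([ATTR_VENDOR_SPECIFIC, 2 + len(vsa)]) + vsa
    return struct.pack("!BBH", CODE_ACCESS_ACCEPT, ident, 20 + len(body)) + bytes(16) + body
```

A real Access-Accept from a packet capture on the WLC or ISE can be passed to `granted_priv_lvl()` in place of the constructed one; if it returns None, the ISE authorization profile rather than the 9800 AAA lines is the thing to fix.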


Not related to your original post, but regarding the console message:
%SYS-5-CONFIG_P: Configured programmatically by process SE_webui_wsma_http from console as ...

Take care and note: https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-webui-cmdij-FzZAeXAy
https://bst.cloudapps.cisco.com/bugsearch/bug/CSCwe12578

M.

-- Each morning when I wake up and look into the mirror I always say 'Why am I so brilliant?'
When the mirror will then always respond to me with 'The only thing that exceeds your brilliance is your beauty!'


Thanks a lot for updating us.
Glad the issue is solved.
Have a nice day.
MHM

Thanks for all your help, really appreciate it.
