routeswitch
Cisco AAA Authorization fails

I have the following AAA config, to allow a group of network administrators to get access to Cisco devices using their AD credentials.
I have set up 2 RADIUS servers on Windows 2008 NPS.
I have a test router 1841 that is working just fine; the users type their creds into the login prompt and it throws them straight into enable mode. We do not want users to have to spend time typing enable secret passwords... hence the authorization issue I am running into on a Cisco 4000 series switch running 12.2.25 Sup V 10GE.

The commands I took from the router that worked perfectly and applied to the switch:

nyc1-idf-03#sh run | incl aaa
aaa new-model
aaa group server radius radius-group1
aaa authentication banner ^C
aaa authentication login radius-vty group radius-group1 local
aaa authentication login radius-con group radius-group1 local
aaa authentication login aux none
aaa authentication enable default group radius-group1 enable
aaa authorization console
aaa authorization exec radius-vty group radius-group1 local
aaa authorization exec radius-con group radius-group1 local
aaa accounting exec radius-vty start-stop group radius-group1
aaa accounting exec radius-con start-stop group radius-group1
aaa session-id common

nyc1-idf-03#sh run | inc radius
aaa group server radius radius-group1
aaa authentication login radius-vty group radius-group1 local
aaa authentication login radius-con group radius-group1 local
aaa authentication enable default group radius-group1 enable
aaa authorization exec radius-vty group radius-group1 local
aaa authorization exec radius-con group radius-group1 local
aaa accounting exec radius-vty start-stop group radius-group1
aaa accounting exec radius-con start-stop group radius-group1
ip radius source-interface Loopback0
radius-server host 10.17.240.245 auth-port 1645 acct-port 1646 key 7 121A5404115B5D5679
radius-server host 10.20.240.65 auth-port 1645 acct-port 1646 key 7 104D580A064743595F
radius-server source-ports 1645-1646
radius-server retransmit 1
radius-server timeout 2

!
line con 0
 authorization exec radius-con
 login authentication radius-con
!
line vty 0 4
 authorization exec radius-vty
 login authentication radius-vty
line vty 5 15
 authorization exec radius-vty
 login authentication radius-vty
nyc1-idf-03#

This similar config (the auth/acct ports on the router were 1812 & 1813 - that's the only difference) worked perfectly.

Can anyone explain/provide insight into why this switch seems to authenticate me, but not authorize me?
When I removed the authorization commands, it allowed me to authenticate, but only to
the switch> mode, and not switch# mode (enable).

Please, can someone help me here!

Thanks
routeswitch (ASKER)

FULL CONFIG FILE + DEBUG FOR AUTHORIZATION AT THE END

Thanks again. Attached: nyc03.txt
ASKER CERTIFIED SOLUTION
norgetek
"shell:priv-lvl=15"

As I said, it works perfectly for the 1841, but for some strange reason it's not doing so for the switch! I don't think it's an IOS issue.

I guess what I could ask is: is there a simpler config that would allow me to use RADIUS and get thrown into enable mode?

Can you do a debug on the router?  I would think we should see the attribute(s) being sent back in the debug.
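The attribute quoted above, "shell:priv-lvl=15", is the Cisco-AVPair a RADIUS server returns inside a Vendor-Specific attribute (type 26, Cisco vendor ID 9, vendor-type 1) of its Access-Accept so that "aaa authorization exec ... group radius" places the user at privilege level 15 instead of the default level 1 (the switch> prompt the asker lands at). The Python below is an added example, not code from this thread or from Cisco or Microsoft: it encodes that AV pair as a RADIUS VSA and decodes an Access-Accept attribute list to report the level the switch would be asked to grant, which is the check to run against a packet capture or NPS policy when the device authenticates but does not authorize. The sample attribute lists are constructed inline, and the "no AV pair means level 1" rule is a simplified model of the IOS behaviour, not an IOS implementation.

```python
import struct
VENDOR_SPECIFIC = 26   # RADIUS attribute type for Vendor-Specific (RFC 2865)
CISCO_VENDOR_ID = 9    # IANA enterprise number for Cisco
CISCO_AVPAIR = 1       # vendor-type of Cisco-AVPair inside the VSA

def encode_cisco_avpair(pair: str) -> bytes:
    # Build type(1) len(1) vendor-id(4) vendor-type(1) vendor-len(1) value
    value = pair.encode()
    vendor_data = struct.pack("!BB", CISCO_AVPAIR, 2 + len(value)) + value
    body = struct.pack("!I", CISCO_VENDOR_ID) + vendor_data
    return struct.pack("!BB", VENDOR_SPECIFIC, 2 + len(body)) + body

def iter_attributes(payload: bytes):
    # Yield (type, value) for each TLV in a RADIUS attribute list
    pos = 0
    while pos + 2 <= len(payload):
        atype, alen = payload[pos], payload[pos + 1]
        if alen < 2 or pos + alen > len(payload):
            raise ValueError("malformed attribute at offset %d" % pos)
        yield atype, payload[pos + 2:pos + alen]
        pos += alen

def cisco_avpairs(payload: bytes) -> list:
    """Return every Cisco-AVPair string carried in Vendor-Specific attributes."""
    pairs = []
    for atype, value in iter_attributes(payload):
        if atype != VENDOR_SPECIFIC or len(value) < 6:
            continue
        if struct.unpack("!I", value[:4])[0] != CISCO_VENDOR_ID:
            continue
        sub = value[4:]                      # vendor-type, vendor-length, data ...
        while len(sub) >= 2:
            vtype, vlen = sub[0], sub[1]
            if vlen < 2 or vlen > len(sub):  # stop on a truncated sub-attribute
                break
            if vtype == CISCO_AVPAIR:
                pairs.append(sub[2:vlen].decode(errors="replace"))
            sub = sub[vlen:]
    return pairs

def granted_priv_level(payload: bytes, default: int = 1) -> int:
    """Simplified model of IOS exec authorization: shell:priv-lvl=N wins, else level 1."""
    level = default
    for pair in cisco_avpairs(payload):
        key, _, val = pair.partition("=")
        if key.strip() == "shell:priv-lvl" and val.strip().isdigit():
            level = int(val)
    return level

# Constructed samples: an Access-Accept with the AV pair, and one with only Service-Type=Login-User (6=1)
ACCEPT_WITH_PRIV15 = encode_cisco_avpair("shell:priv-lvl=15")
ACCEPT_NO_AVPAIR = struct.pack("!BBI", 6, 6, 1)
```

A capture that shows the NPS reply without the Cisco-AVPair explains exactly the symptom described: login succeeds, exec authorization leaves the user at level 1.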