Cisco + FreeRADIUS: Exec 15 level privilege mode

aaa authentication cisco radius troubleshooting

I have two routers: Cisco ISR 2921 with IOS version 15.0(1r)M9 and a Cisco C2600 which is an old guy with IOS 12.0(7)XK1.

I have this set up on a FreeRADIUS server:

router-admin   MD5-Password := "<MD5-Digested-Password>"
               Service-Type = NAS-Prompt-User,
               Cisco-AVPair += "shell:priv-lvl=15"

I have set up the following config on both of the routers:

aaa new-model
aaa authentication login default group radius local

The ISR 2921, when you authenticate, gives you 15th level of privilege (# shell) at once, but the C2600 gives a user mode (> shell). Why would this happen? Maybe the IOS doesn't support that option yet or do I have to do some additional configuration?


Update:

Actually one more thing that's different is C2600 runs telnet (because it doesn't support SSH) and 2921 runs SSH.

VTY section from 2921:

line vty 0 4
 access-class 50 in
 exec-timeout 5 0
 logging synchronous
 length 0
 transport input ssh
line vty 5 30
 access-class 50 in
 exec-timeout 5 0
 logging synchronous
 transport input ssh
!

AAA section from 2921:

aaa new-model
aaa authentication login default group radius local
aaa authentication login IPSEC-USERS group radius
aaa authorization exec default group radius local
aaa authorization network IPSEC-USERS group radius
aaa accounting delay-start
aaa accounting update periodic 10
aaa accounting exec default
 group radius
aaa accounting network IPSEC-USERS
 group radius
aaa accounting system default
 group radius
aaa session-id unique
radius-server host 192.168.5.55 auth-port 1812 acct-port 1813
radius-server key 7 <KEY>

VTY section from C2600:

line vty 0 4
 password 7 <pw>
!

AAA section from C2600:

aaa new-model
aaa authentication login default group radius local
aaa authorization network default group radius local
aaa accounting exec default start-stop group radius
aaa accounting commands 15 default stop-only group radius
aaa accounting network default start-stop group radius
aaa accounting system default start-stop group radius

Best Answer

It seems that this line is missing from the C2600...

aaa authorization exec default group radius local

Exec authorization is what gives a login session the ability to pay attention to priv information from the RADIUS server.
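The check described in this answer can be automated when auditing several routers. The following is an added example, not part of the original question or answer: the function names are hypothetical, the two sample configs are constructed by trimming the ones quoted in the question, and it assumes a vty line uses the `default` method list unless it names another with `login authentication` or `authorization exec`, and that only the built-in `group radius` is in use.

```python
import re

# Constructed sample configs, trimmed from the two routers in the question.
ISR2921 = """\
aaa new-model
aaa authentication login default group radius local
aaa authentication login IPSEC-USERS group radius
aaa authorization exec default group radius local
aaa authorization network IPSEC-USERS group radius
line vty 0 4
 transport input ssh
line vty 5 30
 transport input ssh
"""
C2600 = """\
aaa new-model
aaa authentication login default group radius local
aaa authorization network default group radius local
line vty 0 4
 password 7 <pw>
"""

def method_lists(config, kind):
    """Map method-list name -> methods for 'aaa <kind> <name> <methods...>'."""
    pat = re.compile(r"^aaa " + re.escape(kind) + r" (\S+) (.+)$", re.M)
    return {name: methods.split() for name, methods in pat.findall(config)}

def vty_blocks(config):
    """Yield (header, sub-commands) for each 'line vty' block."""
    for m in re.finditer(r"^(line vty [^\n]*)\n((?: [^\n]*\n?)*)", config, re.M):
        yield m.group(1).strip(), [l.strip() for l in m.group(2).splitlines()]

def audit_exec_authorization(config):
    """Return vty lines that log in via RADIUS but never run exec authorization
    against RADIUS, so shell:priv-lvl in the Access-Accept is not applied."""
    authn = method_lists(config, "authentication login")
    authz = method_lists(config, "authorization exec")
    findings = []
    for header, cmds in vty_blocks(config):
        # A line uses the 'default' list unless it names another one.
        login = next((c.split()[2] for c in cmds if c.startswith("login authentication ")), "default")
        execl = next((c.split()[2] for c in cmds if c.startswith("authorization exec ")), "default")
        if "radius" in authn.get(login, []) and "radius" not in authz.get(execl, []):
            findings.append(header)
    return findings
```

Run against the two samples, it reports nothing for the 2921 and flags `line vty 0 4` on the C2600.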