Authorization while using Microsoft IAS as a RADIUS server does not seem to work with the 5500G-EI switches we are using.
The VSA for determining privilege levels (01060000000X, with X representing privilege levels 0 through 3) is set on my RADIUS server (Microsoft IAS) ... I see in the logs that it's passing this attribute back to the switch. However, no matter what I set this value to, I am always at privilege level 1 when I authenticate against the RADIUS server.
Here is a copy of the relevant parts of the configuration:
radius nas-ip <Source IP Address>
radius scheme system
radius scheme adminauth
server-type standard
primary authentication <Primary RADIUS Auth Server IP>
secondary authentication <Secondary RADIUS Auth Server IP>
accounting optional
key authentication <Authentication Key>
user-name-format without-domain
nas-ip <Source IP Address>
domain system
domain test
scheme radius-scheme adminauth
user-interface aux 0 7
authentication-mode scheme
user-interface vty 0 4
authentication-mode scheme
Authentication itself works fine, so I see two possibilities here: a) the VSA used (which works for the 4400 series switches and supposedly works for some 5500 family switches, as outlined in one 3Com document) is wrong and the 5500G-EI uses something different, or b) the VSA is correct and there is a setting I'm missing which is causing the switch to ignore it.
Under the user-interface section, I also tried authentication-mode scheme command-authorization which did not work.
Does anyone have any insight?
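As an added illustration (not part of the original post), here is a small Python encoder/decoder for the privilege-level VSA described above. It is useful for checking what a RADIUS server actually returns in a captured Access-Accept before blaming the switch. It assumes the attribute is carried as an RFC 2865 Vendor-Specific AVP (type 26) with the 3Com vendor ID 43 and sub-attribute type 1; the post only gives the inner bytes, so the vendor ID is an assumption.

```python
import struct
from typing import Iterator, Optional, Tuple

# RADIUS attribute 26 is Vendor-Specific (RFC 2865). Vendor ID 43 (3Com) and
# sub-attribute type 1 are assumptions: the post only shows the inner "0106..." bytes.
VENDOR_SPECIFIC = 26
VENDOR_3COM = 43
VSA_USER_ACCESS_LEVEL = 1


def build_privilege_vsa(level: int) -> bytes:
    """Encode the 01060000000X VSA inside a RADIUS Vendor-Specific AVP."""
    if not 0 <= level <= 3:
        raise ValueError("privilege level must be 0..3")
    vsa = struct.pack("!BBI", VSA_USER_ACCESS_LEVEL, 6, level)  # 01 06 0000000X
    body = struct.pack("!I", VENDOR_3COM) + vsa
    return struct.pack("!BB", VENDOR_SPECIFIC, 2 + len(body)) + body


def iter_avps(data: bytes) -> Iterator[Tuple[int, bytes]]:
    """Walk a RADIUS attribute section as type/length/value; stop on a malformed length."""
    pos = 0
    while pos + 2 <= len(data):
        atype, alen = data[pos], data[pos + 1]
        if alen < 2 or pos + alen > len(data):
            break  # malformed; refuse to guess
        yield atype, data[pos + 2:pos + alen]
        pos += alen


def extract_privilege_level(data: bytes) -> Optional[int]:
    """Return the 3Com privilege level found in an attribute section, or None if absent."""
    for atype, value in iter_avps(data):
        if atype != VENDOR_SPECIFIC or len(value) < 4:
            continue
        if struct.unpack("!I", value[:4])[0] != VENDOR_3COM:
            continue  # some other vendor's VSA; the switch would ignore it too
        for stype, svalue in iter_avps(value[4:]):  # same TLV layout inside the VSA
            if stype == VSA_USER_ACCESS_LEVEL and len(svalue) == 4:
                return struct.unpack("!I", svalue)[0]
    return None


if __name__ == "__main__":
    # Constructed sample: Service-Type=Administrative (type 6) followed by the level-3 VSA.
    sample = bytes([6, 6, 0, 0, 0, 6]) + build_privilege_vsa(3)
    print(sample.hex())
    print(extract_privilege_level(sample))
```

Feed `extract_privilege_level` the attribute bytes of a captured Access-Accept (everything after the 20-byte RADIUS header); if it returns None, the server is not sending the VSA the switch expects, regardless of what the IAS logs say.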