AAA Authentication working but users not getting priv exec mode

[GSWillis]

Hi,

I'm configuring AAA on some 3560 switches. They are using Radius authentication to an IAS server. I can get the users to authenticate but they aren't being put strait into privilege exec mode like they should be.

Below is the AAA config:

aaa new-model
aaa authentication login default group radius enable
aaa authorization exec default group radius none
!
aaa session-id common

radius-server host xxx.xxx.xxx.xxx auth-port 1645 acct-port 1646
radius-server source-ports 1645-1646
radius-server key 7 xxxxxxx

The same config works fine on a 1800 series router, any ideas??

Thanks,

Gareth

 

[burtsbees]

So in other words they have to enter an enable password, and just get to
switch>
upon authentication?

Burt

 

[GSWillis]

Yes thats correct it should let them into enable mode it's working on my other devices but these are the first 3560's I've tried to set it up on.

 

[GSWillis]

No Sorry I just read your post again they get the

switch> prompt but have to enable to get to the

switch# prompt and they shouldnt have to.

 

[BuckWeet]

Someone correct me if I'm wrong, but I thought radius doesn't do privilege levels? Meaning that you would always login with exec mode and have to 'enable' into privilege mode.

I haven't used radius in probably 5 years, I'm rusty!!

 

[GSWillis]

The Authorization part of the config should put the user strait into privilege mode but it doesnt seem to be having any effect.

 

[burtsbees]

I am rusty myself...I thought so too, buckweet...

is this line the same on the ones that do work?

aaa authorization exec default group radius none

Can you change this to

aaa authorization exec default group radius if-auth

and see if that helps?

 

[GSWillis]

Yes the line is the same in the other configs and works ok, I tested your suggestion but it is still the same. Very strange thanks for your help though.

 

[ADB100]

I have some 3560's & 3750's and my config looks like this:

aaa group server radius Radius-Servers
 server 10.1.1.1 auth-port 1812 acct-port 1813
 server 10.1.2.1 auth-port 1812 acct-port 1813
 ip radius source-interface Loopback0
!
aaa authentication login default group Radius-Servers local line
aaa authentication enable default group Radius-Servers enable
aaa authentication dot1x default group Radius-Servers
aaa authorization console
aaa authorization exec default group Radius-Servers if-authenticated 
aaa authorization network default group Radius-Servers 
aaa authorization auth-proxy default group Radius-Servers 
aaa accounting dot1x default start-stop group Radius-Servers
aaa accounting exec default start-stop group Radius-Servers
aaa accounting network default start-stop group Radius-Servers
aaa accounting system default start-stop group Radius-Servers
!
radius-server attribute 8 include-in-access-req
radius-server attribute 32 include-in-access-req format %h
radius-server attribute 32 include-in-accounting-req format %h
radius-server host 10.1.1.1 auth-port 1812 acct-port 1813 key cisco
radius-server host 10.1.2.1 auth-port 1812 acct-port 1813 key cisco
radius-server vsa send authentication

It's been a while since I set this up but my 'shellriv-lvl=15' is working with this configuration. I have probalby included too much config there, however that's all there is...

HTH

Andy

 

[vipergg]

You can run a debug against AAA and see if it tells you anything or doa debug against a working one and then against the non working one and see if you can spot anything in the debugs between the 2.

 

[GSWillis]

Thanks for the replies everyone. In the end it started working with the same config I posted before.

Re-booting the switches seemed to fix the issue. I guess I should have just done that first.