Use ACE/Server RADIUS to control enable access to Cisco Router
Originally Published: 2002-01-10
Article Number
000052384
Applies To
RSA ACE/Server
RADIUS
Cisco Router
Issue
Use ACE/Server RADIUS to control enable access to Cisco Router
Users who authenticate to the router via RADIUS cannot be granted enable (privilege level 15) access.
Cause
The required RADIUS attributes (Service-Type and, where a specific privilege level is wanted, the Cisco vendor-specific cisco-avpair) have not been configured in the user's profile on ACE/Server.
Resolution
On the ACE/Server, set Service-Type (RADIUS attribute 6) in the user's profile to Login or Administrative-User. With only that attribute, the router derives the privilege level from the Service-Type value: Login gives privilege level 1 (user EXEC) and Administrative-User gives privilege level 15 (enable).

Adding the Cisco vendor-specific av-pair (vendor ID 9, vendor type 1, cisco-avpair) lets you set the user's privilege level explicitly, regardless of the Service-Type value. For example, a profile with Service-Type set to Login and the 9,1 av-pair set to shell:priv-lvl=15 gives the user enable privilege.

Service-Type must be present in the profile in either case: once aaa authorization exec is configured on the router, an Access-Accept that carries no Service-Type attribute fails EXEC authorization, so the av-pair on its own is not enough.

EXEC authorization against RADIUS is enabled with the following command on the router (this is the syntax current when the article was written; on later Cisco IOS releases the server list is given as "group radius", and AAA must already be enabled with aaa new-model with at least one RADIUS server and a RADIUS login authentication method configured):

 aaa authorization exec default radius

On the ACE/Server administration interface:
Profile--> Add Profile
Name the profile appropriately
Add the attribute(s):
1. Service-Type
        Set this attribute to Login (regular user, privilege level 1) or Administrative-User (privilege level 15). It must be present for EXEC authorization to succeed.
2. For further granularity of enable privileges add:
Vendor-Specific
        Set the value to: 9 1 "shell:priv-lvl=15" (9 is the Cisco vendor ID, 1 is the cisco-avpair vendor type; the 15 can be any level from 1 to 15 that matches your router's privilege level configuration)
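The attribute logic described above, as an added example that is not part of the original RSA article: it encodes the RADIUS Access-Accept attributes an ACE/Server profile like the one above would return (Service-Type and the Cisco vendor-specific cisco-avpair), parses them the way a RADIUS client does, and applies the article's rule to derive the resulting EXEC privilege level, including the failure case where Service-Type is missing. The attribute numbers and Service-Type values are the standard RFC 2865 and Cisco dictionary values; the function names, and the choice to treat any Service-Type other than Login or Administrative-User as "no EXEC access", are this example's own assumptions.

```python
"""Encode, decode and evaluate the RADIUS attributes that control Cisco EXEC
privilege.  Added example; not code from the RSA article or from ACE/Server."""
import struct

# RFC 2865 attribute types
ATTR_SERVICE_TYPE = 6
ATTR_VENDOR_SPECIFIC = 26

# Service-Type values (RFC 2865)
SERVICE_LOGIN = 1            # Login-User: privilege level 1 on Cisco IOS
SERVICE_ADMINISTRATIVE = 6   # Administrative-User: privilege level 15

# Cisco VSA: IANA vendor ID 9, vendor type 1 = cisco-avpair
VENDOR_CISCO = 9
CISCO_AVPAIR = 1
PRIV_PREFIX = "shell:priv-lvl="


def encode_service_type(value):
    """Service-Type is a 4-byte integer: type(1) length(1) value(4)."""
    return struct.pack("!BBI", ATTR_SERVICE_TYPE, 6, value)


def encode_cisco_avpair(text):
    """Vendor-Specific(26) wrapping vendor-id(4) + vendor-type(1) + vendor-length(1) + string."""
    data = text.encode("ascii")
    vsa = struct.pack("!BB", CISCO_AVPAIR, 2 + len(data)) + data
    body = struct.pack("!I", VENDOR_CISCO) + vsa
    return struct.pack("!BB", ATTR_VENDOR_SPECIFIC, 2 + len(body)) + body


def decode_attributes(buf):
    """Parse a RADIUS attribute list into (type, value) pairs.
    Vendor-Specific values are returned as (vendor_id, vendor_type, bytes).
    Length fields are checked so a malformed packet raises instead of mis-parsing."""
    attrs = []
    i = 0
    while i < len(buf):
        if len(buf) - i < 2:
            raise ValueError("truncated attribute header")
        atype, alen = buf[i], buf[i + 1]
        if alen < 2 or i + alen > len(buf):
            raise ValueError("bad attribute length")
        value = buf[i + 2:i + alen]
        if atype == ATTR_VENDOR_SPECIFIC:
            if len(value) < 6:
                raise ValueError("VSA too short")
            vendor_id = struct.unpack("!I", value[:4])[0]
            vtype, vlen = value[4], value[5]
            if vlen < 2 or vlen != len(value) - 4:
                raise ValueError("bad vendor-length")
            attrs.append((atype, (vendor_id, vtype, value[6:4 + vlen])))
        else:
            attrs.append((atype, value))
        i += alen
    return attrs


def exec_priv_level(attrs):
    """Apply the rule from the article to a decoded attribute list.

    Returns the EXEC privilege level, or None when EXEC authorization fails.
    Service-Type is mandatory; cisco-avpair shell:priv-lvl=N overrides the level
    implied by Service-Type.  Treating other Service-Type values as "no EXEC
    access" is an assumption of this example, not something the article states."""
    service = None
    override = None
    for atype, value in attrs:
        if atype == ATTR_SERVICE_TYPE:
            service = struct.unpack("!I", value)[0]
        elif atype == ATTR_VENDOR_SPECIFIC:
            vendor_id, vtype, data = value
            if vendor_id == VENDOR_CISCO and vtype == CISCO_AVPAIR:
                text = data.decode("ascii", errors="replace")
                if text.startswith(PRIV_PREFIX):
                    level = int(text[len(PRIV_PREFIX):])
                    if not 0 <= level <= 15:   # IOS privilege levels are 0..15
                        raise ValueError("priv-lvl out of range: %d" % level)
                    override = level
    if service is None:
        return None                      # no Service-Type: aaa authorization exec fails
    if override is not None:
        return override
    if service == SERVICE_ADMINISTRATIVE:
        return 15
    if service == SERVICE_LOGIN:
        return 1
    return None


def profile_priv_level(service_type, priv_lvl=None):
    """Round-trip helper: build the Access-Accept attributes an ACE/Server profile
    with the given settings would return, decode them, and evaluate them."""
    raw = encode_service_type(service_type)
    if priv_lvl is not None:
        raw += encode_cisco_avpair(PRIV_PREFIX + str(priv_lvl))
    return exec_priv_level(decode_attributes(raw))


if __name__ == "__main__":
    print("Login only               ->", profile_priv_level(SERVICE_LOGIN))
    print("Administrative-User only ->", profile_priv_level(SERVICE_ADMINISTRATIVE))
    print("Login + priv-lvl=15      ->", profile_priv_level(SERVICE_LOGIN, 15))
    print("av-pair, no Service-Type ->",
          exec_priv_level(decode_attributes(encode_cisco_avpair("shell:priv-lvl=15"))))
```

The last case in the `__main__` block is the one that trips people up in practice: the av-pair is correct, but without Service-Type the router still fails EXEC authorization, which is why the article insists the attribute be set in every profile.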