AAA Radius Privilege levels

saddayzsaddayz Member Posts: 29 ■□□□□□□□□□
Hello,


I've setup a Windows 2012 Server R2 Radius server to commmunicate with CISCO IOS devices.


There are two categories of users: with just read only rights(shell:priv-lvl=1), and read/write (shell:priv-lvl=15).


The Router configuration on GNS3 is straightforward:






aaa authentication login VTY group RAD1 local
aaa authorization exec AUTH_VTY group RAD1 local if-authenticated


line vty 0 20
login authentication VTY
authorization exec AUTH_VTY




So, my goal is to read only users allow to just read, to read/write users allow to do all.


but the situation is different. Users with (shell:priv-lvl=15) gets into privileged mode as it should.
And users with (shell:priv-lvl=1) goes to operational mode (>) and after typing "enable" they goes into priviledge mode.


Is this a normal behaviour with Priviledge 1 - to be able to get to enable ? Maybe my problem is just to create the enable password, which is unknown for users with priviledge lvl 1 ?




Also the second question:


Do the if-authenticated command is needed ? could not figure point of that.


Thanks
Sign In or Register to comment.