AAA Radius Privilege levels

saddayzsaddayz Member Posts: 29 ■□□□□□□□□□

I've setup a Windows 2012 Server R2 Radius server to commmunicate with CISCO IOS devices.

There are two categories of users: with just read only rights(shell:priv-lvl=1), and read/write (shell:priv-lvl=15).

The Router configuration on GNS3 is straightforward:

aaa authentication login VTY group RAD1 local
aaa authorization exec AUTH_VTY group RAD1 local if-authenticated

line vty 0 20
login authentication VTY
authorization exec AUTH_VTY

So, my goal is to read only users allow to just read, to read/write users allow to do all.

but the situation is different. Users with (shell:priv-lvl=15) gets into privileged mode as it should.
And users with (shell:priv-lvl=1) goes to operational mode (>) and after typing "enable" they goes into priviledge mode.

Is this a normal behaviour with Priviledge 1 - to be able to get to enable ? Maybe my problem is just to create the enable password, which is unknown for users with priviledge lvl 1 ?

Also the second question:

Do the if-authenticated command is needed ? could not figure point of that.

Sign In or Register to comment.