[c-nsp] c3560, priv-lvl=15, authorization level problem
Oliver Boehmer (oboehmer)
oboehmer at cisco.com
Thu Apr 2 12:30:18 EDT 2009
Hegedus Gabor <> wrote on Thursday, April 02, 2009 10:37:
> Hi all!
>
> I have a problem:
>
> I want to use aaa authentication with radius in c3560, I try to
> authenticate my user to the priv level 15.
> The authentication is successful, but the user is just on the level 1.
>
> radius sends back the priv-lvl=15, I can see in the radius debug.
>
> the configurations of the radius and the switch are correct, because
> I have c2960 with the same configuration, and the priv-level 15
> authentication works on it.
>
> here is my config sample:
>
> aaa authentication login method_line group rad_group local
> aaa authorization exec method_line if-authenticated group rad_group

Why do you use if-authenticated before radius? if-authenticated method
succeeds if the user is authenticated, so it doesn't even bother
checking radius attributes for authorization information. Please try

  aaa authorization exec method_line group rad_group if-authenticated

or

  aaa authorization exec method_line group rad_group local

whatever fallback method you want to use..

	oli
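
The ordering problem described in the reply can be checked across saved configurations. The following is an added example, not part of the original post and not a Cisco tool: a small Python audit that flags `aaa authorization` method lists in which `if-authenticated` is followed by further methods. Treating `none` the same way is an assumption of this example, and the list names `fixed_a` and `fixed_b` and the sample text are constructed.

```python
# Constructed sample: line 2 is the method list from the post, lines 3-4 are
# the two suggested orderings under hypothetical list names.
SAMPLE = """\
aaa authentication login method_line group rad_group local
aaa authorization exec method_line if-authenticated group rad_group
aaa authorization exec fixed_a group rad_group if-authenticated
aaa authorization exec fixed_b group rad_group local
"""

# Methods that succeed without consulting a server (assumption: "none" is
# handled like "if-authenticated" for this audit).
TERMINAL = {"if-authenticated", "none"}

def parse_methods(tokens):
    """Join 'group <name>' into one method; other keywords stand alone."""
    methods, i = [], 0
    while i < len(tokens):
        if tokens[i] == "group" and i + 1 < len(tokens):
            methods.append("group " + tokens[i + 1])
            i += 2
        else:
            methods.append(tokens[i])
            i += 1
    return methods

def audit(config_text):
    """Return (line number, list name, terminal method, unreachable methods)."""
    findings = []
    for lineno, raw in enumerate(config_text.splitlines(), 1):
        tokens = raw.split()
        if tokens[:2] != ["aaa", "authorization"] or len(tokens) < 5:
            continue  # not an authorization method list
        rest = tokens[3:]
        if tokens[2] == "commands":
            rest = rest[1:]  # skip the privilege level argument
        list_name, methods = rest[0], parse_methods(rest[1:])
        # A terminal method anywhere but last makes the later methods dead.
        for pos, method in enumerate(methods[:-1]):
            if method in TERMINAL:
                findings.append((lineno, list_name, method, methods[pos + 1:]))
                break
    return findings

if __name__ == "__main__":
    for lineno, name, method, dead in audit(SAMPLE):
        print(f"line {lineno}: list '{name}': '{method}' precedes {dead}")
```
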