stillscout.blogg.se

Cisco ASAv login with privilege 15 local user

However, there are a couple of things you can try if you are locked out or stuck at enable in the lower access mode.

First option (depending on how close your config is to working): you could create a new user in RADIUS with Service-Type = "Administrative-User" and Cisco-AVPair = "shell:priv-lvl=15" (if you use daloRADIUS these will need to be "reply").

Sometimes setting the priv level on the Cisco and using "aaa authorization exec default group radius local" will generate an "Auth reject" message on the Cisco-side login screen when you attempt to log in to the Cisco. From the Cisco side, "debug radius" will potentially provide useful info ("no debug all" will turn off debugging on the Cisco).

Firstly, you don't need the priv level defined on the vty lines in the switch config. On your RADIUS server it is good to issue "freeradius -X"; you will then be able to watch the process take place as the connection happens.

On the RADIUS side, the user needs these two attributes:

Service-Type = "Administrative-User" = reply (the "reply" choice is necessary if using something like daloRADIUS, as it will ask you to choose, and the other option, "check", won't work)
Cisco-AVPair = "shell:priv-lvl=**" = reply (priv levels supported on Cisco by default: 1, 7, 15)

On the Cisco side (may need tweaking depending on IOS version) you can normally get away with:

radius-server host 10.**.**.** auth-port 1812 acct-port 1813 key SharedSecret
aaa authentication login default group radius local
aaa authorization exec default group radius local
aaa accounting network default start-stop group radius
aaa accounting system default start-stop group radius
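The check-versus-reply distinction above can be verified before anyone tests a login. The following is an added example, not code from the original post: it assumes the accounts live in a flat FreeRADIUS users file (first line holds the user name and check items, indented lines hold reply items) rather than in daloRADIUS's database, and the accounts, passwords and function names are constructed for illustration.

```python
import re

# Constructed sample in FreeRADIUS "users" file layout.
SAMPLE_USERS = '''\
netadmin  Cleartext-Password := "example-only"
    Service-Type = Administrative-User,
    Cisco-AVPair = "shell:priv-lvl=15"

helpdesk  Cleartext-Password := "example-only", Cisco-AVPair == "shell:priv-lvl=7"
    Service-Type = NAS-Prompt-User

operator  Cleartext-Password := "example-only"
    Cisco-AVPair = "shell:priv-lvl=15"
'''

# Attribute name, any of the operators =, :=, ==, +=, then the value.
PRIV = re.compile(r'Cisco-AVPair\s*[:=+]?=\s*"shell:priv-lvl=(\d+)"')
STYPE = re.compile(r'Service-Type\s*[:=+]?=\s*"?([\w-]+)')

def parse_users(text):
    """Return {user: {"check": str, "reply": str}} from users-file text."""
    entries, current = {}, None
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if line[0] in " \t":                  # indented line: reply items
            if current:
                entries[current]["reply"] += " " + line.strip()
        else:                                 # new entry: name + check items
            parts = line.split(None, 1)
            current = parts[0]
            entries[current] = {"check": parts[1] if len(parts) > 1 else "", "reply": ""}
    return entries

def audit(text):
    """Return {user: [findings]} for the two attributes the post relies on."""
    findings = {}
    for user, items in parse_users(text).items():
        notes = []
        if PRIV.search(items["check"]):
            notes.append("priv-lvl is a check item, so it is never sent to the switch")
        level = PRIV.search(items["reply"])
        stype = STYPE.search(items["reply"])
        if level and level.group(1) == "15":
            if not stype or stype.group(1) != "Administrative-User":
                notes.append("priv-lvl=15 without Service-Type Administrative-User")
            notes.append("grants privilege 15: confirm this account should be admin")
        findings[user] = notes
    return findings
```

Calling `audit()` on the real users file text returns a per-user list of findings, which doubles as an inventory of every account that lands at privilege 15.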






