How to Authorize group from AD
Douglas C. Stephens
stephend at ameslab.gov
Mon Feb 4 15:22:09 CET 2019
There is additional config you need on the switch.
If you're running IOS or IOS-XE (e.g., on a Catalyst series switch),
you need to add "aaa new-model" and "aaa authorization exec" to your
The latter must include as parameters "group <RADNAME>", where
"<RADNAME>" is either "radius" (to use the sole or default set of
configured RADIUS servers), or is the name of a group of RADIUS
servers defined by "aaa group server radius <RADNAME>".
As you'll see in docs, "aaa authorization exec" can have multiple
ordered authorization sources (e.g., local-then-RADIUS), just like
when you defined "aaa authentication login".
On 2/1/2019 12:28 PM, Matthew Newton wrote:
> On Fri, 2019-02-01 at 12:52 -0500, Alan DeKok wrote:
>> On Feb 1, 2019, at 10:50 AM, Maicon Luis <maiconlp at hotmail.com>
>>> I have done the follow lines on “user” file
>>> user1 Service-Type = NAS-Prompt-User, Cisco-AVPair =
>>> "shell:priv-lvl=15", Fall-Through = Yes
>> And what are the "right" attributes? I don't know. Read the
>> Cisco docs to see what their product needs.
> I believe they are the right attributes - at least, I've seen it
> working with those before.
> So it's either that the RADIUS server isn't returning them (run in
> debug mode `radiusd -X` to see), or that there is additional
> config needed on the switch.
Douglas C. Stephens | Network Systems Analyst
Enterprise Information Services | Phone: (515) 294-6102
Ames Laboratory, US DOE | Email: stephend at ameslab.gov
More information about the Freeradius-Users