How to Authorize group from AD

Douglas C. Stephens stephend at
Mon Feb 4 15:22:09 CET 2019


There is additional config you need on the switch.

If you're running IOS or IOS-XE (e.g., on a Catalyst series switch),
you need to add "aaa new-model" and "aaa authorization exec" to your

The latter must include as parameters "group <RADNAME>", where
"<RADNAME>" is either "radius" (to use the sole or default set of
configured RADIUS servers), or is the name of a group of RADIUS
servers defined by "aaa group server radius <RADNAME>".

As you'll see in docs, "aaa authorization exec" can have multiple
ordered authorization sources (e.g., local-then-RADIUS), just like
when you defined "aaa authentication login".

On 2/1/2019 12:28 PM, Matthew Newton wrote:
> On Fri, 2019-02-01 at 12:52 -0500, Alan DeKok wrote:
>> On Feb 1, 2019, at 10:50 AM, Maicon Luis <maiconlp at> 
>> wrote:
>>> I have done the follow lines on “user” file
>>> user1 Service-Type = NAS-Prompt-User, Cisco-AVPair =
>>> "shell:priv-lvl=15", Fall-Through = Yes
>> And what are the "right" attributes?  I don't know.  Read the
>> Cisco docs to see what their product needs.
> I believe they are the right attributes - at least, I've seen it 
> working with those before.
> So it's either that the RADIUS server isn't returning them (run in 
> debug mode `radiusd -X` to see), or that there is additional
> config needed on the switch.

Douglas C. Stephens		| Network Systems Analyst
Enterprise Information Services | Phone: (515) 294-6102
Ames Laboratory, US DOE         | Email: stephend at

More information about the Freeradius-Users mailing list