2009-11-24

Telnet login to a Cisco router with RADIUS authentication based on Windows 2008 R2

This time something else

Say you want to give a network admin access to a Cisco router via telnet with RADIUS authentication (the user account is stored in AD).

The network admin is not a system admin, so he does not have administrator rights on the AD domain, but he needs level 15 access to all Cisco devices.

Here is the configuration of the router (tested on a Cisco 1800 Series):

enable secret 5 ############

aaa new-model
aaa authentication login default group radius local
aaa authorization exec default group radius local

privilege configure level 7 snmp-server host
privilege configure level 7 snmp-server enable
privilege configure level 7 snmp-server
privilege exec level 7 ping
privilege exec level 7 configure terminal
privilege exec level 7 configure

line con 0
 password 7 ############
line aux 0
line vty 0 4
 password 7 ############
 transport input telnet
 session-timeout 60


Quick description:

enable secret 5 - the enable password, stored as a type 5 (MD5) hash; it restricts the use of the "enable" command

aaa new-model - start the AAA configuration
aaa authentication login default group radius local - login authentication is done by the AAA mechanism in the following fashion:

  •  first the default method list is used (I did not create my own method list for this example) and the login is checked by a RADIUS server
  •  only if the server does not respond is the local user database checked (a rejection from the RADIUS server does not fall back to local)
aaa authorization exec default group radius local - EXEC authorization (which privilege level the user lands in after login) is done in the same way as above.


The next set of commands creates a new privilege level. In Cisco IOS the admin level is 15 and has full rights on any device; a lower level must be defined before it can be used.
In this case I created level 7 with the right to execute ping, enter configuration mode and configure SNMP settings.


line vty 0 4 - telnet connection configuration (a total of 5 lines, from 0 to 4)
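To make the two mechanisms above concrete, here is an added example (mine, not code from the original post) that parses the aaa and privilege lines shown above and answers the two questions a reviewer of this config asks: which commands a level 7 user may run, and whether every method list ends in local so the router stays reachable if the RADIUS server is down. The sample config is copied from the post; treating commands that have no privilege line as level 15 is an assumption made for this illustration.

```python
"""Added example (not from the original post): a small parser for the IOS
'aaa' and 'privilege' lines shown above. It models the semantics the post
describes: the longest configured command prefix decides the level, and a
method list falls through to 'local' only when RADIUS does not answer.
Commands without a 'privilege' line are treated as level 15 (assumption)."""
import re

# Constructed sample: the relevant lines of the router config from the post.
SAMPLE_CONFIG = """\
aaa new-model
aaa authentication login default group radius local
aaa authorization exec default group radius local
privilege configure level 7 snmp-server host
privilege configure level 7 snmp-server enable
privilege configure level 7 snmp-server
privilege exec level 7 ping
privilege exec level 7 configure terminal
privilege exec level 7 configure
"""

PRIV_RE = re.compile(r"^privilege\s+(\S+)\s+level\s+(\d+)\s+(.+?)\s*$")
AAA_RE = re.compile(r"^aaa\s+(authentication|authorization)\s+(\S+)\s+(\S+)\s+(.+?)\s*$")


def parse_privileges(config):
    """Return {mode: {command_words: level}} from 'privilege <mode> level <n> <cmd>' lines."""
    table = {}
    for line in config.splitlines():
        m = PRIV_RE.match(line.strip())
        if m:
            mode, level, cmd = m.group(1), int(m.group(2)), tuple(m.group(3).split())
            table.setdefault(mode, {})[cmd] = level
    return table


def required_level(table, mode, command, default=15):
    """Level needed to run `command` in `mode`: the longest configured prefix wins.
    Unlisted commands are treated as privileged (level 15); assumption for this example."""
    words = tuple(command.split())
    best = None
    for cmd in table.get(mode, {}):
        if words[:len(cmd)] == cmd and (best is None or len(cmd) > len(best)):
            best = cmd
    return table[mode][best] if best else default


def can_run(table, user_level, mode, command):
    """True when a user at `user_level` may execute `command` in `mode`."""
    return user_level >= required_level(table, mode, command)


def parse_method_lists(config):
    """Return {(kind, service, list_name): [methods]} e.g. ['group radius', 'local']."""
    lists = {}
    for line in config.splitlines():
        m = AAA_RE.match(line.strip())
        if not m:
            continue
        kind, service, name, rest = m.groups()
        words = rest.split()
        methods = []
        i = 0
        while i < len(words):
            if words[i] == "group" and i + 1 < len(words):
                methods.append("group " + words[i + 1])
                i += 2
            else:
                methods.append(words[i])
                i += 1
        lists[(kind, service, name)] = methods
    return lists


def has_local_fallback(config):
    """True when every method list ends with 'local', so console and vty logins still
    work if the RADIUS server is unreachable (IOS falls through on no answer, not on reject)."""
    lists = parse_method_lists(config)
    return bool(lists) and all(m[-1] == "local" for m in lists.values())


if __name__ == "__main__":
    table = parse_privileges(SAMPLE_CONFIG)
    for cmd in ("ping 192.0.2.1", "configure terminal", "reload"):
        print("level 7 may run %-20s: %s" % (cmd, can_run(table, 7, "exec", cmd)))
    print("local fallback present:", has_local_fallback(SAMPLE_CONFIG))
```

Running it against the post's config shows that level 7 may run ping and configure terminal but not reload, and that both method lists end in local. Dropping the trailing local from either line makes has_local_fallback() return False, which is the lockout scenario the fallback is there to prevent.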



Now for the Windows 2008 Server R2 side (Network Policy Server):

Network policy for level 15:

  • Windows Group: NetAdmins
  • Standard Attributes: 7 (Framed-Protocol) - PPP, 6 (Service-Type) - NAS Prompt
  • Cisco Attributes AV-Pair: shell:priv-lvl=15

Network policy for level 7:

  • Windows Group: SomeoneElse
  • Standard Attributes: 7 (Framed-Protocol) - PPP, 6 (Service-Type) - NAS Prompt
  • Cisco Attributes AV-Pair: shell:priv-lvl=7

Now, when logging in via telnet, users belonging to the NetAdmins group gain full access to the router (without needing the "enable" command), while users from the SomeoneElse group only get level 7.
If the other user wanted full access he would have to know the enable secret.
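The two NPS policies differ only in the attributes they return, so it helps to see the actual RADIUS Access-Accept they produce. The following is an added example (mine, not the post's or Microsoft's code): it encodes Service-Type = NAS-Prompt, Framed-Protocol = PPP and the Cisco-AVPair shell:priv-lvl=N exactly as RFC 2865 and the Cisco vendor-specific format lay them out, then performs the two steps the router performs on receipt: verifying the Response Authenticator against the shared secret, and reading the privilege level that aaa authorization exec applies. The shared secret, packet identifier and request authenticator are constructed sample values.

```python
"""Added example (not part of the original post): build the RADIUS Access-Accept
that the NPS policies above return, verify its Response Authenticator the way the
router does (RFC 2865 section 3), and extract shell:priv-lvl from the Cisco
vendor-specific attribute. Secret, identifier and request authenticator are
constructed sample values."""
import hashlib
import os
import struct

# Attribute and value numbers from RFC 2865; Cisco's IANA vendor id is 9.
ACCESS_ACCEPT = 2
ATTR_SERVICE_TYPE = 6
ATTR_FRAMED_PROTOCOL = 7
ATTR_VENDOR_SPECIFIC = 26
SERVICE_TYPE_NAS_PROMPT = 7
FRAMED_PROTOCOL_PPP = 1
VENDOR_CISCO = 9
CISCO_AVPAIR = 1


def attr(atype, value):
    """Encode one Type-Length-Value attribute; Length counts the two header bytes."""
    return struct.pack("!BB", atype, 2 + len(value)) + value


def cisco_avpair(text):
    """Vendor-Specific (26): 4-byte vendor id, then vendor type 1 (cisco-avpair) TLV."""
    inner = struct.pack("!BB", CISCO_AVPAIR, 2 + len(text)) + text.encode()
    return attr(ATTR_VENDOR_SPECIFIC, struct.pack("!I", VENDOR_CISCO) + inner)


def build_access_accept(ident, request_auth, secret, priv_lvl):
    """The reply an NPS policy for `priv_lvl` produces: NAS-Prompt, PPP, shell:priv-lvl."""
    attrs = (attr(ATTR_SERVICE_TYPE, struct.pack("!I", SERVICE_TYPE_NAS_PROMPT))
             + attr(ATTR_FRAMED_PROTOCOL, struct.pack("!I", FRAMED_PROTOCOL_PPP))
             + cisco_avpair("shell:priv-lvl=%d" % priv_lvl))
    header = struct.pack("!BBH", ACCESS_ACCEPT, ident, 20 + len(attrs))
    # ResponseAuth = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)
    resp_auth = hashlib.md5(header + request_auth + attrs + secret).digest()
    return header + resp_auth + attrs


def verify_response(packet, request_auth, secret):
    """The router's check before it trusts the reply: the authenticator must have been
    computed with the shared secret configured for this RADIUS server."""
    header, resp_auth, attrs = packet[:4], packet[4:20], packet[20:]
    expected = hashlib.md5(header + request_auth + attrs + secret).digest()
    return resp_auth == expected


def parse_attrs(packet):
    """Yield (type, value) pairs from the attribute section of a packet."""
    pos = 20
    while pos + 2 <= len(packet):
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2:
            break
        yield atype, packet[pos + 2:pos + alen]
        pos += alen


def privilege_level(packet, default=1):
    """Level that 'aaa authorization exec' applies. Without a priv-lvl the user lands in
    user EXEC (level 1), so the enable secret is still needed for anything higher."""
    for atype, value in parse_attrs(packet):
        if atype == ATTR_VENDOR_SPECIFIC and struct.unpack("!I", value[:4])[0] == VENDOR_CISCO:
            vtype, vlen = value[4], value[5]
            if vtype == CISCO_AVPAIR:
                text = value[6:4 + vlen].decode()
                if text.startswith("shell:priv-lvl="):
                    return int(text.split("=", 1)[1])
    return default


if __name__ == "__main__":
    secret = b"constructed-shared-secret"   # sample value, not a real secret
    req_auth = os.urandom(16)               # the authenticator from the router's request
    pkt = build_access_accept(0x2A, req_auth, secret, 15)
    print("authenticator ok   :", verify_response(pkt, req_auth, secret))
    print("wrong secret passes:", verify_response(pkt, req_auth, b"other-secret"))
    print("privilege level    :", privilege_level(pkt))
```

The authenticator check is why a mismatched shared secret between NPS and the router shows up as silently ignored replies rather than a clean rejection; the packet is well-formed, it just fails verify_response(). The priv-lvl extraction also shows why a user matched by a policy that omits the Cisco AV-Pair still logs in but lands at level 1.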



1 comment:

  1. Your steps are really helpful. I like this post and I feel very happy to read this article...
    Thanks for sharing...
    More info: Cisco Router Support



Feedback is always welcome