You'll need the RADIUS server to do exec authorization to assign the users to privilege level 15 then. The config would look like this:
aaa new-model
aaa authentication login AUTHGROUP radius local
aaa authorization exec AUTHGROUP radius local
aaa authentication enable default enable
!
enable password XXXX
username ABC privilege 1 password XYZ
radius-server host 10.1.1.1
radius-server key XXXX
!
line vty 0 4
 login authentication AUTHGROUP
 authorization exec AUTHGROUP
Then, for the user's settings on the RADIUS server, under the cisco-avpair add "shell:priv-lvl=15".
What this will do is that if the user authenticates and the RADIUS server is available, it will authorize them to privilege level 15 automatically. If the RADIUS server is unavailable, it will authorize them locally to privilege level 1, and then if they want to get to privilege 15 they'll have to use the regular enable password.
HTH,
Brian McGahan, CCIE #8593 (R&S/SP/Security)
bmcgahan_at_INE.com
Internetwork Expert, Inc.
http://www.INE.com
-----Original Message-----
From: nobody_at_groupstudy.com [mailto:nobody_at_groupstudy.com] On Behalf Of Shahid Mushtaq
Sent: Tuesday, January 24, 2012 1:45 AM
To: ccielab_at_groupstudy.com
Subject: AAA Implementation
Dears,
I have set up AAA authentication with a RADIUS server, which is working for telnet sessions, but I want to tune it in the following way.
Ask for "Enable password" only when the radius server is not available.
I have the following configs
======================================
aaa new-model
aaa authentication login AUTHGROUP radius local
aaa authentication enable default none
enable password XXXX
username ABC privilege 15 password XYZ
radius-server host 10.1.1.1
radius-server key XXXX
line vty 0 4
 login authentication AUTHGROUP
========================================
Regards,
Shahid
Received on Tue Jan 24 2012 - 10:45:55 ART
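Added example, not part of the original thread: a small Python check that compares the two configurations posted above against the design the reply describes (exec authorization applied on the vty lines, enable still password-protected, local fallback user at privilege 1). The finding names are hypothetical labels chosen for this example.

```python
import re

# Both configs are taken from the thread ("!" separators dropped, XXXX/XYZ as posted).
ORIGINAL = """\
aaa new-model
aaa authentication login AUTHGROUP radius local
aaa authentication enable default none
enable password XXXX
username ABC privilege 15 password XYZ
radius-server host 10.1.1.1
radius-server key XXXX
line vty 0 4
 login authentication AUTHGROUP
"""

SUGGESTED = """\
aaa new-model
aaa authentication login AUTHGROUP radius local
aaa authorization exec AUTHGROUP radius local
aaa authentication enable default enable
enable password XXXX
username ABC privilege 1 password XYZ
radius-server host 10.1.1.1
radius-server key XXXX
line vty 0 4
 login authentication AUTHGROUP
 authorization exec AUTHGROUP
"""

def audit(config):
    """Return finding labels (hypothetical names) for the design in the reply."""
    lines = [l.strip() for l in config.splitlines()]
    findings = []
    # Exec authorization method lists defined globally.
    defined = {m.group(1) for l in lines
               if (m := re.match(r"aaa authorization exec (\S+) ", l))}
    # Lists applied under a line; a list named "default" applies implicitly.
    applied = {m.group(1) for l in lines
               if (m := re.match(r"authorization exec (\S+)$", l))}
    if not (("default" in defined) or (applied & defined)):
        findings.append("no-exec-authorization")  # priv-lvl from RADIUS not applied
    if "aaa authentication enable default none" in lines:
        findings.append("enable-without-password")
    for l in lines:
        if (m := re.match(r"username (\S+) privilege 15\b", l)):
            findings.append("local-user-priv15:" + m.group(1))
    return findings
```

Calling audit(ORIGINAL) reports all three findings, while audit(SUGGESTED) returns an empty list.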