Enabling manager access privilege (optional)
In the default RADIUS operation, the switch automatically admits any authenticated client to the login (operator) privilege level, even if the RADIUS server specifies enable (manager) access for that client. Thus, an authenticated user authorized for the manager privilege level must authenticate again to change privilege levels. Using the optional login privilege-mode command overrides this default behavior for clients with enable access. That is, with privilege-mode enabled, the switch immediately allows enable (manager) access to a client for whom the RADIUS server specifies this access level.
Syntax:
[no] aaa authentication login privilege-mode
When enabled, the switch reads the Service-Type attribute in the client authentication response received from the RADIUS server. The following table describes the applicable Service-Type values and the corresponding client access level the switch allows upon authentication by the server.

Service-Type | Value | Client access level
---|---|---
Administrative-user | 6 | manager
NAS-prompt-user | 7 | operator
Any other type | Any value except 6 or 7 | Access Denied
This feature applies to console (serial port), Telnet, SSH, and WebAgent access to the switch. It does not apply to 802.1X port-access.
While this option is enabled, a Service-Type value other than 6 or 7, or an unconfigured (null) Service-Type causes the switch to deny access to the requesting client.
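The access decision described above, written out as an added example (this is not the switch's own code or any vendor tool): it decodes the Service-Type attribute (RADIUS attribute type 6, RFC 2865) from a constructed Access-Accept packet and applies the table, including the null Service-Type case, beside the default behavior in which every authenticated client lands at operator level. Packet builder, function names and the zeroed Response Authenticator are assumptions made for the example.

```python
import struct

# RADIUS constants from RFC 2865
ACCESS_ACCEPT = 2
ATTR_SERVICE_TYPE = 6
HEADER_LEN = 20  # code(1) + identifier(1) + length(2) + authenticator(16)

# Service-Type values the switch honours when privilege-mode is enabled
ADMINISTRATIVE_USER = 6   # -> manager
NAS_PROMPT_USER = 7       # -> operator


def parse_radius(packet):
    """Return (code, {attr_type: [raw values]}) for a RADIUS packet, checking lengths."""
    if len(packet) < HEADER_LEN:
        raise ValueError("packet shorter than RADIUS header")
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if length < HEADER_LEN or length > len(packet):
        raise ValueError("bad RADIUS length field")
    attrs = {}
    pos = HEADER_LEN
    while pos < length:
        if length - pos < 2:
            raise ValueError("truncated attribute header")
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("bad attribute length")
        attrs.setdefault(atype, []).append(packet[pos + 2:pos + alen])
        pos += alen
    return code, attrs


def switch_access_level(packet, privilege_mode):
    """Access level the switch grants for a server reply.

    privilege_mode=False models the default: any Access-Accept gives operator
    access, and a manager-authorized user must authenticate again to reach enable.
    privilege_mode=True models 'aaa authentication login privilege-mode'.
    """
    code, attrs = parse_radius(packet)
    if code != ACCESS_ACCEPT:
        return "denied"
    if not privilege_mode:
        return "operator"
    values = attrs.get(ATTR_SERVICE_TYPE)
    if not values or len(values[0]) != 4:
        return "denied"          # unconfigured (null) Service-Type is denied
    service_type = struct.unpack("!I", values[0])[0]
    if service_type == ADMINISTRATIVE_USER:
        return "manager"
    if service_type == NAS_PROMPT_USER:
        return "operator"
    return "denied"              # any value except 6 or 7


def build_access_accept(service_type=None, ident=1):
    """Constructed sample reply; a real packet carries an MD5 Response Authenticator,
    which this example does not compute or verify (assumption for brevity)."""
    body = b""
    if service_type is not None:
        body += struct.pack("!BBI", ATTR_SERVICE_TYPE, 6, service_type)
    header = struct.pack("!BBH", ACCESS_ACCEPT, ident, HEADER_LEN + len(body))
    return header + bytes(16) + body


if __name__ == "__main__":
    for st in (ADMINISTRATIVE_USER, NAS_PROMPT_USER, 1, None):
        pkt = build_access_accept(st)
        print(f"Service-Type={st!r}: default -> {switch_access_level(pkt, False)}, "
              f"privilege-mode -> {switch_access_level(pkt, True)}")
```

The same reply that yields manager access with privilege-mode enabled yields only operator access by default, and a reply whose Service-Type is missing or is any value other than 6 or 7 is denied once the option is on, which is the point to check before enabling it on a switch whose RADIUS profiles do not set Service-Type.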
The no form of the command returns the switch to the default RADIUS authentication operation. The default behavior for most interfaces is that a client authorized by the RADIUS server for Enable (manager) access will be prompted twice, once for Login (operator) access and once for Enable access. In the default RADIUS authentication operation, the WebAgent requires only one successful authentication request. For more information on configuring the Service-Type in your RADIUS application, see the documentation provided with the application.