So I'd like to get some clarification please if what I believe I'm seeing is correct. I'm trying to configure RADIUS authentication on a Cisco SG500X switch using the FortiAuthenticator for RADIUS. The "Small Business" Cisco switches don't have a full version of IOS running on them, but I have this working where, when a member of a Remote LDAP group on the FA logs into the switch via SSH, it will log them in with priv lvl 1. What I want is to boost this to priv lvl 15, and on a normal IOS switch you would return the Cisco-Av-Pair = priv-lvl-15 RADIUS attribute.
I have attempted to configure this attribute, along with Service-Type = Administrative-User, against my Remote LDAP group, but a packet capture shows that the FA is not sending the RADIUS attributes at all in its Access-Accept packet.
My question is, is this because the FA is looking for a Vendor-Specific(26) of Cisco as opposed to CiscoSystems in the Access-Request packet? See the AVP from Wireshark:
Access-Request:
RADIUS Protocol
  Code: Access-Request (1)
  Packet identifier: 0x92 (146)
  Length: 91
  Authenticator: dc040000eb67000083260000a5500000
  [The response to this request is in frame 16]
  Attribute Value Pairs
    AVP: l=13 t=User-Name(1): **********
      User-Name: **********
    AVP: l=18 t=User-Password(2): Encrypted
      User-Password (encrypted): **********
    AVP: l=24 t=Vendor-Specific(26) v=ciscoSystems(9)
      VSA: l=18 t=Cisco-AVPair(1): shell:priv-lvl=1
        Cisco-AVPair: shell:priv-lvl=1
    AVP: l=6 t=NAS-IP-Address(4): 0.0.0.0
      NAS-IP-Address: 0.0.0.0
    AVP: l=10 t=Acct-Session-Id(44): 0500009D
      Acct-Session-Id: 0500009D
Access-Accept:
RADIUS Protocol
  Code: Access-Accept (2)
  Packet identifier: 0x92 (146)
  Length: 20
  Authenticator: 9f843da063da5f24b06058248e81534b
  [This is a response to a request in frame 15]
  [Time from request: 0.007331000 seconds]
Duplicate of https://forum.fortinet.com/tm.aspx?m=139574. Answer can be found there.
Dr. Carl Windsor
Chief Information Security Officer (CISO)
Fortinet
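The two packets captured in the question can be checked at the byte level. This is an added example, not part of the original posts: it rebuilds both packets from the field values shown in the capture and decodes their attributes, showing that a Length of 20 is the bare header with no attributes and that the vendor in a Vendor-Specific(26) attribute travels as the number 9, which Wireshark displays as ciscoSystems. The user name and password bytes are constructed placeholders, and ACCEPT_WANTED (Service-Type 6 plus shell:priv-lvl=15, modelled on the string format in the captured request, with a placeholder authenticator) is an assumption used for comparison.

```python
import struct

VENDOR_SPECIFIC, CISCO = 26, 9   # attribute type 26; IANA enterprise number 9 (ciscoSystems)

def avp(attr_type, value):
    """Encode one attribute: type, length (includes the 2 header bytes), value."""
    return bytes([attr_type, len(value) + 2]) + value

def cisco_avpair(text):
    """Vendor-Specific(26): 4-byte vendor ID, then vendor type 1 (Cisco-AVPair)."""
    return avp(VENDOR_SPECIFIC, struct.pack("!I", CISCO) + avp(1, text.encode()))

def packet(code, ident, authenticator, attrs=b""):
    """20-byte header (code, identifier, length, authenticator) plus attributes."""
    return struct.pack("!BBH", code, ident, 20 + len(attrs)) + authenticator + attrs

def parse(data):
    """Return (code, identifier, attrs); a VSA is (26, vendor_id, vendor_type, value)."""
    if len(data) < 20:
        raise ValueError("shorter than a RADIUS header")
    code, ident, length = struct.unpack("!BBH", data[:4])
    if not 20 <= length <= len(data):
        raise ValueError("bad RADIUS length field")
    attrs, pos = [], 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        t, l = data[pos], data[pos + 1]
        if l < 2 or pos + l > length:
            raise ValueError("malformed attribute length")
        value = data[pos + 2:pos + l]
        if t == VENDOR_SPECIFIC and len(value) >= 6:
            vendor = struct.unpack("!I", value[:4])[0]
            attrs.append((t, vendor, value[4], value[6:4 + value[5]]))
        else:
            attrs.append((t, value))
        pos += l
    return code, ident, attrs

# Packets rebuilt from the capture; user name and password bytes are constructed.
REQUEST = packet(1, 0x92, bytes.fromhex("dc040000eb67000083260000a5500000"),
    avp(1, b"placeholder") + avp(2, bytes(16)) + cisco_avpair("shell:priv-lvl=1")
    + avp(4, bytes(4)) + avp(44, b"0500009D"))
ACCEPT_SEEN = packet(2, 0x92, bytes.fromhex("9f843da063da5f24b06058248e81534b"))
# Assumption: an accept carrying Service-Type 6 and priv-lvl 15 (placeholder authenticator).
ACCEPT_WANTED = packet(2, 0x92, bytes(16),
    avp(6, struct.pack("!I", 6)) + cisco_avpair("shell:priv-lvl=15"))

if __name__ == "__main__":
    for name in ("REQUEST", "ACCEPT_SEEN", "ACCEPT_WANTED"):
        print(name, len(globals()[name]), parse(globals()[name]))
```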