Vendor Specific Attributes - Cisco IOS and IOSXE - NPS

Trying to implement MFA on Cisco switches with DUO proxy and Microsoft NPS. I have it working but I cannot figure out how to get it to pass the vendor attributes properly so that user is dropped into priv level 15.


On NPS I have the following set up under “Vendor Specific”
Name: Cisco-AV-Pair
Vendor: Cisco
Value: shell:priv-lvl:15

Neither pass_through option works when uncommented. The user is dropped to priv 1 and then must authenticate with local credentials to enter priv 15.

If I turn on pass_through_all=true then the switch comes back with the following error:
Line has invalid autocommand " ppp negotiate"Connection to xxxx

I have no PPP settings set in NPS that I can see at all. The only line I have under Standard Radius Attributes is: Filter-id

Any ideas?