https://community.cisco.com/t5/network-access-control/password-required-but-none-set-ssh/m-p/2387545#M134286 <HTML><HEAD></HEAD><BODY><P>Ealey</P><P></P><P>This is a bit of an odd behavior. I suspect that it has something to do with changes in IOS 15.0. </P><P></P><P>I think that part of the issue is that you have not provided any aaa authentication commands for access to enable mode. Would you want to control access to enable mode through Radius similar to what you do for user mode? Or would you want to just use the enable password. I suspect that if you put that into the configuration that it might solve this issue. It might look like this if you want to use radius</P><P>aaa authentication enable default group radius enable</P><P>or it might look like this if you want just the enable password</P><P>aaa authentication enable default enable</P><P></P><P>Give one of these a try and let us know if it helps.</P><P></P><P>HTH</P><P></P><P>Rick</P></BODY></HTML> Wed, 20 Nov 2013 03:05:55 GMT Richard Burts 2013-11-20T03:05:55Z https://community.cisco.com/t5/network-access-control/password-required-but-none-set-ssh/m-p/2387544#M134285 <P>Hi,</P><P></P><P>I am stumped...I several 3750x switches (IOS 15.0(2)SE4) configured to authenticate through NPS (radius).&nbsp; When I ssh into those switches, I can authenticate via Radius successfully.&nbsp; However, when I type enable, I get this message: password required but none set....password:____.&nbsp; It will accept my enable password without issues.&nbsp; </P><P></P><P>I have 3750g switches and do not encounter this message when typing in my enable password.&nbsp; </P><P></P><P>I'm trying to figure out what is causing that message.&nbsp; This is my configuration for aaa, loging, and line vty:</P><P></P><P>service password-encryption</P><P></P><P>aaa new-model</P><P>aaa authentication login default group radius local-case</P><P>aaa authorization exec default group radius if-authenticated</P><P>aaa session-id common</P><P></P><P>username admin1 privilege 0 password Admin12!@&nbsp;&nbsp;&nbsp; //changed username &amp; password</P><P></P><P>enable secret 5 ***************</P><P></P><P>line vty 0 4</P><P>session-timeout 10</P><P>logging synchronous</P><P>transport preferred none</P><P>transport input ssh</P><P>transport output none</P><P></P><P>Thanks,</P><P>Ealey</P> Mon, 11 Mar 2019 04:06:49 GMT https://community.cisco.com/t5/network-access-control/password-required-but-none-set-ssh/m-p/2387544#M134285 Ealey Seto 2019-03-11T04:06:49Z https://community.cisco.com/t5/network-access-control/password-required-but-none-set-ssh/m-p/2387545#M134286 <HTML><HEAD></HEAD><BODY><P>Ealey</P><P></P><P>This is a bit of an odd behavior. I suspect that it has something to do with changes in IOS 15.0. </P><P></P><P>I think that part of the issue is that you have not provided any aaa authentication commands for access to enable mode. Would you want to control access to enable mode through Radius similar to what you do for user mode? Or would you want to just use the enable password. I suspect that if you put that into the configuration that it might solve this issue. It might look like this if you want to use radius</P><P>aaa authentication enable default group radius enable</P><P>or it might look like this if you want just the enable password</P><P>aaa authentication enable default enable</P><P></P><P>Give one of these a try and let us know if it helps.</P><P></P><P>HTH</P><P></P><P>Rick</P></BODY></HTML> Wed, 20 Nov 2013 03:05:55 GMT https://community.cisco.com/t5/network-access-control/password-required-but-none-set-ssh/m-p/2387545#M134286 Richard Burts 2013-11-20T03:05:55Z https://community.cisco.com/t5/network-access-control/password-required-but-none-set-ssh/m-p/2387546#M134287 <HTML><HEAD></HEAD><BODY><P>Rick,</P><P></P><P>Thanks for the response.&nbsp; Since I want the authentication to start with Radius then local, I tried your AAA enable statement to this:</P><P></P><P>aaa authentication login default group radius local-case enable</P><P></P><P>No luck.&nbsp; I'm still getting that statement.&nbsp; However, I am going to revert back to an eariler IOS to see if it is a quirk with the 15.0(2)SE4.&nbsp; </P><P></P><P>I'll let you know if it works.&nbsp; </P><P></P><P>Thanks,</P><P>Ealey</P></BODY></HTML> Wed, 20 Nov 2013 20:27:05 GMT https://community.cisco.com/t5/network-access-control/password-required-but-none-set-ssh/m-p/2387546#M134287 Ealey Seto 2013-11-20T20:27:05Z https://community.cisco.com/t5/network-access-control/password-required-but-none-set-ssh/m-p/2387547#M134288 <HTML><HEAD></HEAD><BODY><P>Hi there,</P><P></P><P>Try adding the enable line in.</P><P></P><P>eg&nbsp; aaa authentication enable default group radius enable</P><P></P><P>Regards,</P><P></P><P>Brad</P></BODY></HTML> Thu, 21 Nov 2013 01:16:25 GMT https://community.cisco.com/t5/network-access-control/password-required-but-none-set-ssh/m-p/2387547#M134288 bmcginn 2013-11-21T01:16:25Z https://community.cisco.com/t5/network-access-control/password-required-but-none-set-ssh/m-p/2387548#M134289 <HTML><HEAD></HEAD><BODY><P>Pls set the privilege level in the local user database using the following method.</P><P></P><P>username cisco password cisco</P><P>username cisco privilege 15</P></BODY></HTML> Thu, 21 Nov 2013 04:57:24 GMT https://community.cisco.com/t5/network-access-control/password-required-but-none-set-ssh/m-p/2387548#M134289 Saurav Lodh 2013-11-21T04:57:24Z https://community.cisco.com/t5/network-access-control/password-required-but-none-set-ssh/m-p/2387549#M134290 <HTML><HEAD></HEAD><BODY><P>My local username is set at 0.&nbsp; </P><P></P><P>Regardless, the message appears with Radius or local login authentication.</P><P></P><P>Thanks,</P><P>Ealey</P></BODY></HTML> Thu, 21 Nov 2013 14:03:34 GMT https://community.cisco.com/t5/network-access-control/password-required-but-none-set-ssh/m-p/2387549#M134290 Ealey Seto 2013-11-21T14:03:34Z https://community.cisco.com/t5/network-access-control/password-required-but-none-set-ssh/m-p/2387550#M134291 <HTML><HEAD></HEAD><BODY><P>Ealey</P><P></P><P>Thank you for letting us know that you have verified that the behavior is related to the version of code that is running. That is helpful to know.</P><P></P><P>HTH</P><P></P><P>Rick</P></BODY></HTML> Thu, 21 Nov 2013 15:46:47 GMT https://community.cisco.com/t5/network-access-control/password-required-but-none-set-ssh/m-p/2387550#M134291 Richard Burts 2013-11-21T15:46:47Z https://community.cisco.com/t5/network-access-control/password-required-but-none-set-ssh/m-p/2387551#M134292 <HTML><HEAD></HEAD><BODY><P>Brad,</P><P></P><P>I modified it a bit since we don't use radius for our enable.&nbsp; </P><P></P><P>aaa authentication enable default enable</P><P></P><P>Strange that we have to spell out where our enable password is coming from.&nbsp; </P><P></P><P>Thanks,</P><P>Ealey</P></BODY></HTML> Fri, 22 Nov 2013 19:27:43 GMT https://community.cisco.com/t5/network-access-control/password-required-but-none-set-ssh/m-p/2387551#M134292 Ealey Seto 2013-11-22T19:27:43Z https://community.cisco.com/t5/network-access-control/password-required-but-none-set-ssh/m-p/2387552#M134293 <HTML><HEAD></HEAD><BODY><P>Ealey</P><P></P><P>I wonder if it has something to do with the fact that you are using a type 5 enable secret. Early versions of 15.0, such as the one that you were running, were going to deprecate the type 5 enable secret in favor of a type 4 enable secret. Cisco has since then changed their position and the type 5 enable secret is still the standard. But I wonder if in that early version of code that was running if the code was not happy about using a type 5 enable secret.</P><P></P><P>Or maybe it was just a buggy behavior that got corrected. In any case now you have it doing the behavior that you wanted. And that is a good thing <SPAN __jive_emoticon_name="happy" __jive_macro_name="emoticon" class="jive_macro jive_emote" src="https://community.cisco.com/4.5.4/images/emoticons/happy.gif"></SPAN></P><P></P><P>HTH</P><P></P><P>Rick</P></BODY></HTML> Fri, 22 Nov 2013 22:14:26 GMT https://community.cisco.com/t5/network-access-control/password-required-but-none-set-ssh/m-p/2387552#M134293 Richard Burts 2013-11-22T22:14:26Z https://community.cisco.com/t5/network-access-control/password-required-but-none-set-ssh/m-p/3818692#M134294 aaa authentication enable default enable<BR />worked for me. Thanks! Wed, 13 Mar 2019 10:03:55 GMT https://community.cisco.com/t5/network-access-control/password-required-but-none-set-ssh/m-p/3818692#M134294 richard_artes 2019-03-13T10:03:55Z