topic Use aaa for enable prompt? in Network Access Control

Use aaa for enable prompt?

DynDarako — Mon, 11 Mar 2019 01:26:00 GMT

Hello,

Currently, I dont know how to have many users with different password. My switches are 2960-S.

aaa configuration:

aaa new-model

aaa authentication login default local

user:

username scd privilege 15 secret 5 $1$

username opst privilege 15 secret 5 $1$

username read privilege 7 secret 5 $1$

When i try to connect to my switch, I enter my username and my password, but I am not in enable mode then I enter enable but the switch doesnt ask me a password. It's not a problem with a personal username, but it's the same thing with a common username like read...

I try to enter this command:

"Enable secret <mypassword>"

In this case, all users must enter mypassword ! How to be enable with user's password with local base?

best regards,

Use aaa for enable prompt?

jliscano — Wed, 28 Sep 2011 00:03:30 GMT

Hi -

I believe you can setup levels on the enable command. Here's the link: http://www.cisco.com/en/US/docs/ios/12_2/security/configuration/guide/scfpass.html#wp1001368. Read the 3rd paragraph from the bottom of "Protecting Passwords with Enable Password and Enable Secret" topic.

Hope this helps.

Re: Use aaa for enable prompt?

andressalazard — Wed, 28 Sep 2011 01:40:01 GMT

Here is another option:

We are half way to make this work. You already have authentication happening locally; we should be able to attach the user authentication to the assigned privilege by using authorization.

aaa new-model

aaa authentication login default local

aaa authorization exec default local <<< Once you add this the Switch will place the new authenticated user into the correct Privilege level.

The users will not be prompt for the enable password, but will jump directly into the enable mode. You could confirm the privilege level assigned to the user with the show priv command.

The original enable password/secret would still be there, if you allow users access to the enable command, then they can still jump into the Full Privilege Enable mode (15). This can be avoided by giving the users a lower privilege level, then moving the enable command up to a higher privilege level.

I don't have a switch with me at this moment to test the cli, but I think the command to change the privilege would be:

Switch(config)#privilege exec level X enable

where X is the new privilege evel. Of course the junior user should be in a lower level in order to not reach the command.

HTH,

Did you find this post helpful?

Use aaa for enable prompt?

DynDarako — Thu, 29 Sep 2011 07:53:56 GMT

HI,

Thanks for your post.

I show my aaa configuration:

aaa authentication login default local

aaa authorization console

aaa authorization exec default local

After, i try to enter your command:

privilege exec level 15 enable

But it doesnt work! Indeed, after my connection, i enter this command:

show privilege

Current privilege level is 1

Whereas in my configuraiton my user is level 15...

Use aaa for enable prompt?

cadet alain — Thu, 29 Sep 2011 15:24:37 GMT

Hi,

why don't you just do this:

aaa authentication enable default local

Regards.

Alain.

Use aaa for enable prompt?

DynDarako — Fri, 30 Sep 2011 10:25:13 GMT

Hi,

This command doesn't exist in my IOS...

aaa authentication enable default local

% Invalid input detected at '^' marker.

My choices are:

cache Use Cached-group

enable Use enable password for authentication.

group Use Server-group

line Use line password for authentication.

none NO authentication.

No option solves the problem.

Best regards,

Re: Use aaa for enable prompt?

Josh732532 — Fri, 02 Aug 2024 12:59:38 GMT

Same issue on 9300, invalid input, did this ever get solved? Cisco authentication is a mess.