https://community.cisco.com/t5/network-access-control/quot-ip-radius-source-loop0-quot-not-working-for-enable/m-p/1183981#M405494 <HTML><HEAD></HEAD><BODY><P>It is not a radius source issue. </P><P></P><P>Enable authentication was actually designed to work with TACACS. In IOS devices when we do "enable" authentication using the Radius protocol, the username sent to Radius Server (ACS), is not the one with which you logged in. It is "$enab15$", if you check the failed logs, I am sure you'll see that username. In case of Radius you would be required to create a user account with the username "$enab15$" and use the password for this account to be able to log into enable privilege mode.</P><P></P><P></P><P>Regards,</P><P>~JG</P><P></P><P>Do rate helpful posts</P><P></P></BODY></HTML> Thu, 09 Apr 2009 20:03:01 GMT Jagdeep Gambhir 2009-04-09T20:03:01Z https://community.cisco.com/t5/network-access-control/quot-ip-radius-source-loop0-quot-not-working-for-enable/m-p/1183980#M405493 <P>Hi All,</P><P></P><P>We have recently upgraded one of our routers to version 12.2SR.</P><P>One of the problems we are facing is that radius authentication is not working correcly for the enable part.</P><P></P><P>We are using loopback address as a source.</P><P></P><P>ip radius source-interface Loopback0</P><P></P><P>while for the user authentication the request from the router is using the loopback address, for the enable is using the physical address!!! we tried to remove and add all the aaa commands but same thing. This is not the case for older version i.e. 12.2SX</P><P></P><P>Find below the aaa and radius commands.</P><P></P><P>aaa new-model</P><P>aaa authentication login my_radius group radius local</P><P></P><P>aaa authentication enable default group radius enable</P><P></P><P>aaa session-id common</P><P>no cns aaa enable</P><P></P><P>aaa authentication login my_radius group radius local</P><P></P><P>aaa authentication enable default group radius enable</P><P></P><P>ip radius source-interface Loopback0 </P><P></P><P>radius-server host 1.1.1.1 auth-port 1812 acct-port 1813 key 7 xxxxxxxxxx</P> Sun, 10 Mar 2019 23:25:55 GMT https://community.cisco.com/t5/network-access-control/quot-ip-radius-source-loop0-quot-not-working-for-enable/m-p/1183980#M405493 pavlosd 2019-03-10T23:25:55Z https://community.cisco.com/t5/network-access-control/quot-ip-radius-source-loop0-quot-not-working-for-enable/m-p/1183981#M405494 <HTML><HEAD></HEAD><BODY><P>It is not a radius source issue. </P><P></P><P>Enable authentication was actually designed to work with TACACS. In IOS devices when we do "enable" authentication using the Radius protocol, the username sent to Radius Server (ACS), is not the one with which you logged in. It is "$enab15$", if you check the failed logs, I am sure you'll see that username. In case of Radius you would be required to create a user account with the username "$enab15$" and use the password for this account to be able to log into enable privilege mode.</P><P></P><P></P><P>Regards,</P><P>~JG</P><P></P><P>Do rate helpful posts</P><P></P></BODY></HTML> Thu, 09 Apr 2009 20:03:01 GMT https://community.cisco.com/t5/network-access-control/quot-ip-radius-source-loop0-quot-not-working-for-enable/m-p/1183981#M405494 Jagdeep Gambhir 2009-04-09T20:03:01Z https://community.cisco.com/t5/network-access-control/quot-ip-radius-source-loop0-quot-not-working-for-enable/m-p/1183982#M405495 <HTML><HEAD></HEAD><BODY><P>Hi JG,</P><P></P><P>we have already defined the "$enab15$" user. As I told you, the problem is that user authentication is using loopback address as a source, while enable is using local interface address. I can confirm this because, we added local address to the radius, till we sort out the problem.</P></BODY></HTML> Wed, 15 Apr 2009 12:08:05 GMT https://community.cisco.com/t5/network-access-control/quot-ip-radius-source-loop0-quot-not-working-for-enable/m-p/1183982#M405495 pavlosd 2009-04-15T12:08:05Z https://community.cisco.com/t5/network-access-control/quot-ip-radius-source-loop0-quot-not-working-for-enable/m-p/1183983#M405496 <HTML><HEAD></HEAD><BODY><P>Hi,</P><P>It seems we are hitting this bug,</P><P></P><P>ip radius source-interface ignored during enable authentication </P><P></P><P></P><P><A class="jive-link-custom" href="http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?caller=pluginredirector&amp;method=fetchBugDetails&amp;bugId=CSCsg01035" target="_blank">http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?caller=pluginredirector&amp;method=fetchBugDetails&amp;bugId=CSCsg01035</A></P><P></P><P>Regards,</P><P>~JG</P><P></P><P>Do rate helpful posts</P><P></P><P></P><P></P></BODY></HTML> Wed, 15 Apr 2009 15:20:10 GMT https://community.cisco.com/t5/network-access-control/quot-ip-radius-source-loop0-quot-not-working-for-enable/m-p/1183983#M405496 Jagdeep Gambhir 2009-04-15T15:20:10Z