topic Hm so how would I prepare a in Network Access Control

AAA Enable authentication issue

Justin Westover — Mon, 11 Mar 2019 06:12:29 GMT

I have the below radius configuration set on my Cisco 2921 running 15.2(4)M6. I'm having issues with setting the enable password to also use the radius group. For example, If I add "aaa authentication enable default group RADIUS_GROUP enable" to the below config I can't get into the router, I keep getting prompted for an enable password. It doesn't take the locally configured enable password and it doesn't take my AAA password. What am I missing here?

aaa authentication login default group RADIUS_GROUP local-case
aaa accounting update periodic 60
aaa accounting exec default start-stop group RADIUS_GROUP
aaa accounting network default start-stop group RADIUS_GROUP
aaa accounting connection default start-stop group RADIUS_GROUP
aaa accounting system default start-stop group RADIUS_GROUP

Hi Justin,

Seb Rupik — Mon, 02 Nov 2015 07:56:27 GMT

Hi Justin,

It looks like you're missing an authZ statement:

!
aaa authorization exec default group RADIUS_GROUP local
!

cheers,

Seb.

Have you prepared your RADIUS

Karsten Iwen — Mon, 02 Nov 2015 09:17:45 GMT

Have you prepared your RADIUS-server to handle these requests?

For the login, the router sends the request with

NAS-Port-Type=Virtual
Service-Type=Login

and your username. For enable, the router sends

NAS-Port-Type=Virtual
User-Name="$enab15$"
Service-Type=Administrative

And think about using TACACS+ instead of RADIUS for this task (if possible), it's more powerful and flexible.

I added that command and

Justin Westover — Mon, 02 Nov 2015 15:53:33 GMT

I added that command and there's no difference, I'm still prompted for the enable password. I also tried putting the "if-authenticated" flag at the end of the authorization exec command but that also didn't work. It only allows me through enable if I use the local enable password on the router.

Hm so how would I prepare a

Justin Westover — Mon, 02 Nov 2015 15:56:15 GMT

Hm so how would I prepare a Radius server to handle this request? I do see these in the logs so you're correct. Would this be an authorization policy? I did try creating a new authorization policy granting shell:lv15 access (shell:priv-1v1=15), this didn't work either. Here's my AAA config on the router now:

aaa authentication login default group RADIUS_GROUP local-case
aaa authorization config-commands
aaa authorization exec default group RADIUS_GROUP local if-authenticated
aaa accounting update periodic 60
aaa accounting exec default start-stop group RADIUS_GROUP
aaa accounting network default start-stop group RADIUS_GROUP
aaa accounting connection default start-stop group RADIUS_GROUP
aaa accounting system default start-stop group RADIUS_GROUP

Justin,

Jagdeep Gambhir — Mon, 02 Nov 2015 20:55:53 GMT

Justin,

Why do you want to use enable password configured on the radius server? Enable authentication was designed for tacacs but also start using it with radius.

Please check if you see any logs when enable authen fails to log you in? Do we have User-Name="$enab15$ configured on radius?

Regards,

~JG

So for now I've entered the

Justin Westover — Thu, 05 Nov 2015 02:41:09 GMT

So for now I've entered the "aaa authentication enable default none" command. I don't like it but until we get TACACS implemented it will make our life a little easier.

Did you ever get this

ppalmerjr — Thu, 31 Mar 2016 14:57:48 GMT

Did you ever get this resolved. I have a similar issue where I have OpenLDAP with a NetworkAdmins group. This group, I want to have full priv15 and the users should drop into enable mode upon their initial log in.

I have it working to where the user can authenticate into user mode but then when I enable it sends another request to freeradius with the username "$enab15$" and obviously this fails since there is no user in LDAP with this username.

I tried entering in the shell in the users file(freeradius) but with no success. And I do not wnat to have a shared enable password.

There has to be a way to do this.