https://community.cisco.com/t5/network-access-control/explanation-aaa-commands/m-p/4872651#M582841 <P>...</P> Wed, 12 Jul 2023 16:29:33 GMT MHM Cisco World 2023-07-12T16:29:33Z https://community.cisco.com/t5/network-access-control/explanation-aaa-commands/m-p/4872640#M582838 <P>Hello,</P> <P>unfortunately I did not get smart from google. With the following command configure AAA so that I can log in from a Radius server. I understand that and if I add enable at the end, then the enable password is virtually fallback. Now our configuration looks like this and when I log in I get directly into the enable mode.</P> <P>aaa authentication login default local group RADIUS_AUTH</P> <P>aaa authorization exec default local group RADIUS_AUTH if-authenticated</P> <P>&nbsp;</P> <P>But what is the following configuration good for? We do not have this in use, but it is always written so that it is the login to the enable mode. What is the difference here?</P> <P>aaa authentication enable default group RADIUS_AUTH</P> <P>&nbsp;</P> <P>&nbsp;</P> <P>Why do I get automatically into the enalbe mode, without the above mentioned command? Is there something additional configured on the AAA server?</P> <P>&nbsp;</P> <P>BR</P> <P>&nbsp;</P> Wed, 12 Jul 2023 15:56:35 GMT https://community.cisco.com/t5/network-access-control/explanation-aaa-commands/m-p/4872640#M582838 mgollob 2023-07-12T15:56:35Z https://community.cisco.com/t5/network-access-control/explanation-aaa-commands/m-p/4872646#M582840 <P>Hello&nbsp;<a href="https://community.cisco.com/t5/user/viewprofilepage/user-id/1478687">@mgollob</a>&nbsp;,</P><P>The "aaa authentication enable" command is used to configure authentication for accessing the enable mode on a Cisco device. <U>By default</U>, if you have not explicitly configured authentication for the enable mode, the device will allow direct access to the enable mode without requiring any additional authentication.</P><P>In your current configuration, you have the following authentication configuration:</P><LI-CODE lang="markup">aaa authentication login default local group RADIUS_AUTH aaa authorization exec default local group RADIUS_AUTH if-authenticated</LI-CODE><P>This configuration specifies that the login authentication should be performed using the local database first, and if that fails, it should fall back to the RADIUS server specified in the RADIUS_AUTH group.</P><P>The "aaa authentication enable" command is not present in your configuration, which means that authentication is not explicitly configured for the enable mode. <U>In this case, the device allows direct access to the enable mode without any additional authentication.</U></P><P>If you want to require authentication for the enable mode as well, you can add the following command:</P><LI-CODE lang="markup">aaa authentication enable default group RADIUS_AUTH</LI-CODE><P>This configuration would then use the RADIUS server specified in the RADIUS_AUTH group for authentication when accessing the enable mode.</P><P>It's possible that there might be additional configuration on the AAA server (such as group settings or permissions) that automatically grants access to the enable mode after successful authentication. You may need to check the configuration on the AAA server to determine if there are any additional settings influencing the behavior you are experiencing.</P> Wed, 12 Jul 2023 16:18:45 GMT https://community.cisco.com/t5/network-access-control/explanation-aaa-commands/m-p/4872646#M582840 M02@rt37 2023-07-12T16:18:45Z https://community.cisco.com/t5/network-access-control/explanation-aaa-commands/m-p/4872651#M582841 <P>...</P> Wed, 12 Jul 2023 16:29:33 GMT https://community.cisco.com/t5/network-access-control/explanation-aaa-commands/m-p/4872651#M582841 MHM Cisco World 2023-07-12T16:29:33Z