09-12-2008 04:46 AM - edited 03-10-2019 04:05 PM
Hello
Got a Windows AD with a Cisco ACS 4.2 set up in front of it.
I have configured our firewalls (PIX/ASA) with AAA and it works well.
But today, when I was going to configure our switches with the same login system, I've encountered problems with the command "enable".
I'm using RADIUS and not TACACS.
Why does "Enable" work for my users in the firewalls and not the switches?
Firewall conf (the aaa-server group must be declared with its protocol before the host line, so that line is included here):
aaa-server auth protocol radius
aaa-server auth (inside) host 192.168.100.50 <key> timeout 5
aaa authentication telnet console auth LOCAL
aaa authentication ssh console auth LOCAL
aaa authentication enable console auth LOCAL
When configuring AAA on the switch I get this debug output:
Sep 12 11:01:23.966: RADIUS: Authenticating using $enab15$
Sep 12 11:01:23.966: RADIUS: Pick NAS IP for u=0x272E1E4 tableid=0 cfg_addr=0.0.0.0
Sep 12 11:01:23.966: RADIUS: ustruct sharecount=1
Sep 12 11:01:23.966: Radius: radius_port_info() success=1 radius_nas_port=1
Sep 12 11:01:23.966: RADIUS(00000000): Send Access-Request to 192.168.100.50:1645 id 1645/26, len 88
Sep 12 11:01:23.966: RADIUS: authenticator 60 30 66 23 E1 D3 5B C7 - 38 B8 65 B8 2B 33 B4 6E
Sep 12 11:01:23.966: RADIUS: NAS-IP-Address [4] 6 192.168.100.1
Sep 12 11:01:23.966: RADIUS: NAS-Port [5] 6 2
Sep 12 11:01:23.966: RADIUS: NAS-Port-Type [61] 6 Virtual [5]
Sep 12 11:01:23.966: RADIUS: User-Name [1] 10 "$enab15$"
Sep 12 11:01:23.966: RADIUS: Calling-Station-Id [31] 16 "192.168.75.172"
Sep 12 11:01:23.966: RADIUS: User-Password [2] 18 *
Sep 12 11:01:23.966: RADIUS: Service-Type [6] 6 Administrative [6]
Sep 12 11:01:23.983: RADIUS: Received from id 1645/26 192.168.100.50:1645, Access-Reject, len 32
Sep 12 11:01:23.983: RADIUS: authenticator 3D 50 89 A2 A8 AB 43 C2 - A6 CA FB DF D4 9B 78 05
Sep 12 11:01:23.983: RADIUS: Reply-Message [18] 12
My googling has given me the info that I need to use TACACS to make this AAA config work with switches/routers.
My question is, why does it work for the ASA/PIX?
Anyone got an idea?
Thanks
09-12-2008 05:29 AM
Hi,
Enable authentication was meant to function with TACACS, and when used with RADIUS it does not perform the same. As a result, the only way for you to get enable authentication to work with RADIUS would be to input the username $enab15$ into your RADIUS server.
When using the RADIUS protocol for enable authentication on an IOS or CatOS based device, the router sends a request to the RADIUS server for the username you mention, $enab15$.
The behavior is the same on PIX/ASA.
Hope that helps !
Regards,
~JG
Do rate helpful posts
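The exchange JG describes, and the debug output in the first post, can be reproduced offline. The following is an added example, not code from this thread or from Cisco: a minimal RFC 2865 encoder/decoder in pure Python that builds the same Access-Request the switch sent (User-Name "$enab15$", Service-Type Administrative, NAS-Port-Type Virtual, the same NAS and calling-station addresses, so the packet comes out at the 88 bytes seen in the debug), hides the User-Password with the shared secret the way the NAS does, and then plays the RADIUS server side: reject when "$enab15$" is not in the user database (what ACS did above), accept once it is. The shared secret, the enable password and the user database are constructed for the example; the "$enab<level>$" naming is the IOS convention the thread describes.

```python
import hashlib
import socket
import struct

# RADIUS codes and attribute types (RFC 2865)
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS, NAS_PORT, SERVICE_TYPE = 1, 2, 4, 5, 6
REPLY_MESSAGE, CALLING_STATION_ID, NAS_PORT_TYPE = 18, 31, 61
SERVICE_ADMINISTRATIVE = 6   # "Service-Type [6] 6 Administrative [6]" in the debug
NAS_PORT_TYPE_VIRTUAL = 5    # "NAS-Port-Type [61] 6 Virtual [5]" in the debug


def hide_password(password, secret, authenticator):
    """RFC 2865 5.2: pad to a 16-byte multiple, XOR each block with MD5(secret + previous block)."""
    padded = password + b"\x00" * (-len(password) % 16)
    if not padded:
        padded = b"\x00" * 16
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out, prev = out + block, block
    return out


def reveal_password(hidden, secret, authenticator):
    """Inverse of hide_password, as the RADIUS server performs it."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], key))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def attr(attr_type, value):
    """Type-Length-Value encoding; Length covers the two header bytes."""
    return struct.pack("!BB", attr_type, 2 + len(value)) + value


def parse_attrs(body):
    attrs, i = {}, 0
    while i < len(body):
        t, length = body[i], body[i + 1]
        attrs[t] = body[i + 2:i + length]
        i += length
    return attrs


def enable_level(user_name):
    """Privilege level encoded in an IOS "$enab<N>$" enable request, or None for a normal login."""
    if user_name.startswith("$enab") and user_name.endswith("$") and user_name[5:-1].isdigit():
        return int(user_name[5:-1])
    return None


def build_enable_request(ident, secret, authenticator, level, enable_password,
                         nas_ip, nas_port, calling_station):
    """The Access-Request IOS sends for 'enable' over RADIUS, attributes in the debug's order."""
    attrs = (attr(NAS_IP_ADDRESS, socket.inet_aton(nas_ip))
             + attr(NAS_PORT, struct.pack("!I", nas_port))
             + attr(NAS_PORT_TYPE, struct.pack("!I", NAS_PORT_TYPE_VIRTUAL))
             + attr(USER_NAME, f"$enab{level}$".encode())
             + attr(CALLING_STATION_ID, calling_station.encode())
             + attr(USER_PASSWORD, hide_password(enable_password, secret, authenticator))
             + attr(SERVICE_TYPE, struct.pack("!I", SERVICE_ADMINISTRATIVE)))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + authenticator + attrs


def radius_server_decide(packet, secret, users):
    """Server side: recover the password, look the User-Name up, answer Accept or Reject."""
    _, ident, length = struct.unpack("!BBH", packet[:4])
    request_auth = packet[4:20]
    attrs = parse_attrs(packet[20:length])
    user = attrs[USER_NAME].decode()
    password = reveal_password(attrs[USER_PASSWORD], secret, request_auth)
    accepted = user in users and users[user] == password
    code = ACCESS_ACCEPT if accepted else ACCESS_REJECT
    reply_attrs = b"" if accepted else attr(REPLY_MESSAGE, b"Rejected")  # constructed text
    header = struct.pack("!BBH", code, ident, 20 + len(reply_attrs))
    # Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)
    response_auth = hashlib.md5(header + request_auth + reply_attrs + secret).digest()
    return header + response_auth + reply_attrs


def verify_response(response, request_auth, secret):
    """What the NAS must check before trusting an Accept: the Response Authenticator."""
    header, attrs = response[:4], response[20:]
    return hashlib.md5(header + request_auth + attrs + secret).digest() == response[4:20]


if __name__ == "__main__":
    secret = b"shared-secret-example"           # constructed; not the poster's <key>
    req_auth = bytes(range(16))                  # a NAS would use 16 random bytes
    request = build_enable_request(26, secret, req_auth, 15, b"enable-pw",
                                   "192.168.100.1", 2, "192.168.75.172")
    print("request length:", len(request))      # 88, as in the debug
    users_without = {"alice": b"alice-pw"}       # AD-style user list, no $enab15$ entry
    users_with = dict(users_without, **{"$enab15$": b"enable-pw"})
    for db in (users_without, users_with):
        resp = radius_server_decide(request, secret, db)
        print("code", resp[0], "valid", verify_response(resp, req_auth, secret))
```

The 88-byte length matching the debug is a quick sanity check that the attribute set is the one the switch really sends; the point of the example is that nothing in the request carries the operator's own login name, so the server can only match on "$enab15$" (or "$enab<N>$" for other levels) and a password stored for that entry.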
09-12-2008 05:32 AM
Hi JG
But the PIX/ASA also use RADIUS, and on those systems the "enable" command works?
And I have not added the user "$enab15$" to AD either.