472 Views, 3 Helpful, 2 Replies

AAA config for "enable" in switch vs firewall.

azore2007
Level 1

Hello

Got a Windows AD with a Cisco ACS 4.2 set up in front of it.

I have configured our firewalls (PIX/ASA) with AAA now and it works well.

But today, when I was going to configure our switches with the same login system, I encountered problems with the command "enable".

I'm using Radius and not tacacs.

Why does "Enable" work for my users in the firewalls and not the switches?

Firewall config:

aaa-server auth (inside) host 192.168.100.50 <key> timeout 5
aaa authentication telnet console auth LOCAL
aaa authentication ssh console auth LOCAL
aaa authentication enable console auth LOCAL

When configuring AAA on the switch I get this debug output:

Sep 12 11:01:23.966: RADIUS: Authenticating using $enab15$
Sep 12 11:01:23.966: RADIUS: Pick NAS IP for u=0x272E1E4 tableid=0 cfg_addr=0.0.0.0
Sep 12 11:01:23.966: RADIUS: ustruct sharecount=1
Sep 12 11:01:23.966: Radius: radius_port_info() success=1 radius_nas_port=1
Sep 12 11:01:23.966: RADIUS(00000000): Send Access-Request to 192.168.100.50:1645 id 1645/26, len 88
Sep 12 11:01:23.966: RADIUS: authenticator 60 30 66 23 E1 D3 5B C7 - 38 B8 65 B8 2B 33 B4 6E
Sep 12 11:01:23.966: RADIUS: NAS-IP-Address [4] 6 192.168.100.1
Sep 12 11:01:23.966: RADIUS: NAS-Port [5] 6 2
Sep 12 11:01:23.966: RADIUS: NAS-Port-Type [61] 6 Virtual [5]
Sep 12 11:01:23.966: RADIUS: User-Name [1] 10 "$enab15$"
Sep 12 11:01:23.966: RADIUS: Calling-Station-Id [31] 16 "192.168.75.172"
Sep 12 11:01:23.966: RADIUS: User-Password [2] 18 *
Sep 12 11:01:23.966: RADIUS: Service-Type [6] 6 Administrative [6]
Sep 12 11:01:23.983: RADIUS: Received from id 1645/26 192.168.100.50:1645, Access-Reject, len 32
Sep 12 11:01:23.983: RADIUS: authenticator 3D 50 89 A2 A8 AB 43 C2 - A6 CA FB DF D4 9B 78 05
Sep 12 11:01:23.983: RADIUS: Reply-Message [18] 12

My googling has told me that I need to use TACACS to make this AAA config work with switches/routers.

My question is: why does it work for the ASA/PIX?

Anyone got an idea?

Thanks
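The debug output above is easier to read once each Access-Request is paired with its reply and the enable pseudo-user is picked out. The following is an added example, not code from the thread or from Cisco: a small parser for IOS "debug radius" lines that records the User-Name and Service-Type of each request, matches the Access-Accept/Access-Reject by request id, and flags requests whose User-Name has the $enab<level>$ form. The sample log is constructed from the lines quoted in the post plus a made-up accepted login for a user "alice", so the two cases can be told apart.

```python
"""Pair IOS 'debug radius' Access-Requests with their replies and flag
enable-authentication attempts (User-Name of the form $enab<level>$).
Added example; the log below is constructed, modelled on the post's output."""
import re
from typing import Dict, List, Optional

# Constructed sample: the rejected $enab15$ request from the post, followed by
# a made-up normal login for "alice" that the server accepts.
SAMPLE_DEBUG = """\
Sep 12 11:01:23.966: RADIUS: Authenticating using $enab15$
Sep 12 11:01:23.966: RADIUS(00000000): Send Access-Request to 192.168.100.50:1645 id 1645/26, len 88
Sep 12 11:01:23.966: RADIUS: authenticator 60 30 66 23 E1 D3 5B C7 - 38 B8 65 B8 2B 33 B4 6E
Sep 12 11:01:23.966: RADIUS: NAS-IP-Address [4] 6 192.168.100.1
Sep 12 11:01:23.966: RADIUS: User-Name [1] 10 "$enab15$"
Sep 12 11:01:23.966: RADIUS: Calling-Station-Id [31] 16 "192.168.75.172"
Sep 12 11:01:23.966: RADIUS: User-Password [2] 18 *
Sep 12 11:01:23.966: RADIUS: Service-Type [6] 6 Administrative [6]
Sep 12 11:01:23.983: RADIUS: Received from id 1645/26 192.168.100.50:1645, Access-Reject, len 32
Sep 12 11:01:23.983: RADIUS: Reply-Message [18] 12
Sep 12 11:02:10.100: RADIUS(00000000): Send Access-Request to 192.168.100.50:1645 id 1645/27, len 76
Sep 12 11:02:10.100: RADIUS: User-Name [1] 7 "alice"
Sep 12 11:02:10.100: RADIUS: User-Password [2] 18 *
Sep 12 11:02:10.100: RADIUS: Service-Type [6] 6 Login [1]
Sep 12 11:02:10.118: RADIUS: Received from id 1645/27 192.168.100.50:1645, Access-Accept, len 20
"""

SEND_RE = re.compile(r"RADIUS\(\w+\): Send Access-Request to (\S+) id (\S+), len \d+")
RECV_RE = re.compile(r"RADIUS: Received from id (\S+) \S+, (Access-\w+), len \d+")
# Attribute lines look like:  RADIUS: User-Name [1] 10 "$enab15$"
ATTR_RE = re.compile(r"RADIUS: ([\w-]+) \[\d+\] \d+\s*(.*)$")
ENABLE_USER_RE = re.compile(r"^\$enab(\d+)\$$")


def parse_radius_debug(text: str) -> List[Dict[str, object]]:
    """Return one record per Access-Request, in send order, with its reply."""
    transactions: List[Dict[str, object]] = []
    by_id: Dict[str, Dict[str, object]] = {}
    current: Optional[Dict[str, object]] = None
    phase = "request"  # which side's attributes the next attribute lines belong to
    for line in text.splitlines():
        m = SEND_RE.search(line)
        if m:
            current = {"server": m.group(1), "id": m.group(2),
                       "attrs": {}, "reply_attrs": {}, "result": None}
            transactions.append(current)
            by_id[m.group(2)] = current
            phase = "request"
            continue
        m = RECV_RE.search(line)
        if m:
            current = by_id.get(m.group(1))
            if current is not None:
                current["result"] = m.group(2)
            phase = "reply"
            continue
        m = ATTR_RE.search(line)
        if m and current is not None:
            bucket = current["attrs"] if phase == "request" else current["reply_attrs"]
            bucket[m.group(1)] = m.group(2).strip('"')
    for tx in transactions:
        user = str(tx["attrs"].get("User-Name", ""))
        tx["user"] = user
        em = ENABLE_USER_RE.match(user)
        tx["enable_level"] = int(em.group(1)) if em else None
    return transactions


def explain(tx: Dict[str, object]) -> str:
    """One-line verdict for a transaction, in the terms the thread uses."""
    result = tx["result"] or "no reply seen"
    if tx["enable_level"] is not None:
        note = (f"enable (privilege {tx['enable_level']}) was authenticated as pseudo-user "
                f"{tx['user']} with Service-Type {tx['attrs'].get('Service-Type', '?')}: {result}")
        if tx["result"] == "Access-Reject":
            note += (f"; the RADIUS server has no account named {tx['user']}, so either add "
                     "that username on the server or authenticate enable via TACACS+")
        return note
    return f"login for user {tx['user']!r}: {result}"


def summarize(text: str) -> List[str]:
    """Parse a debug capture and return one verdict line per transaction."""
    return [explain(tx) for tx in parse_radius_debug(text)]


if __name__ == "__main__":
    for line in summarize(SAMPLE_DEBUG):
        print(line)
```

Run it as-is to see the two verdicts; point `summarize` at a saved `debug radius` capture to check whether failing enable attempts on a switch are the $enab15$ pseudo-user rather than the operator's own account.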

2 Replies

Jagdeep Gambhir
Level 10

Hi,

Enable authentication was meant to function with TACACS, and when used with RADIUS it does not perform the same. As a result, the only way for you to get enable authentication to work with RADIUS would be to input the username $enab15$ into your RADIUS server.

When using the RADIUS protocol for enable authentication on an IOS or CatOS based device, the router sends a request to the RADIUS server for the username you mention, $enabl15.

The behavior is the same on PIX/ASA.

Hope that helps !

Regards,

~JG

Do rate helpful posts

Hi JG

But the PIX/ASA use RADIUS as well, and the "enable" command works on those systems?

And I have not added the user "$enabl15" to the AD either.
