Hi Justin,

Justin Westover · ‎11-01-2015

I have the below radius configuration set on my Cisco 2921 running 15.2(4)M6. I'm having issues with setting the enable password to also use the radius group. For example, If I add "aaa authentication enable default group RADIUS_GROUP enable" to the below config I can't get into the router, I keep getting prompted for an enable password. It doesn't take the locally configured enable password and it doesn't take my AAA password. What am I missing here?

aaa authentication login default group RADIUS_GROUP local-case
aaa accounting update periodic 60
aaa accounting exec default start-stop group RADIUS_GROUP
aaa accounting network default start-stop group RADIUS_GROUP
aaa accounting connection default start-stop group RADIUS_GROUP
aaa accounting system default start-stop group RADIUS_GROUP

Seb Rupik · ‎11-01-2015

Hi Justin,

It looks like you're missing an authZ statement:

!
aaa authorization exec default group RADIUS_GROUP local
!

cheers,

Seb.

Justin Westover · ‎11-02-2015

I added that command and there's no difference, I'm still prompted for the enable password. I also tried putting the "if-authenticated" flag at the end of the authorization exec command but that also didn't work. It only allows me through enable if I use the local enable password on the router.

Jagdeep Gambhir · ‎11-02-2015

Justin,

Why do you want to use enable password configured on the radius server? Enable authentication was designed for tacacs but also start using it with radius.

Please check if you see any logs when enable authen fails to log you in? Do we have User-Name="$enab15$ configured on radius?

Regards,

~JG

Justin Westover · ‎11-04-2015

So for now I've entered the "aaa authentication enable default none" command. I don't like it but until we get TACACS implemented it will make our life a little easier.

ppalmerjr · ‎03-31-2016

Did you ever get this resolved. I have a similar issue where I have OpenLDAP with a NetworkAdmins group. This group, I want to have full priv15 and the users should drop into enable mode upon their initial log in.

I have it working to where the user can authenticate into user mode but then when I enable it sends another request to freeradius with the username "$enab15$" and obviously this fails since there is no user in LDAP with this username.

I tried entering in the shell in the users file(freeradius) but with no success. And I do not wnat to have a shared enable password.

There has to be a way to do this.

Karsten Iwen · ‎11-02-2015

Have you prepared your RADIUS-server to handle these requests?

For the login, the router sends the request with

NAS-Port-Type=Virtual
Service-Type=Login

and your username. For enable, the router sends

NAS-Port-Type=Virtual
User-Name="$enab15$"
Service-Type=Administrative

And think about using TACACS+ instead of RADIUS for this task (if possible), it's more powerful and flexible.

Justin Westover · ‎11-02-2015

Hm so how would I prepare a Radius server to handle this request? I do see these in the logs so you're correct. Would this be an authorization policy? I did try creating a new authorization policy granting shell:lv15 access (shell:priv-1v1=15), this didn't work either. Here's my AAA config on the router now:

aaa authentication login default group RADIUS_GROUP local-case
aaa authorization config-commands
aaa authorization exec default group RADIUS_GROUP local if-authenticated
aaa accounting update periodic 60
aaa accounting exec default start-stop group RADIUS_GROUP
aaa accounting network default start-stop group RADIUS_GROUP
aaa accounting connection default start-stop group RADIUS_GROUP
aaa accounting system default start-stop group RADIUS_GROUP

AAA Enable authentication issue