AAA Enable authentication issue

I have the RADIUS configuration below on my Cisco 2921 running 15.2(4)M6. I'm having issues with setting the enable password to also use the RADIUS group. For example, if I add "aaa authentication enable default group RADIUS_GROUP enable" to the config below, I can't get into the router: I keep getting prompted for an enable password. It doesn't take the locally configured enable password and it doesn't take my AAA password. What am I missing here?

aaa authentication login default group RADIUS_GROUP local-case
aaa accounting update periodic 60
aaa accounting exec default start-stop group RADIUS_GROUP
aaa accounting network default start-stop group RADIUS_GROUP
aaa accounting connection default start-stop group RADIUS_GROUP
aaa accounting system default start-stop group RADIUS_GROUP

VIP Advisor

Hi Justin,

It looks like you're missing an authZ statement:

!
aaa authorization exec default group RADIUS_GROUP local
!

cheers,

Seb.

I added that command and there's no difference, I'm still prompted for the enable password. I also tried putting the "if-authenticated" flag at the end of the authorization exec command but that also didn't work. It only allows me through enable if I use the local enable password on the router. 

Justin,

Why do you want to use an enable password configured on the RADIUS server? Enable authentication was designed for TACACS+, but people have also started using it with RADIUS.

Please check whether you see any logs when enable authentication fails to log you in. Do you have User-Name="$enab15$" configured on RADIUS?

Regards,

~JG

So for now I've entered the "aaa authentication enable default none" command. I don't like it but until we get TACACS implemented it will make our life a little easier. 

Beginner

Did you ever get this resolved? I have a similar issue where I have OpenLDAP with a NetworkAdmins group. I want this group to have full priv 15, and the users should drop into enable mode upon their initial login.

I have it working to where the user can authenticate into user mode, but when I type enable it sends another request to FreeRADIUS with the username "$enab15$", and obviously this fails since there is no user in LDAP with this username.

I tried entering the shell attribute in the FreeRADIUS users file, but with no success. And I do not want to have a shared enable password.

There has to be a way to do this.

VIP Mentor

Have you prepared your RADIUS-server to handle these requests?

For the login, the router sends the request with

NAS-Port-Type=Virtual
Service-Type=Login

and your username. For enable, the router sends

NAS-Port-Type=Virtual
User-Name="$enab15$"
Service-Type=Administrative

And think about using TACACS+ instead of RADIUS for this task (if possible), it's more powerful and flexible.
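Added example, not from this thread: FreeRADIUS users-file entries that handle the two request shapes described above. Assumptions (mine, not the thread's): the LDAP group is called NetworkAdmins, rlm_ldap is configured so that the Ldap-Group check item works, the Cisco VSA dictionary is loaded (it is by default), and the enable secret shown is a placeholder. The router side also needs "aaa authorization exec default group RADIUS_GROUP local", as suggested earlier in the thread, so that the returned privilege level is applied. One caveat worth knowing: the trailing "enable" method in "aaa authentication enable default group RADIUS_GROUP enable" is only consulted when the RADIUS group does not answer, not when it returns Access-Reject, which is why neither password worked for the original poster once the server rejected "$enab15$".

```text
# Added example: FreeRADIUS "users" file entries for Cisco IOS login and
# enable requests. Group name, secret and attribute choices are assumptions.

# 1. Login request: User-Name = <real user>, Service-Type = Login.
#    Members of NetworkAdmins (assumed LDAP group) are put straight into
#    privilege 15, so the router never sends the follow-up "$enab15$"
#    request. Needs "aaa authorization exec default group RADIUS_GROUP local"
#    on the router for the reply attributes to take effect.
DEFAULT Ldap-Group == "NetworkAdmins", Service-Type == Login
        Service-Type = NAS-Prompt-User,
        Cisco-AVPair = "shell:priv-lvl=15"

# 2. Enable request: User-Name = "$enab15$", Service-Type = Administrative.
#    This request carries no real username, only the enable password the
#    operator typed, so the only thing the server can check is a shared
#    enable secret. Keep this entry only if the router still has
#    "aaa authentication enable default group RADIUS_GROUP ..." configured.
"$enab15$" Cleartext-Password := "REPLACE-WITH-ENABLE-SECRET", Service-Type == Administrative
        Reply-Message = "enable granted"

# 3. Anyone not matched above is rejected rather than silently landing in a
#    low-privilege shell. Relax this if other LDAP users should get user EXEC.
DEFAULT Auth-Type := Reject
```

Run the server in debug mode (radiusd -X), log in from the router and watch which request arrives: if the login reply carries shell:priv-lvl=15 and exec authorization is enabled, the "$enab15$" Access-Request should no longer appear at all, which removes the need for any shared enable password on the RADIUS side.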

Hm, so how would I prepare a RADIUS server to handle this request? I do see these in the logs, so you're correct. Would this be an authorization policy? I did try creating a new authorization policy granting shell privilege 15 access (shell:priv-lvl=15), but this didn't work either. Here's my AAA config on the router now:

aaa authentication login default group RADIUS_GROUP local-case
aaa authorization config-commands
aaa authorization exec default group RADIUS_GROUP local if-authenticated
aaa accounting update periodic 60
aaa accounting exec default start-stop group RADIUS_GROUP
aaa accounting network default start-stop group RADIUS_GROUP
aaa accounting connection default start-stop group RADIUS_GROUP
aaa accounting system default start-stop group RADIUS_GROUP