11-01-2015 10:36 PM - edited 03-10-2019 11:12 PM
I have the below RADIUS configuration set on my Cisco 2921 running 15.2(4)M6. I'm having issues with setting the enable password to also use the RADIUS group. For example, if I add "aaa authentication enable default group RADIUS_GROUP enable" to the below config, I can't get into the router; I keep getting prompted for an enable password. It doesn't take the locally configured enable password and it doesn't take my AAA password. What am I missing here?
aaa authentication login default group RADIUS_GROUP local-case
aaa accounting update periodic 60
aaa accounting exec default start-stop group RADIUS_GROUP
aaa accounting network default start-stop group RADIUS_GROUP
aaa accounting connection default start-stop group RADIUS_GROUP
aaa accounting system default start-stop group RADIUS_GROUP
11-01-2015 11:56 PM
Hi Justin,
It looks like you're missing an authZ statement:
!
aaa authorization exec default group RADIUS_GROUP local
!
cheers,
Seb.
11-02-2015 07:53 AM
I added that command and there's no difference, I'm still prompted for the enable password. I also tried putting the "if-authenticated" flag at the end of the authorization exec command but that also didn't work. It only allows me through enable if I use the local enable password on the router.
11-02-2015 12:55 PM
Justin,
Why do you want to use the enable password configured on the RADIUS server? Enable authentication was designed for TACACS but is also starting to be used with RADIUS.
Please check whether you see any logs when enable authentication fails to log you in. Do we have User-Name="$enab15$" configured on RADIUS?
Regards,
~JG
11-04-2015 06:41 PM
So for now I've entered the "aaa authentication enable default none" command. I don't like it but until we get TACACS implemented it will make our life a little easier.
03-31-2016 07:57 AM
Did you ever get this resolved? I have a similar issue where I have OpenLDAP with a NetworkAdmins group. This group I want to have full priv 15, and the users should drop into enable mode upon their initial login.
I have it working to where the user can authenticate into user mode, but then when I enable it sends another request to FreeRADIUS with the username "$enab15$", and obviously this fails since there is no user in LDAP with this username.
I tried entering the shell attribute in the users file (FreeRADIUS) but with no success. And I do not want to have a shared enable password.
There has to be a way to do this.
11-02-2015 01:17 AM
Have you prepared your RADIUS-server to handle these requests?
For the login, the router sends the request with
NAS-Port-Type=Virtual
Service-Type=Login
and your username. For enable, the router sends
NAS-Port-Type=Virtual
User-Name="$enab15$"
Service-Type=Administrative
And think about using TACACS+ instead of RADIUS for this task (if possible), it's more powerful and flexible.
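To make the two request shapes above concrete, here is an added example (not code from the thread or from Cisco or FreeRADIUS) that builds the Access-Request a router would send for a login and for enable, with RFC 2865 User-Password hiding, then decodes them and applies the server-side policy the thread is after: answer "$enab15$" with Service-Type=Administrative against a single enable secret, and answer an ordinary Login-User request with a Cisco-AVPair of shell:priv-lvl=15 so "aaa authorization exec ... group radius" drops the user straight into privilege 15 without a separate enable step. The shared secret, the user list, the passwords and the enable secret are all constructed for the example.

```python
"""RADIUS Access-Request shapes a Cisco IOS router sends for login vs. enable.
Added example, not from the thread. Encodes the requests with RFC 2865
User-Password hiding, decodes them, and applies a RADIUS-server-style policy.
The shared secret, user directory and enable secret below are constructed."""
import hashlib
import os
import struct

ACCESS_REQUEST = 1
# Attribute types from RFC 2865
USER_NAME, USER_PASSWORD, SERVICE_TYPE, NAS_PORT_TYPE = 1, 2, 6, 61
SERVICE_LOGIN_USER, SERVICE_ADMINISTRATIVE_USER = 1, 6   # Login / Administrative
NAS_PORT_TYPE_VIRTUAL = 5                                # "Virtual" (vty session)
ENABLE_USER = "$enab15$"                                 # username IOS sends for 'enable'


def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 5.2: pad to 16-byte blocks, XOR each with MD5(secret + previous block)."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out += block
        prev = block
    return out


def reveal_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of hide_password; the chaining value is the previous ciphertext block."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], key))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def attr(attr_type: int, value: bytes) -> bytes:
    """Type-Length-Value encoding; length covers the two header bytes."""
    return struct.pack("!BB", attr_type, 2 + len(value)) + value


def build_request(username, password, service_type, secret, ident=1, authenticator=None):
    """What the router (NAS) puts on the wire: header, authenticator, then attributes."""
    authenticator = authenticator or os.urandom(16)
    attrs = (attr(USER_NAME, username.encode())
             + attr(USER_PASSWORD, hide_password(password.encode(), secret, authenticator))
             + attr(SERVICE_TYPE, struct.pack("!I", service_type))
             + attr(NAS_PORT_TYPE, struct.pack("!I", NAS_PORT_TYPE_VIRTUAL)))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + authenticator + attrs


def parse_request(packet: bytes, secret: bytes) -> dict:
    """Server side: walk the TLVs and recover the cleartext password."""
    _code, _ident, length = struct.unpack("!BBH", packet[:4])
    authenticator = packet[4:20]
    fields, pos = {}, 20
    while pos < length:
        t, l = packet[pos], packet[pos + 1]
        v = packet[pos + 2:pos + l]
        if t == USER_NAME:
            fields["User-Name"] = v.decode()
        elif t == USER_PASSWORD:
            fields["User-Password"] = reveal_password(v, secret, authenticator).decode()
        elif t == SERVICE_TYPE:
            fields["Service-Type"] = struct.unpack("!I", v)[0]
        elif t == NAS_PORT_TYPE:
            fields["NAS-Port-Type"] = struct.unpack("!I", v)[0]
        pos += l
    return fields


# Constructed directory (hypothetical users) and the one enable secret $enab15$ is checked against.
USERS = {
    "justin": {"password": "Login-Pa55", "priv": 15},
    "helpdesk": {"password": "Helpdesk-password-longer-than-16", "priv": 1},
}
ENABLE_SECRET = "Enable-S3cret"


def decide(fields: dict):
    """Return (accept, reply_attributes) the way a RADIUS policy for these requests would."""
    name = fields.get("User-Name")
    pwd = fields.get("User-Password")
    svc = fields.get("Service-Type")
    if name == ENABLE_USER and svc == SERVICE_ADMINISTRATIVE_USER:
        # 'enable' with "aaa authentication enable default group radius": shared enable secret
        return pwd == ENABLE_SECRET, {}
    user = USERS.get(name)
    if user is None or pwd != user["password"]:
        return False, {}
    # Login: the AV-pair lets "aaa authorization exec ... group radius" set the exec level
    return True, {"Cisco-AVPair": f"shell:priv-lvl={user['priv']}"}
```

In FreeRADIUS terms, decide() models two `users` file entries: one for `$enab15$` with `Cleartext-Password := "..."` checked against `Service-Type == Administrative-User`, and the normal user entries carrying `Cisco-AVPair = "shell:priv-lvl=15"` as a reply item. Note that the enable request carries no real username, only `$enab15$`, so a server can only answer it with a secret shared by everyone; per-user privilege without a shared enable password is done through the priv-lvl reply on the login request, which is why the "aaa authorization exec" line matters.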
11-02-2015 07:56 AM
Hm, so how would I prepare a RADIUS server to handle this request? I do see these in the logs, so you're correct. Would this be an authorization policy? I did try creating a new authorization policy granting shell:lv15 access (shell:priv-lvl=15), but this didn't work either. Here's my AAA config on the router now:
aaa authentication login default group RADIUS_GROUP local-case
aaa authorization config-commands
aaa authorization exec default group RADIUS_GROUP local if-authenticated
aaa accounting update periodic 60
aaa accounting exec default start-stop group RADIUS_GROUP
aaa accounting network default start-stop group RADIUS_GROUP
aaa accounting connection default start-stop group RADIUS_GROUP
aaa accounting system default start-stop group RADIUS_GROUP