Explanation AAA Commands

mgollob
Level 1

Hello,

Unfortunately, I did not get any wiser from Google. With the following command I configure AAA so that I can log in from a RADIUS server. I understand that, and if I add enable at the end, then the enable password is virtually the fallback. Now our configuration looks like this, and when I log in I get directly into the enable mode.

aaa authentication login default local group RADIUS_AUTH

aaa authorization exec default local group RADIUS_AUTH if-authenticated

 

But what is the following configuration good for? We do not have this in use, but it is always written so that it is the login to the enable mode. What is the difference here?

aaa authentication enable default group RADIUS_AUTH

Why do I get automatically into the enable mode without the above-mentioned command? Is there something additional configured on the AAA server?

 

BR

 

Accepted Solutions

M02@rt37
VIP

Hello @mgollob ,

The "aaa authentication enable" command is used to configure authentication for accessing the enable mode on a Cisco device. By default, if you have not explicitly configured authentication for the enable mode, the device will allow direct access to the enable mode without requiring any additional authentication.

In your current configuration, you have the following authentication configuration:

aaa authentication login default local group RADIUS_AUTH
aaa authorization exec default local group RADIUS_AUTH if-authenticated

This configuration specifies that the login authentication should be performed using the local database first, and if that fails, it should fall back to the RADIUS server specified in the RADIUS_AUTH group.

The "aaa authentication enable" command is not present in your configuration, which means that authentication is not explicitly configured for the enable mode. In this case, the device allows direct access to the enable mode without any additional authentication.

If you want to require authentication for the enable mode as well, you can add the following command:

aaa authentication enable default group RADIUS_AUTH

This configuration would then use the RADIUS server specified in the RADIUS_AUTH group for authentication when accessing the enable mode.

It's possible that there might be additional configuration on the AAA server (such as group settings or permissions) that automatically grants access to the enable mode after successful authentication. You may need to check the configuration on the AAA server to determine if there are any additional settings influencing the behavior you are experiencing.

Best regards
...
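
The method lists discussed in this thread, as an added example that is not part of the original posts: a small Python parser that reads "aaa authentication" and "aaa authorization" lines from a configuration and reports the methods of the default login, enable and exec lists in the order they are written. The sample configuration is constructed from the two lines in the question, and parse_method_lists and audit are hypothetical helper names.

```python
import re

# Constructed sample: the two AAA lines from the question, plus "aaa new-model".
SAMPLE_CONFIG = """\
aaa new-model
aaa authentication login default local group RADIUS_AUTH
aaa authorization exec default local group RADIUS_AUTH if-authenticated
"""

# kind, service (login/enable/exec), list name, then the method keywords
AAA_LINE = re.compile(r"^aaa (authentication|authorization) (\S+) (\S+) (.+)$")


def parse_method_lists(config):
    """Return {(kind, service, list_name): [methods in written order]}."""
    lists = {}
    for raw in config.splitlines():
        m = AAA_LINE.match(raw.strip())
        if not m:
            continue  # e.g. "aaa new-model" or unrelated lines
        kind, service, name, rest = m.groups()
        tokens, methods, i = rest.split(), [], 0
        while i < len(tokens):
            if tokens[i] == "group" and i + 1 < len(tokens):
                # "group <name>" is a single method (a server group)
                methods.append("group " + tokens[i + 1])
                i += 2
            else:
                methods.append(tokens[i])
                i += 1
        lists[(kind, service, name)] = methods
    return lists


def audit(config):
    """Map login/enable/exec to their default method list, or None if absent."""
    lists = parse_method_lists(config)
    wanted = (("login", ("authentication", "login", "default")),
              ("enable", ("authentication", "enable", "default")),
              ("exec", ("authorization", "exec", "default")))
    return {label: lists.get(key) for label, key in wanted}


if __name__ == "__main__":
    for label, methods in audit(SAMPLE_CONFIG).items():
        print(f"{label:7}", " -> ".join(methods) if methods else "(no default list)")
```

Run against the configuration from the question, this shows a login list and an exec authorization list but no enable authentication list, which is the situation the thread is about.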