Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
17604
Views
15
Helpful
9
Replies

Password Required but None Set (ssh)

Go to solution
Ealey Seto
Level 1
Level 1

‎11-19-2013 07:56 AM - edited ‎03-10-2019 09:06 PM

Hi,

I am stumped...I several 3750x switches (IOS 15.0(2)SE4) configured to authenticate through NPS (radius).  When I ssh into those switches, I can authenticate via Radius successfully.  However, when I type enable, I get this message: password required but none set....password:____.  It will accept my enable password without issues. 

I have 3750g switches and do not encounter this message when typing in my enable password. 

I'm trying to figure out what is causing that message.  This is my configuration for aaa, loging, and line vty:

service password-encryption

aaa new-model

aaa authentication login default group radius local-case

aaa authorization exec default group radius if-authenticated

aaa session-id common

username admin1 privilege 0 password Admin12!@    //changed username & password

enable secret 5 ***************

line vty 0 4

session-timeout 10

logging synchronous

transport preferred none

transport input ssh

transport output none

Thanks,

Ealey

2 people had this problem
Labels:
0 Helpful
2 Accepted Solutions

Accepted Solutions

Go to solution
Richard Burts
Hall of Fame
Hall of Fame

‎11-19-2013 07:05 PM

Ealey

This is a bit of an odd behavior. I suspect that it has something to do with changes in IOS 15.0.

I think that part of the issue is that you have not provided any aaa authentication commands for access to enable mode. Would you want to control access to enable mode through Radius similar to what you do for user mode? Or would you want to just use the enable password. I suspect that if you put that into the configuration that it might solve this issue. It might look like this if you want to use radius

aaa authentication enable default group radius enable

or it might look like this if you want just the enable password

aaa authentication enable default enable

Give one of these a try and let us know if it helps.

HTH

Rick

HTH

Rick

View solution in original post

Go to solution
bmcginn
Level 3
Level 3
In response to Ealey Seto

‎11-20-2013 05:16 PM

Hi there,

Try adding the enable line in.

eg  aaa authentication enable default group radius enable

Regards,

Brad

View solution in original post

9 Replies 9

Go to solution
Richard Burts
Hall of Fame
Hall of Fame

‎11-19-2013 07:05 PM

Ealey

This is a bit of an odd behavior. I suspect that it has something to do with changes in IOS 15.0.

I think that part of the issue is that you have not provided any aaa authentication commands for access to enable mode. Would you want to control access to enable mode through Radius similar to what you do for user mode? Or would you want to just use the enable password. I suspect that if you put that into the configuration that it might solve this issue. It might look like this if you want to use radius

aaa authentication enable default group radius enable

or it might look like this if you want just the enable password

aaa authentication enable default enable

Give one of these a try and let us know if it helps.

HTH

Rick

HTH

Rick

Go to solution
Ealey Seto
Level 1
Level 1
In response to Richard Burts

‎11-20-2013 12:27 PM

Rick,

Thanks for the response.  Since I want the authentication to start with Radius then local, I tried your AAA enable statement to this:

aaa authentication login default group radius local-case enable

No luck.  I'm still getting that statement.  However, I am going to revert back to an eariler IOS to see if it is a quirk with the 15.0(2)SE4. 

I'll let you know if it works. 

Thanks,

Ealey

0 Helpful

Go to solution
bmcginn
Level 3
Level 3
In response to Ealey Seto

‎11-20-2013 05:16 PM

Hi there,

Try adding the enable line in.

eg  aaa authentication enable default group radius enable

Regards,

Brad

Go to solution
Richard Burts
Hall of Fame
Hall of Fame
In response to bmcginn

‎11-21-2013 07:46 AM

Ealey

Thank you for letting us know that you have verified that the behavior is related to the version of code that is running. That is helpful to know.

HTH

Rick

HTH

Rick
0 Helpful

Go to solution
Ealey Seto
Level 1
Level 1
In response to bmcginn

‎11-22-2013 11:27 AM

Brad,

I modified it a bit since we don't use radius for our enable. 

aaa authentication enable default enable

Strange that we have to spell out where our enable password is coming from. 

Thanks,

Ealey

0 Helpful

Go to solution
Richard Burts
Hall of Fame
Hall of Fame
In response to Ealey Seto

‎11-22-2013 02:14 PM

Ealey

I wonder if it has something to do with the fact that you are using a type 5 enable secret. Early versions of 15.0, such as the one that you were running, were going to deprecate the type 5 enable secret in favor of a type 4 enable secret. Cisco has since then changed their position and the type 5 enable secret is still the standard. But I wonder if in that early version of code that was running if the code was not happy about using a type 5 enable secret.

Or maybe it was just a buggy behavior that got corrected. In any case now you have it doing the behavior that you wanted. And that is a good thing

HTH

Rick

HTH

Rick
0 Helpful

Go to solution
richard_artes
Level 1
Level 1
In response to Richard Burts

‎03-13-2019 03:03 AM

aaa authentication enable default enable
worked for me. Thanks!
0 Helpful

Go to solution
Saurav Lodh
Level 7
Level 7

‎11-20-2013 08:57 PM

Pls set the privilege level in the local user database using the following method.

username cisco password cisco

username cisco privilege 15

0 Helpful

Go to solution
Ealey Seto
Level 1
Level 1
In response to Saurav Lodh

‎11-21-2013 06:03 AM

My local username is set at 0. 

Regardless, the message appears with Radius or local login authentication.

Thanks,

Ealey

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents