06-05-2006 05:20 AM - edited 03-10-2019 02:37 PM
Hi Everyone,
I have my RADIUS authentication working for login passwords but not for the enable password. My config is below:
aaa new-model
aaa authentication login default group radius local
aaa accounting network default start-stop group radius
When I add the command:
aaa authentication enable default group radius enable
I would expect it to allow me to enter my RADIUS pw for the enable one too, but it doesn't. Nor does it allow me to enter the locally configured one.
Any help would be great,
Thanks,
Dan
06-06-2006 01:33 AM
Hi
Typically RADIUS is not used for device management - because most RADIUS servers do NOT offer proper authorization.
Even Cisco ACS doesn't do much in the way of authorization for RADIUS.
IAS will not have any concept of IOS enable. Also IAS will want to be doing MSCHAP by default. Enable authentication is basically PAP. So you need IAS to authenticate using plain text, which pretty much rules out using AD as a back end unless you store user passwords in "reversibly encrypted" format inside AD.
Darran
06-05-2006 09:16 AM
Dan
The syntax for authenticating enable looks ok. So if authentication for user level passwords is working I would expect authentication for enable to work also.
Are you sure that the ID you are logging in with is configured in radius to allow enable access?
If you are sure that the user is configured correctly in radius but is not being authenticated by radius then perhaps running debug radius authentication and posting the output of the attempt to authenticate will help us to find the problem.
HTH
Rick
06-06-2006 12:22 AM
Thanks for your reply Rick,
The debug output is below:
L2-SW01>
00:03:02: RADIUS: Authenticating using $enab15$
00:03:02: RADIUS: ustruct sharecount=1
00:03:02: RADIUS: Initial Transmit tty0 id 3 x.x.x.x:1812, Access-Request, len 72
00:03:02: Attribute 4 6 AC14024F
00:03:02: Attribute 5 6 00000000
00:03:02: Attribute 61 6 00000000
00:03:02: Attribute 1 10 24656E61
00:03:02: Attribute 2 18 524FB069
00:03:02: Attribute 6 6 00000006
00:03:02: RADIUS: Received from id 3 x.x.x.x:1812, Access-Reject, len 20
00:03:02: RADIUS: saved authorization data for user E49424 at 93C6DC
L2-SW01>
L2-SW01>
I am using IAS for RADIUS authentication and I cannot find any option to say "allow enable access".
Any ideas?
Cheers,
Dan
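As an added illustration (not code from the thread), a small Python decoder for the "debug radius" attribute lines above. It assumes the 8 hex digits after each attribute are the first four value bytes, as this older IOS debug format prints them, and uses RFC 2865 attribute and Service-Type names. It shows the enable attempt going out as User-Name "$enab15$" with a PAP-style User-Password and Service-Type Administrative-User, which is the request a plain RADIUS server such as IAS has no rule for.

```python
import re
from ipaddress import IPv4Address

# Sample input: the debug lines quoted in the post above.
DEBUG_LINES = """\
00:03:02: RADIUS: Authenticating using $enab15$
00:03:02: RADIUS: Initial Transmit tty0 id 3 x.x.x.x:1812, Access-Request, len 72
00:03:02: Attribute 4 6 AC14024F
00:03:02: Attribute 5 6 00000000
00:03:02: Attribute 61 6 00000000
00:03:02: Attribute 1 10 24656E61
00:03:02: Attribute 2 18 524FB069
00:03:02: Attribute 6 6 00000006
00:03:02: RADIUS: Received from id 3 x.x.x.x:1812, Access-Reject, len 20
""".splitlines()

# RFC 2865 names for the attribute types that appear in the post.
ATTR_NAMES = {1: "User-Name", 2: "User-Password", 4: "NAS-IP-Address",
              5: "NAS-Port", 6: "Service-Type", 61: "NAS-Port-Type"}
SERVICE_TYPES = {1: "Login-User", 2: "Framed-User", 6: "Administrative-User"}

ATTR_RE = re.compile(r"Attribute (\d+) (\d+) ([0-9A-Fa-f]{8})")
ENAB_RE = re.compile(r"Authenticating using \$enab(\d+)\$")

def decode_attribute(line):
    """Return (name, decoded value) for one 'Attribute <type> <len> <hex>' line.
    Assumption: the hex is the first four value bytes; <len> includes the 2-byte header."""
    m = ATTR_RE.search(line)
    if not m:
        return None
    atype, alen, first4 = int(m.group(1)), int(m.group(2)), bytes.fromhex(m.group(3))
    name = ATTR_NAMES.get(atype, f"Attribute-{atype}")
    as_int = int.from_bytes(first4, "big")
    if atype == 4:
        value = str(IPv4Address(first4))
    elif atype == 1:  # username is sent in the clear; only a prefix is visible here
        value = first4.decode("ascii", errors="replace") + ("..." if alen - 2 > 4 else "")
    elif atype == 2:  # PAP: password obfuscated with the shared secret (RFC 2865 5.2)
        value = f"<{alen - 2} bytes, PAP-obfuscated>"
    elif atype == 6:
        value = SERVICE_TYPES.get(as_int, str(as_int))
    else:
        value = str(as_int)
    return name, value

def summarize(lines):
    """Classify the exchange: enable request or not, requested level, and the server verdict."""
    attrs = dict(filter(None, map(decode_attribute, lines)))
    levels = [int(m.group(1)) for l in lines for m in [ENAB_RE.search(l)] if m]
    enable = bool(levels) or attrs.get("User-Name", "").startswith("$enab")
    return {"attrs": attrs, "enable_request": enable, "level": levels[0] if levels else None,
            "pap": "User-Password" in attrs, "rejected": any("Access-Reject" in l for l in lines)}
```

Running summarize(DEBUG_LINES) reports an enable request for level 15, sent as PAP with Service-Type Administrative-User, answered by Access-Reject; that is the exact combination a RADIUS policy has to match before the enable password can be granted centrally.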
06-06-2006 02:17 AM
Thanks Darran,
I have got all encryption methods checked within IAS including plain text.
What would you recommend using instead, TACACS?
Thanks,
Dan
06-08-2006 01:31 PM
Yes, I would use TACACS+ with ACS.
You then don't have to do enable at all. You can configure which ACS groups can use which IOS commands, i.e. centrally.
Every command issued on the device is then authorised individually. This offers a much finer granularity of control.
Darran