RADIUS Authentication for Enable PW

daniel.bowen
Level 1

Hi Everyone,

I have my RADIUS authentication working for login passwords but not for the enable password. My config is below:

aaa new-model
aaa authentication login default group radius local
aaa accounting network default start-stop group radius

When I add the command:

aaa authentication enable default group radius enable

I would expect it to allow me to enter my RADIUS pw for the enable one too, but it doesn't. Nor does it allow me to enter the locally configured one?

Any help would be great,

Thanks,

Dan


Richard Burts
Hall of Fame

Dan

The syntax for authenticating enable looks ok. So if authentication for user level passwords is working I would expect authentication for enable to work also.

Are you sure that the ID you are logging in with is configured in radius to allow enable access?

If you are sure that the user is configured correctly in radius but is not being authenticated by radius then perhaps running debug radius authentication and posting the output of the attempt to authenticate will help us to find the problem.

HTH

Rick


Thanks for your reply Rick,

The debug output is below:

L2-SW01>
00:03:02: RADIUS: Authenticating using $enab15$
00:03:02: RADIUS: ustruct sharecount=1
00:03:02: RADIUS: Initial Transmit tty0 id 3 x.x.x.x:1812, Access-Request, len 72
00:03:02: Attribute 4 6 AC14024F
00:03:02: Attribute 5 6 00000000
00:03:02: Attribute 61 6 00000000
00:03:02: Attribute 1 10 24656E61
00:03:02: Attribute 2 18 524FB069
00:03:02: Attribute 6 6 00000006
00:03:02: RADIUS: Received from id 3 x.x.x.x:1812, Access-Reject, len 20
00:03:02: RADIUS: saved authorization data for user E49424 at 93C6DC
L2-SW01>
L2-SW01>

I am using IAS for RADIUS authentication and I cannot find any option to say "allow enable access".

Any ideas?

Cheers,

Dan

Hi

Typically RADIUS is not used for device management - because most RADIUS servers do NOT offer proper authorization.

Even Cisco ACS doesn't do much in the way of authorization for RADIUS.

IAS will not have any concept of IOS enable. Also IAS will want to be doing MSCHAP by default. Enable authentication is basically PAP. So you need IAS to authenticate using plain text, which pretty much rules out using AD as a back end unless you store user passwords in "reversibly encrypted" format inside AD.

Darran
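As an added illustration (not code from this thread, from Cisco, or from Microsoft IAS), the script below parses the "debug radius" attribute lines Dan posted, transcribed as a constructed sample with the server address still redacted as x.x.x.x, and implements the RFC 2865 section 5.2 User-Password hiding that PAP-style requests such as the IOS enable request use. It shows that the request carries the fixed user name $enab15$, a Service-Type of Administrative-User and a hidden (not hashed) password, and that the server can only verify that password by recovering the plaintext with the shared secret, which is the reason Darran gives for needing a plaintext-comparable credential on the RADIUS side. The shared secret, password and Request Authenticator values in the code are made up.

```python
import hashlib
import os
import re

# Constructed sample, transcribed from the debug output posted in this thread.
# IOS prints only the first four value bytes of each attribute.
DEBUG_SAMPLE = """\
00:03:02: RADIUS: Authenticating using $enab15$
00:03:02: RADIUS: Initial Transmit tty0 id 3 x.x.x.x:1812, Access-Request, len 72
00:03:02: Attribute 4 6 AC14024F
00:03:02: Attribute 5 6 00000000
00:03:02: Attribute 61 6 00000000
00:03:02: Attribute 1 10 24656E61
00:03:02: Attribute 2 18 524FB069
00:03:02: Attribute 6 6 00000006
00:03:02: RADIUS: Received from id 3 x.x.x.x:1812, Access-Reject, len 20
"""

# RFC 2865 attribute types and Service-Type values that appear in the capture.
ATTR_NAMES = {1: "User-Name", 2: "User-Password", 4: "NAS-IP-Address",
              5: "NAS-Port", 6: "Service-Type", 61: "NAS-Port-Type"}
SERVICE_TYPES = {1: "Login-User", 6: "Administrative-User", 7: "NAS-Prompt-User"}
RADIUS_HEADER_LEN = 20  # code, identifier, length, 16-byte Request Authenticator


def enable_username(level=15):
    """IOS authenticates enable against RADIUS with the fixed name $enab<level>$."""
    return f"$enab{level}$"


def decode_prefix(attr_type, prefix):
    """Interpret the four value bytes IOS shows for one attribute."""
    if attr_type == 1:
        return prefix.decode("ascii", errors="replace")
    if attr_type == 2:
        return "<hidden>"  # PAP ciphertext, see hide_user_password()
    if attr_type == 4:
        return ".".join(str(b) for b in prefix)
    if attr_type == 6:
        code = int.from_bytes(prefix, "big")
        return SERVICE_TYPES.get(code, f"Service-Type {code}")
    return prefix.hex()


def parse_debug(text):
    """Return (request, attrs, reply) parsed from IOS 'debug radius' lines."""
    request = reply = None
    attrs = []
    for line in text.splitlines():
        m = re.search(r"Initial Transmit .*?(Access-[A-Za-z]+), len (\d+)", line)
        if m:
            request = {"code": m.group(1), "len": int(m.group(2))}
            continue
        m = re.search(r"Received from .*?(Access-[A-Za-z]+), len (\d+)", line)
        if m:
            reply = {"code": m.group(1), "len": int(m.group(2))}
            continue
        m = re.search(r"Attribute (\d+) (\d+) ([0-9A-Fa-f]+)", line)
        if m:
            t, length = int(m.group(1)), int(m.group(2))
            prefix = bytes.fromhex(m.group(3))
            attrs.append({"type": t, "name": ATTR_NAMES.get(t, f"Attribute-{t}"),
                          "length": length, "value_len": length - 2,
                          "decoded": decode_prefix(t, prefix)})
    return request, attrs, reply


def request_length_consistent(request, attrs):
    """Attribute TLV lengths plus the 20-byte header must equal the packet length."""
    return RADIUS_HEADER_LEN + sum(a["length"] for a in attrs) == request["len"]


def hide_user_password(password, secret, authenticator):
    """Client side of RFC 2865 5.2: XOR each 16-byte chunk with MD5(secret + previous)."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        pad = hashlib.md5(secret + prev).digest()
        chunk = bytes(p ^ q for p, q in zip(padded[i:i + 16], pad))
        out += chunk
        prev = chunk
    return out


def reveal_user_password(hidden, secret, authenticator):
    """Server side: recover the plaintext (trailing NUL padding stripped) and
    compare it, which requires a plaintext-comparable stored credential."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        pad = hashlib.md5(secret + prev).digest()
        chunk = hidden[i:i + 16]
        out += bytes(p ^ q for p, q in zip(chunk, pad))
        prev = chunk
    return out.rstrip(b"\x00")


if __name__ == "__main__":
    req, attrs, rep = parse_debug(DEBUG_SAMPLE)
    for a in attrs:
        print(f"{a['name']:15} len={a['length']:2} value={a['decoded']}")
    print(req["code"], "->", rep["code"], "lengths ok:", request_length_consistent(req, attrs))
    auth = os.urandom(16)  # constructed Request Authenticator
    hidden = hide_user_password(b"enable-pw", b"shared-secret", auth)
    print("User-Password attribute length:", 2 + len(hidden))
```

Running it shows Attribute 1 with length 10, which is exactly 2 header bytes plus the 8 characters of $enab15$, Attribute 2 with a 16-byte ciphertext (one MD5 block, so any password of up to 16 characters produces the same length 18 seen in the debug), and Service-Type 6 (Administrative-User). The Access-Reject then has to be explained on the server side: the server must recognise the $enab15$ user name and be able to compare the recovered PAP password, which an MS-CHAP-only policy or an AD account without reversible encryption cannot do.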

Thanks Darran,

I have got all encryption methods checked within IAS including plain text.

What would you recommend using instead, TACACS?

Thanks,

Dan

Yes, I would use TACACS+ with ACS.

You then don't have to do enable at all. You can configure which ACS groups can use which IOS commands, i.e. centrally.

Every command issued on the device is then authorised individually. This offers a much finer granularity of control.

Darran