Hi,

I'm configuring Role-Based CLI Views on a router for limiting access to users.

My criteria:

- There should be a local user account on the router that has the view 'service' attached to it

- If the router is online and can reach the radius server, people in the correct group are assigned the view 'service'

My configuration:

aaa new-model

enable secret 1234

username service view service secret 1234

!

aaa group server radius my_radius
server-private 10.1.1.1 auth-port 1645 acct-port 1646 timeout 3 retransmit 2 key 0 1234
server-private 10.1.1.2 auth-port 1645 acct-port 1646 timeout 2 retransmit 1 key 0 1234

!

aaa authorization console
aaa authentication login mgmt group my_radius local
aaa authorization exec mgmt group my_radius local

!
line con 0
authorization exec mgmt
logging synchronous
login authentication mgmt
line vty 0 4
authorization exec mgmt
logging synchronous
login authentication mgmt
transport input ssh

The ERROR

Now I want to go configure the cli view 'service'...

# enable view

Password: 1234

*Jun  1 08:00:02.991: AAA/AUTHEN/VIEW (0000000D): Pick method list 'mgmt'
*Jun  1 08:00:02.991: RADIUS/ENCODE(0000000D): ask "Password: "
*Jun  1 08:00:02.991: RADIUS/ENCODE(0000000D): send packet; GET_PASSWORD
*Jun  1 08:00:21.011: RADIUS: Received from id 1645/13 10.1.1.1:1645, Access-Reject, len 20

The Questions

Why does the 'enable view' try to pick a method list when you have to supply the enable secret to access the root view?

Can you change this behaviour to always use the enable secret?

The TEMP Solution

If you're logged on to the router via telnet or SSH, the solution or workaround to this issue is:

aaa authentication login VIEW_CONFG local

!

line vty 0 4

login authentication VIEW_CONFG

Do your configuration of the view and re-configure the line to use the correct (wanted) method of authentication.

________________________________

Thanks so much for the suggestions

/JZN