I have RSA Security Server 5.0... with Radius enabled. I want to set up all my Cisco routers to prompt me for username and password for anyone who tries to telnet in or console in. Most of my routers are 2600 with IOS 12.2(8)T4.
I have been able to get it to prompt me for username/password at telnet and console, and it works with the RSA server, with the following config:
aaa new-model
radius-server host 123.45.67.89 key cisco
aaa group server radius loginrad
 server 123.45.67.89
aaa authentication login default group loginrad
When I try to set a security check on enable, it does not work. When I issue the command "enable" it just prompts me for a password only, and not the username. When I input my PIN+(# from token), it sends $enab15$ as the username and my password to the RSA server.
I have two questions:
1. How do I configure my router or RSA server so it prompts me for a username, or have the router or RSA server remember which user I have logged in as?
2. I also want to limit which users can go into "enable" mode. What I mean is I don't want all of my IT staff who have RSA SecurID tokens to be able to enter "Enable mode", but I want them to be able to telnet in and be able to do simple commands like ping, traceroute...
Thanks for any and all the help.
-Rajeev