enable auth with radius for console

jessica jestol
Level 1

I have aaa setup to use radius on my switches. The radius server sends an AV-pair for priv-lvl=15. SSH works fine. HTTPS works fine (I have one SMB SG300 and the CLI is too painful to use.) When I console in, I can authenticate the user but, it defaults to privilege level 1. I try to enable using both the enable password and/or the user password and neither will work. What am I missing? I'd prefer not to use a local account for console access unless the radius servers are unavailable.

 

#sh run aaa
!
aaa authentication login default group ADAAA local
aaa authorization exec default group ADAAA if-authenticated
aaa accounting exec default start-stop group ADAAA
aaa accounting system default start-stop group ADAAA
!
aaa group server radius ADAAA
 server-private 192.168.X.X auth-port 1812 acct-port 1813 key 7 blahblahblah
 server-private 172.16.X.X auth-port 1812 acct-port 1813 key 7 blahblahblah
 server-private 172.16.X.X auth-port 1812 acct-port 1813 key 7 blahblahblah
!
!
aaa new-model
aaa session-id common
!
!

#sh run | i aaa
aaa new-model
aaa group server radius ADAAA
aaa authentication login default group ADAAA local
aaa authorization exec default group ADAAA if-authenticated
aaa accounting exec default start-stop group ADAAA
aaa accounting system default start-stop group ADAAA
aaa session-id common
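
A worked example, added here and not part of the original post, that encodes and decodes the RADIUS Cisco-AVPair which carries the privilege level; IOS expects the full string shell:priv-lvl=15 inside a Vendor-Specific attribute (type 26, vendor ID 9). It is useful for checking, for instance from a capture of the Access-Accept, which level the server actually returned. The sample Access-Accept attribute list is constructed, not taken from the thread.

```python
import struct

RADIUS_VSA_TYPE = 26     # Vendor-Specific attribute (RFC 2865, section 5.26)
CISCO_VENDOR_ID = 9      # Cisco's IANA enterprise number
CISCO_AVPAIR_TYPE = 1    # Cisco-AVPair vendor attribute type
SERVICE_TYPE = 6         # Service-Type attribute; value 7 = NAS-Prompt-User

def build_cisco_avpair(value: str) -> bytes:
    """Encode one Cisco-AVPair string as a RADIUS Vendor-Specific attribute."""
    payload = value.encode("ascii")
    # Vendor-Type and Vendor-Length (the length counts itself, the type byte and the string)
    vendor_data = struct.pack("!BB", CISCO_AVPAIR_TYPE, 2 + len(payload)) + payload
    body = struct.pack("!I", CISCO_VENDOR_ID) + vendor_data
    return struct.pack("!BB", RADIUS_VSA_TYPE, 2 + len(body)) + body  # outer TLV

def parse_attributes(data: bytes):
    """Walk a RADIUS attribute list (Type, Length, Value), yielding (type, value)."""
    pos = 0
    while pos < len(data):
        if pos + 2 > len(data):
            raise ValueError("truncated attribute header")
        atype, alen = data[pos], data[pos + 1]
        if alen < 2 or pos + alen > len(data):
            raise ValueError("bad attribute length")
        yield atype, data[pos + 2:pos + alen]
        pos += alen

def cisco_avpairs(data: bytes):
    """Yield the Cisco-AVPair strings found in Cisco Vendor-Specific attributes."""
    for atype, value in parse_attributes(data):
        if atype != RADIUS_VSA_TYPE or len(value) < 6:
            continue
        if struct.unpack("!I", value[:4])[0] != CISCO_VENDOR_ID:
            continue  # another vendor's VSA (e.g. Microsoft); not relevant here
        for vtype, vvalue in parse_attributes(value[4:]):  # vendor data is its own TLV list
            if vtype == CISCO_AVPAIR_TYPE:
                yield vvalue.decode("ascii", "replace")

def privilege_level(data: bytes) -> int:
    """Privilege level IOS would grant from the Access-Accept attributes."""
    # IOS reads "shell:priv-lvl=N"; with no such pair the exec session starts at level 1
    for pair in cisco_avpairs(data):
        if pair.startswith("shell:priv-lvl="):
            return int(pair.split("=", 1)[1])
    return 1

# Constructed sample Access-Accept attribute list: Service-Type NAS-Prompt-User
# followed by the Cisco-AVPair that should land the user at privilege 15.
SAMPLE_ACCEPT = struct.pack("!BBI", SERVICE_TYPE, 6, 7) + build_cisco_avpair("shell:priv-lvl=15")
```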

 

11 Replies

Richard Burts
Hall of Fame

Based on the little bit of config that you posted I would expect the enable password to get you into privilege mode - assuming that the enable password is configured. Perhaps if you post a more complete config (especially including all the line configuration) we might see something to explain the issue.

 

HTH

 

Rick

Thanks for the quick response Rick. I don't have anything specific regarding login in the line configurations.

line con 0
 exec-timeout 30 0
 logging synchronous
 transport preferred none
 escape-character 3
line vty 0 4
 access-class VTY-in in
 exec-timeout 30 0
 logging synchronous
 transport preferred none
 transport input ssh
 escape-character 3
line vty 5 15
 access-class VTY-in in
 exec-timeout 30 0
 logging synchronous
 transport preferred none
 transport input ssh
 escape-character 3

#sh run | i user
username admin secret 8 $8$Ma
#sh run | i ena
enable secret 5 $1$Vkb

 If you want to see the whole config, it will take me a while because I'll have to scrub it and it's really long.

Thanks for posting the configuration of the lines. If the config is long it may not be worth the effort to scrub it. We will see if we can come up with something without seeing the complete config. 

 

Am I correct in understanding that you are logging in using a username that is authenticated by your Radius server (and not the user configured on the device for local authentication)? And am I correct in understanding that when you access using SSH that you login successfully and are placed directly into privilege mode? And when you login on the console the authentication is successful (you use your Radius password) and you are placed into user mode? In user mode does the enable command work? When you enter the enable command do you get a prompt asking for the password? If you get a prompt, enter the password but do not get into privilege mode is it possible that you do not have the correct enable secret password?

 

HTH

 

Rick

No problem. Yes, everything you have stated is correct. When I enter the enable command, I get prompted for the password. I enter the enable password and it fails. I also tried the radius user's password and it fails. I have reset the enable password to "test1" and I still failed to enter privileged mode.

Thanks for the clarification. If you enter the enable command, get the prompt, enter the enable password, and it fails then it sounds like you do not have the correct enable password. Would you post the exact syntax of what you type in when you are setting the enable secret to test1?

 

HTH

 

Rick

"enable secret test1"

 

Just FYI,

WS-C2960S-48TS-S   15.0(2)SE10           C2960S-UNIVERSALK9-M

Thanks for the additional information. Yes, that syntax should work (some people like to use the optional parameter to specify the type of encryption and I wanted to be sure you were not doing that). When you change it and just hit enter, is there any type of response or do you just get the prompt? If that is not working then something strange is going on. I would suggest as the next step to debug aaa authentication. Login using SSH, make sure that logging monitor is enabled (and perhaps logging buffered if we might want to look at output after the testing is complete), do terminal monitor, debug aaa authentication, leave the SSH session running so you see the output while you access the console, login, and attempt enable.

 

HTH

 

Rick

Correct. No errors. I just get returned to the prompt. And AAA/radius debugging was my next step; I was just hoping I was missing something simple.

Only other simple thing I can think of would be to change enable secret to test1, show run and copy the encrypted value of enable secret, then change enable secret to cisco123, show run, compare the encrypted value of enable secret, make sure that it did change.

 

HTH

 

Rick

The other simple thing that I can think of is the possibility that SSH might not go to the switch you expect (perhaps far fetched but it did happen to me once). Perhaps do your SSH, change the host name, access the console, login, check the host name.

 

HTH

 

Rick

Hello

 

try amending the username privilege level.

 

aaa authorization exec default group ADAAA local

username admin priv 15 secret $8$Ma


Kind Regards
Paul