08-14-2018 12:53 PM - edited 03-03-2019 08:52 AM
I have AAA set up to use RADIUS on my switches. The RADIUS server sends an AV pair for priv-lvl=15. SSH works fine. HTTPS works fine (I have one SMB SG300, and the CLI is too painful to use). When I console in, I can authenticate the user, but it defaults to privilege level 1. I try to enable using both the enable password and/or the user password, and neither works. What am I missing? I'd prefer not to use a local account for console access unless the RADIUS servers are unavailable.
#sh run aaa
!
aaa authentication login default group ADAAA local
aaa authorization exec default group ADAAA if-authenticated
aaa accounting exec default start-stop group ADAAA
aaa accounting system default start-stop group ADAAA
!
aaa group server radius ADAAA
server-private 192.168.X.X auth-port 1812 acct-port 1813 key 7 blahblahblah
server-private 172.16.X.X auth-port 1812 acct-port 1813 key 7 blahblahblah
server-private 172.16.X.X auth-port 1812 acct-port 1813 key 7 blahblahblah
!
!
aaa new-model
aaa session-id common
!
!
#sh run | i aaa
aaa new-model
aaa group server radius ADAAA
aaa authentication login default group ADAAA local
aaa authorization exec default group ADAAA if-authenticated
aaa accounting exec default start-stop group ADAAA
aaa accounting system default start-stop group ADAAA
aaa session-id common
08-14-2018 01:33 PM
Based on the little bit of config that you posted, I would expect the enable password to get you into privilege mode, assuming that the enable password is configured. Perhaps if you post a more complete config (especially including all the line configuration), we might see something to explain the issue.
HTH
Rick
08-14-2018 01:52 PM - edited 08-14-2018 01:52 PM
Thanks for the quick response Rick. I don't have anything specific regarding login in the line configurations.
line con 0
exec-timeout 30 0
logging synchronous
transport preferred none
escape-character 3
line vty 0 4
access-class VTY-in in
exec-timeout 30 0
logging synchronous
transport preferred none
transport input ssh
escape-character 3
line vty 5 15
access-class VTY-in in
exec-timeout 30 0
logging synchronous
transport preferred none
transport input ssh
escape-character 3
#sh run | i user
username admin secret 8 $8$Ma
#sh run | i ena
enable secret 5 $1$Vkb
If you want to see the whole config, it will take me a while because I'll have to scrub it and it's really long.
08-14-2018 02:21 PM
Thanks for posting the configuration of the lines. If the config is long it may not be worth the effort to scrub it. We will see if we can come up with something without seeing the complete config.
Am I correct in understanding that you are logging in using a username that is authenticated by your RADIUS server (and not the user configured on the device for local authentication)? And am I correct in understanding that when you access using SSH you log in successfully and are placed directly into privilege mode? And when you log in on the console, the authentication is successful (you use your RADIUS password) and you are placed into user mode? In user mode, does the enable command work? When you enter the enable command, do you get a prompt asking for the password? If you get a prompt, enter the password, but do not get into privilege mode, is it possible that you do not have the correct enable secret password?
HTH
Rick
08-14-2018 02:38 PM
No problem. Yes, everything you have stated is correct. When I enter the enable command, I get prompted for the password. I enter the enable password and it fails. I also tried the radius users password and it fails. I have reset the enable password to "test1" and I still failed to enter privileged mode.
08-14-2018 02:44 PM
Thanks for the clarification. If you enter the enable command, get the prompt, enter the enable password, and it fails then it sounds like you do not have the correct enable password. Would you post the exact syntax of what you type in when you are setting the enable secret to test1?
HTH
Rick
08-14-2018 02:56 PM
"enable secret test1"
Just FYI,
WS-C2960S-48TS-S 15.0(2)SE10 C2960S-UNIVERSALK9-M
08-14-2018 03:12 PM
Thanks for the additional information. Yes, that syntax should work (some people like to use the optional parameter to specify the type of encryption, and I wanted to be sure you were not doing that). When you change it and just hit enter, is there any type of response, or do you just get the prompt? If that is not working, then something strange is going on. I would suggest as the next step to debug AAA authentication: log in using SSH, make sure that logging monitor is enabled (and perhaps logging buffered, if we might want to look at output after the testing is complete), do terminal monitor, debug aaa authentication, leave the SSH session running so you see the output while you access the console, log in, and attempt enable.
HTH
Rick
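The capture procedure Rick describes, written out as an added example that is not part of any post in this thread. It adds two debugs he does not mention (debug aaa authorization and debug radius), because the symptom here is a privilege level, not a failed login, and the priv-lvl attribute the server returns only appears in the authorization and RADIUS debug output. The buffer size and the "include" filter are assumptions; adjust them to taste.

```cisco
! Added example, not from the original thread. Run everything below from the
! SSH session that already lands in privilege 15, then log in on the console.
!
! Keep a copy of the debug output in the log buffer so it can be reviewed
! after the test with "show logging" (size is an assumption).
configure terminal
 logging buffered 65536 debugging
 logging monitor debugging
 end
! Send log/debug messages to this (SSH) terminal session.
terminal monitor
! Login exchange (what Rick suggested) plus the exec authorization decision
! and the raw RADIUS attributes, which is where priv-lvl=15 shows up.
debug aaa authentication
debug aaa authorization
debug radius
!
! ... now, on the console: log in with the RADIUS account, run
!     show privilege
! to see the level the exec was started with, then try "enable".
!
! Back on the SSH session when finished: stop the debugs (they are not
! free on a 2960S) and pull the relevant lines from the buffer.
undebug all
show logging | include AAA|RADIUS
```

Watch for whether an AAA/AUTHOR line appears at all for the console login: if authorization is never attempted for line con 0, the server's priv-lvl value cannot be applied, regardless of what it returns.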
08-14-2018 03:24 PM
Correct. No errors; I just get returned to the prompt. And AAA/RADIUS debugging was my next step; I was just hoping I was missing something simple.
08-14-2018 03:30 PM
The only other simple thing I can think of would be to change enable secret to test1, show run and copy the encrypted value of enable secret, then change enable secret to cisco123, show run, compare the encrypted value of enable secret, and make sure that it did change.
HTH
Rick
08-14-2018 03:41 PM
The other simple thing that I can think of is the possibility that SSH might not go to the switch you expect (perhaps far-fetched, but it did happen to me once). Perhaps do your SSH, change the host name, access the console, log in, and check the host name.
HTH
Rick
08-15-2018 12:04 AM
Hello,
Try amending the username privilege level.
aaa authorization exec default group ADAAA local
username admin privilege 15 secret 8 $8$Ma
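The configuration the reply suggests, extended into a complete console AAA block as an added example (not from any post in this thread). The one line the original config is missing for the console case is aaa authorization console: IOS applies the exec authorization method list to vty lines by default but does not apply it to line con 0 until that command is present, which matches the symptom of SSH landing in privilege 15 while the console lands in privilege 1. The group name ADAAA is the poster's; the local password is a placeholder.

```cisco
! Added example, not from the original thread. Assumes the RADIUS server
! group ADAAA from the poster's config and that it returns priv-lvl=15.
aaa new-model
aaa authentication login default group ADAAA local
!
! Exec authorization falls back to the local user database (the reply's
! suggestion). Note the change from the original "if-authenticated": with
! "local", a console login that cannot reach RADIUS gets the privilege level
! of the matching local account, not automatic exec access for any
! authenticated user.
aaa authorization exec default group ADAAA local
!
! Without this, the exec authorization list above is never consulted for
! line con 0, so the priv-lvl AV pair from RADIUS is ignored on the console
! even though the same user gets privilege 15 over SSH.
aaa authorization console
!
! Local fallback account; "privilege 15" is what the reply adds. Replace the
! placeholder with a real secret (IOS hashes it on entry).
username admin privilege 15 secret LOCAL-FALLBACK-PASSWORD
!
! Verification, from the console after logging in with the RADIUS account:
!   show privilege      -> "Current privilege level is 15"
!   show users          -> confirms which line and user you are on
```

With the exec authorization list actually applied to the console, the RADIUS account should land directly in privilege 15, and the enable prompt is no longer part of the normal path; the enable secret remains as the fallback for a local login that starts at level 1.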