Hello all,

I authenticate my switches over an ISE acting as radius server.

When I connect with ssh, everything works well. My radius server return priv15 and I am logged directly in privilege 15.

But the weird thing when I try to connect through the console cable, I get authenticate, the radius server return me the priv15 but the switch ask me to put the "enable" command. When I issue this command, I get rejected because the radius server is not able to find the object "$enab15$" that sounds logical.

So do you have any idea why I can't log with the console cable directly in privilege 15 ?

You can find below my configuration:

aaa new-model
aaa group server radius RADIUS-SERVERS
aaa authentication login default group RADIUS-SERVERS local
aaa authentication enable default group RADIUS-SERVERS enable
aaa authentication dot1x default group RADIUS-SERVERS
aaa authorization exec default group RADIUS-SERVERS if-authenticated
aaa authorization network default group RADIUS-SERVERS if-authenticated
aaa accounting send stop-record authentication failure
aaa accounting update newinfo periodic 55
aaa accounting exec default start-stop group RADIUS-SERVERS
aaa accounting connection default start-stop group RADIUS-SERVERS
aaa accounting system default start-stop group RADIUS-SERVERS
no aaa accounting system guarantee-first
aaa session-id common
!
line con 0
 logging synchronous
 escape-character 3
 stopbits 1
line vty 0 4
 logging synchronous
 transport input ssh
 escape-character 3
line vty 5 15
 logging synchronous
 transport input ssh
 escape-character 3
!

Have a nice day,

Alex