"ip radius source loop0" not working for enable?

pavlosd
Level 2

Hi All,

We have recently upgraded one of our routers to version 12.2SR.

One of the problems we are facing is that radius authentication is not working correctly for the enable part.

We are using the loopback address as the source.

ip radius source-interface Loopback0

While for user authentication the request from the router uses the loopback address, for enable it uses the physical address!!! We tried to remove and re-add all the aaa commands, but it is the same thing. This is not the case for older versions, i.e. 12.2SX.

Find below the aaa and radius commands.

aaa new-model
aaa authentication login my_radius group radius local
aaa authentication enable default group radius enable
aaa session-id common
no cns aaa enable
aaa authentication login my_radius group radius local
aaa authentication enable default group radius enable
ip radius source-interface Loopback0
radius-server host 1.1.1.1 auth-port 1812 acct-port 1813 key 7 xxxxxxxxxx

3 Replies

Jagdeep Gambhir
Level 10

It is not a radius source issue.

Enable authentication was actually designed to work with TACACS. In IOS devices, when we do "enable" authentication using the Radius protocol, the username sent to the Radius server (ACS) is not the one with which you logged in. It is "$enab15$"; if you check the failed logs, I am sure you'll see that username. In the case of Radius, you would be required to create a user account with the username "$enab15$" and use the password for this account to be able to log into enable privilege mode.

Regards,

~JG

Do rate helpful posts

Hi JG,

We have already defined the "$enab15$" user. As I told you, the problem is that user authentication is using the loopback address as the source, while enable is using the local interface address. I can confirm this because we added the local address to the radius till we sort out the problem.

Hi,

It seems we are hitting this bug:

ip radius source-interface ignored during enable authentication

http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?caller=pluginredirector&method=fetchBugDetails&bugId=CSCsg01035

Regards,

~JG

Do rate helpful posts
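The symptom in this thread (the "$enab15$" Access-Request leaving from the physical interface while login requests leave from Loopback0) can be confirmed from a capture on the RADIUS server side rather than by adding the physical address as a NAS client. The following is an added example, not code from the thread or from Cisco: it parses the RADIUS header and attribute TLVs (RFC 2865 layout) of each Access-Request and reports every request whose source IP is not the configured loopback. The IP addresses, usernames and packet bytes are constructed sample data, not values from the thread.

```python
import struct
from typing import Dict, List, Tuple

ACCESS_REQUEST = 1   # RADIUS Code for Access-Request
ATTR_USER_NAME = 1   # RADIUS attribute type User-Name

def build_access_request(ident: int, username: str) -> bytes:
    """Constructed sample Access-Request: header, zeroed authenticator, one User-Name TLV."""
    attrs = bytes([ATTR_USER_NAME, 2 + len(username)]) + username.encode()
    length = 20 + len(attrs)                      # 4-byte header + 16-byte authenticator
    return struct.pack("!BBH", ACCESS_REQUEST, ident, length) + bytes(16) + attrs

def parse_radius(raw: bytes) -> Dict:
    """Parse a RADIUS packet into code, identifier and a {type: value} attribute map."""
    if len(raw) < 20:
        raise ValueError("short RADIUS packet")
    code, ident, length = struct.unpack("!BBH", raw[:4])
    if length < 20 or length > len(raw):
        raise ValueError("bad RADIUS length field")
    attrs: Dict[int, bytes] = {}
    pos = 20
    while pos + 2 <= length:                      # each attribute is Type, Length, Value
        atype, alen = raw[pos], raw[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("malformed attribute")
        attrs[atype] = raw[pos + 2:pos + alen]
        pos += alen
    return {"code": code, "id": ident, "attrs": attrs}

def non_loopback_requests(packets: List[Tuple[str, bytes]], loopback_ip: str) -> List[Tuple[str, str]]:
    """Return (source IP, User-Name) for every Access-Request not sourced from loopback_ip.
    A "$enab15$" entry here is the enable request ignoring 'ip radius source-interface'."""
    found = []
    for src_ip, raw in packets:
        pkt = parse_radius(raw)
        if pkt["code"] != ACCESS_REQUEST:
            continue
        user = pkt["attrs"].get(ATTR_USER_NAME, b"").decode(errors="replace")
        if src_ip != loopback_ip:
            found.append((src_ip, user))
    return found

# Constructed capture: loopback is 10.255.0.1, physical interface is 192.0.2.10.
SAMPLE_CAPTURE = [
    ("10.255.0.1", build_access_request(1, "alice")),      # login request, correct source
    ("192.0.2.10", build_access_request(2, "$enab15$")),   # enable request, wrong source
]

if __name__ == "__main__":
    for src, user in non_loopback_requests(SAMPLE_CAPTURE, "10.255.0.1"):
        print(f"Access-Request for {user!r} sourced from {src}, not the loopback")
```

On a real capture, feed the function (source IP, UDP payload) pairs taken from the RADIUS server's packet capture and compare the result with the router's configured source interface.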