Why do my firewalls only use the domain username and password for login and enable passwords, not a different enable password like my switches do? The RADIUS config looks the same...

chris
Level 1

Issue:

Cisco firewalls require only one level of password, i.e. the domain username and password are used both for logging in and for reaching global configuration mode.

Background:

We have multiple Cisco network devices set up which authenticate to our Windows domain controller using NPS (Windows 2008 R2). The switches we have set up all function exactly as we would hope, as they require your domain username and password to log in to the device. They then require a separate password when you use the enable command; this is stored in Active Directory:

Switches:

Username: domain-username
Password: domain-password
SWITCH>enable
Password: enable-password-in-Active-Directory
SWITCH#

Firewalls (as they currently are):

Username: domain-username
Password: domain-password
FIREWALL>enable
Password: domain-password
FIREWALL#

With the firewalls, however, they require your domain username and password first, and then your domain password again when using the enable command. I want the firewalls to use the enable-level password that the switches currently use instead of the domain password again. The current configurations look like the following:

Current switch configuration:

aaa new-model
aaa authentication login default group radius local
aaa authentication enable default group radius enable
aaa authorization exec default group radius local
aaa session-id common
radius-server host 192.168.0.1 auth-port 1645 acct-port 1646
radius-server source-ports 1645-1646
radius-server key 7 1234abcd

Current firewall configuration:

aaa-server DC01 protocol radius
aaa-server DC01 (outside) host 192.168.0.1
 key 1234abcd
aaa authentication ssh console DC01 LOCAL
aaa authentication enable console DC01 LOCAL

Any help would be great, thanks!


fadlouni
Level 1

Hi.

Unfortunately, the AAA subsystems on the routers/switches are different from the ones on the ASA/FWSM/PIX.

So there is no way to change the behaviour of the firewalls to match that of your switches.

Best Regards,

Fadi.

Does this answer your question? If yes, please mark it as resolved.
