10-10-2007 12:22 PM - edited 03-05-2019 07:00 PM
I have RADIUS configured and pointing to a Microsoft IAS server. SSH and HTTP work fine using RADIUS. When connecting to the 4507 via console, we can log in with RADIUS credentials, but it moves into unprivileged mode. When we go into enable mode, the password that we send is invalid. I know that the username being sent is "$enab15$" and that is not recognized by IAS.
I simply want to turn off RADIUS on the console authentication. Any help is appreciated!
See below for relevant config:
**************************
aaa new-model
aaa authentication attempts login 5
aaa authentication login default group radius local-case
aaa authentication enable default group radius enable
aaa authorization exec default group radius if-authenticated
aaa session-id common
ip http authentication aaa login-authentication default
!
radius-server host 192.168.0.147 auth-port 1645 acct-port 1646 key 7 blahblahblah
radius-server source-ports 1645-1646
radius-server timeout 20
!
line con 0
password 7 ohnoyoudont
stopbits 1
**************************
10-10-2007 12:33 PM
Astro,
Enable authentication was meant to function with TACACS, and when used with RADIUS it does not perform the same. As a result, the only way for you to get enable authentication to work with RADIUS would be to input the username $enab15$ into your RADIUS server and every user would need to use that username.
So you need to set up a user $enab15$ in IAS server.
Regards,
~JG
Please rate helpful posts
10-10-2007 12:41 PM
That defeats the purpose of what I'm trying to do.
I'd like to remove RADIUS auth from the console port entirely. Any suggestions?
10-10-2007 12:48 PM
Need to set method list
aaa authentication login console local-case
line console 0
login authentication console
Regards,
~JG
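An added example, not part of the original posts or of any Cisco tooling: a small Python check that reads an IOS configuration and reports which login method list each line resolves to, using the AAA lines from the question and the method list from the reply above. The function names and the `line vty 0 4` entry are assumptions made for illustration.

```python
import re

# Constructed sample: AAA lines quoted in the question, plus an assumed vty line.
BEFORE = """\
aaa new-model
aaa authentication attempts login 5
aaa authentication login default group radius local-case
aaa authentication enable default group radius enable
!
line con 0
 stopbits 1
!
line vty 0 4
"""
# The commands from the reply, entered on top of the config above.
AFTER = BEFORE + """\
aaa authentication login console local-case
line console 0
 login authentication console
"""

def parse_methods(text):
    """Split an AAA method string, keeping 'group <name>' as one method."""
    tokens, methods = text.split(), []
    while tokens:
        tok = tokens.pop(0)
        methods.append(f"{tok} {tokens.pop(0)}" if tok == "group" and tokens else tok)
    return methods

def audit_aaa(config):
    """Return ({line: login methods}, enable methods) for an IOS config."""
    login_lists, line_list, enable, current = {}, {}, [], None
    for raw in config.splitlines():
        cmd = raw.strip()
        if m := re.match(r"aaa authentication login (\S+) (.+)", cmd):
            login_lists[m.group(1)] = parse_methods(m.group(2))
        elif m := re.match(r"aaa authentication enable default (.+)", cmd):
            enable = parse_methods(m.group(1))
        elif m := re.match(r"line (con|console|vty|aux)\b\s*(.*)", cmd):
            current = f"{m.group(1)[:3]} {m.group(2)}".strip()
            line_list.setdefault(current, "default")  # no explicit list: default applies
        elif cmd.startswith("!"):
            current = None
        elif current and (m := re.match(r"login authentication (\S+)", cmd)):
            line_list[current] = m.group(1)
    return {ln: login_lists.get(name, []) for ln, name in line_list.items()}, enable

if __name__ == "__main__":
    for label, cfg in (("before", BEFORE), ("after", AFTER)):
        print(label, *audit_aaa(cfg))
```

In the "after" result the console resolves to `local-case` only, while the vty line still tries RADIUS first. The enable list is unchanged and still names `group radius` first.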
10-10-2007 12:57 PM
Didn't try that, but setting the privilege level to 15 on the console port resolves my issue.
Any arguments for doing that?
Thanks for your responses...
10-10-2007 01:01 PM
That didn't bypass radius, and I guess you wanted that console login should not go to radius.
Regards,
~JG
10-10-2007 01:06 PM
Yeah, I'm still authenticating via RADIUS, with LOCAL being the backup, and I'm able to get into enable mode immediately.
Again, thanks for your responses...
10-10-2007 01:19 PM
Well your question and end result did not match at all.
You asked "I'd like to remove RADIUS auth from the console port entirely. Any suggestions?"
Radius is still in the picture and it will fall back to local in case radius is not reachable.
Anyways glad to know your issue is fixed.
10-10-2007 01:37 PM
Alright, alright...you still got your "cookie" rating...
Thanks for your help...