
4507, RADIUS, console logs in but no enable

astroman
Level 1

I have RADIUS configured and pointing to a Microsoft IAS server. SSH and HTTP work fine using RADIUS. When connecting to the 4507 via console, we can log in with RADIUS credentials, but it moves into unprivileged mode. When we go into enable mode, the password that we send is invalid. I know that the username being sent is "$enab15$" and that is not recognized by IAS.

I simply want to turn off RADIUS on the console authentication. Any help is appreciated!

See below for relevant config:

**************************
aaa new-model
aaa authentication attempts login 5
aaa authentication login default group radius local-case
aaa authentication enable default group radius enable
aaa authorization exec default group radius if-authenticated
aaa session-id common
ip http authentication aaa login-authentication default
!
radius-server host 192.168.0.147 auth-port 1645 acct-port 1646 key 7 blahblahblah
radius-server source-ports 1645-1646
radius-server timeout 20
!
line con 0
 password 7 ohnoyoudont
 stopbits 1
**************************

8 Replies

Jagdeep Gambhir
Level 10

Astro,

Enable authentication was meant to function with TACACS, and when used with RADIUS it does not perform the same. As a result, the only way for you to get enable authentication to work with RADIUS would be to input the username $enab15$ into your RADIUS server and every user would need to use that username.

So you need to set up a user $enab15$ in IAS server.

Regards,

~JG

Please rate helpful posts

That defeats the purpose of what I'm trying to do.

I'd like to remove RADIUS auth from the console port entirely. Any suggestions?

Need to set method list

aaa authentication login console local-case
line console 0
 login authentication console

Regards,

~JG

Didn't try that, but setting the privilege level to 15 on the console port resolves my issue.

Any arguments for doing that?

Thanks for your responses...

That didn't bypass radius, and I guess you wanted that console login should not go to radius.

Regards,

~JG

Yeah, I'm still authenticating via RADIUS, with LOCAL being the backup, and I'm able to get into enable mode immediately.

Again, thanks for your responses...

Well, your question and end result did not match at all.

You asked "I'd like to remove RADIUS auth from the console port entirely. Any suggestions?"

Radius is still in the picture and it will fall back to local in case radius is not reachable.

Anyways glad to know your issue is fixed.

Alright, alright...you still got your "cookie" rating...

Thanks for your help...
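
As an added example (not written by any poster in this thread): a small Python check that reads an IOS configuration and reports which login method list each line resolves to, whether the enable password is sent to RADIUS, and whether a line starts at privilege level 15. The sample config is constructed from the lines quoted above, and the parser assumes the usual `show running-config` indentation under `line` blocks.

```python
import re

# Constructed sample: AAA lines quoted in the thread plus the console
# method list suggested in the reply; the vty block is an assumption.
SAMPLE_CONFIG = """\
aaa new-model
aaa authentication login default group radius local-case
aaa authentication login console local-case
aaa authentication enable default group radius enable
!
line con 0
 login authentication console
 stopbits 1
line vty 0 4
 transport input ssh
"""

def audit_aaa(config):
    """Return (login methods per line, enable methods, findings)."""
    login_lists, enable_methods, lines, current = {}, [], {}, None
    for raw in config.splitlines():
        text = raw.strip()
        if not text:
            continue  # tolerate blank lines between commands
        m = re.match(r"aaa authentication login (\S+) (.+)", text)
        if m:
            login_lists[m.group(1)] = m.group(2).split()
        m = re.match(r"aaa authentication enable default (.+)", text)
        if m:
            enable_methods = m.group(1).split()
        if raw.startswith("line "):
            current = text
            lines[current] = {"list": "default", "priv15": False}
        elif raw.startswith(" ") and current:
            m = re.match(r"login authentication (\S+)", text)
            if m:  # a named list overrides "default" for this line only
                lines[current]["list"] = m.group(1)
            if text == "privilege level 15":
                lines[current]["priv15"] = True
        else:
            current = None
    per_line = {n: login_lists.get(v["list"], []) for n, v in lines.items()}
    findings = []
    if "radius" in enable_methods:
        findings.append("enable password is sent to RADIUS as user $enab15$")
    for name, v in lines.items():
        if v["priv15"]:
            findings.append(f"{name}: privilege level 15, sessions start in enable mode")
    return per_line, enable_methods, findings
```

On the sample, the console resolves to `local-case` only while the vty lines still use RADIUS first, and the enable finding remains because the console method list changes login authentication, not the `aaa authentication enable` list.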
