01-31-2023 07:52 PM
I have this issue whr the device asks for my username and password when im enabling the device. I have set a local user named Admin 1 and it has a secret password. ive also set "enable password admin1pass " on the devices. However it just asks for the username and password i have set through ssh which is user: Admin3 and pass: admin3pass.
These are the cmds i typed in:
aaa new-model
aaa authentication login default group radius local
aaa authentication enable default group radius local
radius-server host 192.168.0.58 key 123
ip domain name cisco.com
crypto key generate rsa
ip ssh version 2
line vty 0 1
transport input ssh
login authentication default
exit
Solved! Go to Solution.
02-02-2023 07:15 PM
Tnks for all the help. This was the fix:
Change "aaa authentication enable default group radius local" to --> "aaa authentication enable default enable"
01-31-2023 11:45 PM
What you describe is pretty much expected behavior. When you configure aaa new-model the device stops using any line password and begins prompting for a user name and password. If the configuration of the radius server is correct then authentication would be done by the server and if there is some problem accessing the server then authentication would be done for the configured user name and password. I am not clear whether you are authenticating with the server. If in doubt, or to figure out the issue you might run debug for aaa or perhaps debug for radius.
I am a bit surprised at this line "line vty 0 1". It means that ssh is used and telnet is prevented on those lines. But telnet would be allowed on other vty. I would have expected line 0 4 and perhaps line 5 15 depending on the platform.
02-01-2023 02:55 AM
ask for username and password for enable
or
ask for password for enable
which case ?
02-01-2023 03:31 AM
02-01-2023 03:35 AM - edited 02-01-2023 03:51 AM
I will lab check one solution
I will lab to ensure that change the config not effect access to SW/R via console or vty.
please wait my lab
thanks
02-01-2023 07:48 AM - edited 02-01-2023 06:51 PM
aaa authentication enable default group radius local <<- first I dont see local in cisco command reference, please check command
second
R1
!
enable password ciscolocal
!
aaa new-model
!
!
aaa authentication login default group tacacs+ local
aaa authentication enable default group tacacs+ enable
!
ip dhcp pool mhm
network 100.0.0.0 255.255.255.0
!
username mhm password 0 ciscolocal
!
interface FastEthernet0/0
ip address 100.0.0.1 255.255.255.0
duplex half
!
tacacs-server host 100.0.0.2 key cisco
!
line vty 0 4
this test
use local username and password for login auth
use enable (local) password for enable
use tacacs username and password for login auth
use enable (tacacs) password for enable
02-01-2023 06:33 PM
Thanks for the clarification of what you want. The configuration that you posted is inconsistent with what you want. You configured this
aaa authentication enable default group radius local
which specifies that authentication to enable mode should be done through the radius server (which needs user name and password) and the locally configured enable password should be used only as a backup if the server is not accessible. If you want to authenticate to enable with the locally configured enable password/secret then change the configuration to this
aaa authentication enable default local
note that I do not recommend this approach. But if you really want to do it this would be how.
02-02-2023 07:15 PM
Tnks for all the help. This was the fix:
Change "aaa authentication enable default group radius local" to --> "aaa authentication enable default enable"
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide