Asking for USERNAME and PASSWORD upon enabling when using AAA.

Justien
Level 1

I have this issue where the device asks for my username and password when I'm enabling the device. I have set a local user named Admin 1 and it has a secret password. I've also set "enable password admin1pass" on the devices. However, it just asks for the username and password I have set through SSH, which is user: Admin3 and pass: admin3pass.

These are the commands I typed in:

aaa new-model
aaa authentication login default group radius local
aaa authentication enable default group radius local
radius-server host 192.168.0.58 key 123
ip domain name cisco.com
crypto key generate rsa
ip ssh version 2
line vty 0 1
transport input ssh
login authentication default
exit 

Accepted Solution

Justien
Level 1

Thanks for all the help. This was the fix:

Change "aaa authentication enable default group radius local" to  --> "aaa authentication enable default enable"

 

7 Replies

Richard Burts
Hall of Fame

What you describe is pretty much expected behavior. When you configure aaa new-model the device stops using any line password and begins prompting for a user name and password. If the configuration of the radius server is correct then authentication would be done by the server and if there is some problem accessing the server then authentication would be done for the configured user name and password. I am not clear whether you are authenticating with the server. If in doubt, or to figure out the issue you might run debug for aaa or perhaps debug for radius.

I am a bit surprised at this line "line vty 0 1". It means that ssh is used and telnet is prevented on those lines. But telnet would be allowed on other vty. I would have expected line 0 4 and perhaps line 5 15 depending on the platform.

HTH

Rick

Does it ask for a username and password for enable,
or
ask only for a password for enable?

Which case?

Right now when I want to enable, it asks for the username and password again. But I want it to just ask for the local enable password I set, which is “enablepass”.

I will lab check one solution.
I will lab it to ensure that changing the config does not affect access to the SW/R via console or vty.
Please wait for my lab.
Thanks.

aaa authentication enable default group radius local <<- First, I don't see local in the Cisco command reference; please check the command.
Second:

R1
!
enable password ciscolocal
!
aaa new-model
!
!
aaa authentication login default group tacacs+ local
aaa authentication enable default group tacacs+ enable
!
ip dhcp pool mhm
network 100.0.0.0 255.255.255.0
!
username mhm password 0 ciscolocal
!
interface FastEthernet0/0
ip address 100.0.0.1 255.255.255.0
duplex half
!
tacacs-server host 100.0.0.2 key cisco
!
line vty 0 4

 

this test
use local username and password for login auth 
use enable (local) password for enable 

Screenshot (261).png

use tacacs username and password for login auth 
use enable (tacacs) password for enable 

Screenshot (262).png



Thanks for the clarification of what you want. The configuration that you posted is inconsistent with what you want. You configured this

aaa authentication enable default group radius local

which specifies that authentication to enable mode should be done through the radius server (which needs user name and password) and the locally configured enable password should be used only as a backup if the server is not accessible. If you want to authenticate to enable with the locally configured enable password/secret then change the configuration to this

aaa authentication enable default local

Note that I do not recommend this approach. But if you really want to do it this would be how.

HTH

Rick
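
An added example, not part of any post in this thread: a small Python check that reads the commands from the question, returns the order of the enable method list, and flags the two points raised in the replies (server-first enable authentication, and vty lines outside the `transport input ssh` block). The function names and the expected vty range 0-4 are assumptions made for the example.

```python
import re

# Constructed input: the AAA and vty commands quoted in the question above.
QUESTION_CONFIG = """\
aaa new-model
aaa authentication login default group radius local
aaa authentication enable default group radius local
line vty 0 1
transport input ssh
login authentication default
"""

def method_list(config, kind):
    """Ordered methods of 'aaa authentication <kind> default'."""
    m = re.search(rf"^aaa authentication {kind} default (.+)$", config, re.M)
    tokens, methods = (m.group(1).split() if m else []), []
    while tokens:
        tok = tokens.pop(0)
        # 'group <name>' counts as a single method, e.g. 'group radius'
        methods.append(f"group {tokens.pop(0)}" if tok == "group" and tokens else tok)
    return methods

def ssh_only_vtys(config):
    """vty numbers whose 'line vty' block carries 'transport input ssh'."""
    covered, current = set(), ()
    for line in map(str.strip, config.splitlines()):
        m = re.match(r"line vty (\d+)(?: (\d+))?$", line)
        if m:
            current = range(int(m.group(1)), int(m.group(2) or m.group(1)) + 1)
        elif line.startswith("line ") or line in ("!", "exit", "end"):
            current = ()
        elif line == "transport input ssh":
            covered.update(current)
    return covered

def audit(config, expected_vtys=range(0, 5)):  # 0-4 is an assumption
    findings = []
    enable = method_list(config, "enable")
    if enable and enable[0].startswith("group "):
        findings.append(f"enable: '{enable[0]}' is asked first, so the server decides")
    if "local" in enable:
        findings.append("enable: 'local' keyword; check it against the command reference")
    if enable and "enable" not in enable:
        findings.append("enable: no 'enable' method, local enable password not listed")
    missing = sorted(set(expected_vtys) - ssh_only_vtys(config))
    if missing:
        findings.append(f"vty {missing}: no 'transport input ssh' seen")
    return findings

print("\n".join(audit(QUESTION_CONFIG)))
```

Run against the question's commands it reports all four findings; with the enable line changed to the accepted fix, only the vty finding remains.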
