06-02-2022 06:56 AM
We have our switches and routers configured with aaa login via a RADIUS server on NPS. When we login to the devices using ssh and telnet, we can login using radius credentials and everything works. The user is automatically taken into enable mode.
However, when we try to login to these devices via console, the user does not end up auto-enabled and needs to type "enable" followed by the enable password. We do not want to give out the enable password. How can we ensure auto enable via console, too?
Relevant config below:
aaa authentication login default group radius local
aaa authentication login admin local
aaa authentication enable default enable
aaa authorization exec default group radius local
aaa accounting exec default start-stop group radius
!
ip radius source-interface BDI801 vrf CBTC
radius-server source-ports extended
!
radius server RADIUS-1
 address ipv4 10.7.0.13 auth-port 1812 acct-port 1813
 key xxxxxx
!
radius server RADIUS-2
 address ipv4 10.7.0.14 auth-port 1812 acct-port 1813
 key xxxxxx
!
line vty 0 4
 session-timeout 60
 exec-timeout 15 0
 login authentication default
 history size 50
 transport input telnet ssh
 logging synchronous
!
line vty 5 15
 session-timeout 60
 exec-timeout 15 0
 login authentication default
 history size 50
 transport input telnet ssh
 logging synchronous
!
line console 0
 session-timeout 60
 exec-timeout 15 0
 login authentication default
 history size 50
 logging synchronous
!
06-02-2022 07:03 AM - edited 06-02-2022 07:03 AM
Hi
I really don't follow you here. If you are willing to give enable access to the device, then what is the problem with giving them the password and letting them get into enable mode anyway?
But no, as far as I know, if you log in in console mode, you end up needing to enter enable.
06-02-2022 11:05 PM
Because we give some people admin rights on switches and routers, but privilege level 7 on firewalls. If we give them the enable password, on a firewall one can elevate themselves to privilege level 15 irrespective of what their original privilege level is.
06-03-2022 03:28 AM
Understood. Makes sense then.
I think you are going to need to review your password scheme for local users.
06-02-2022 08:42 AM
But if you end up in enable, then the user can reconfigure the device;
the enable password is used to protect the device from unauthorized persons doing config.
If you want to try (BUT this is risky):
under VTY
privilege level <- this may make VTY go directly to enable
06-04-2022 02:23 AM
What I want to know is, if there's a way to do "auto enable" on the console port similar to how it is normally implemented on line vtys.
06-04-2022 08:55 AM
I think that you need to configure authorization on the console. I believe that you will find this discussion helpful.
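As an added illustration (not the thread's own config and not taken from the linked discussion) of what "authorization on the console" means in IOS: the AAA lines from the original post are repeated below with the one global command that makes the exec authorization method list apply to the console line, plus the matching line subcommand. The example assumes, as the working vty login already implies, that NPS returns the Cisco AV pair shell:priv-lvl=15 for the admin users; IOS does not apply AAA authorization to the console unless explicitly told to.

```cisco
! Added example, not the original poster's running config.
! aaa new-model is already required by the existing aaa commands.
aaa new-model
aaa authentication login default group radius local
aaa authentication login admin local
aaa authentication enable default enable
aaa authorization exec default group radius local
! Without the next line IOS skips AAA exec authorization on the console,
! so the RADIUS-assigned privilege level is never applied there and the
! user lands in user EXEC. With it, the console behaves like the vtys.
aaa authorization console
aaa accounting exec default start-stop group radius
!
line console 0
 session-timeout 60
 exec-timeout 15 0
 login authentication default
 ! explicit, the default list would also be used implicitly
 authorization exec default
 history size 50
 logging synchronous
```

Two things worth checking before rolling this out: apply it on one device while keeping a second session open, because a mistake in console authorization can lock you out of the only out-of-band path; and remember that when both RADIUS servers are unreachable the method list falls back to local, where a local user only lands in privileged EXEC if defined with privilege 15, otherwise the enable password is still needed.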
06-05-2022 06:10 PM
Thanks, this looks helpful. I will test it out later this week