cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1185
Views
5
Helpful
7
Replies

Auto enable via console port

ronit
Level 1
Level 1

We have our switches and routers configured with aaa login via a RADIUS server on NPS. When we login to the devices using ssh and telnet, we can login using radius credentials and everything works. The user is automatically taken into enable mode.

 

However, when we try to login to these devices via console, the user does not end up auto enabled, needs to type "enable" followed by the enable password. We do not want to give out the enable password. How can we ensure auto enable via console, too?

 

Relevant config below

aaa authentication login default group radius local

aaa authentication login admin local

aaa authentication enable default enable

aaa authorization exec default group radius local

aaa accounting exec default start-stop group radius

!

ip radius source-interface BDI801 vrf CBTC

radius-server source-ports extended

!

radius server RADIUS-1

 address ipv4 10.7.0.13 auth-port 1812 acct-port 1813

 key xxxxxx

!

radius server RADIUS-2

 address ipv4 10.7.0.14 auth-port 1812 acct-port 1813

 key xxxxxx

line vty 0 4

 session-timeout 60

 exec-timeout 15 0

 login authentication default

 history size 50

 transport input telnet ssh

 logging synchronous

!

line vty 5 15

 session-timeout 60

 exec-timeout 15 0

 login authentication default

 history size 50

 transport input telnet ssh

 logging synchronous

!

line console 0

 session-timeout 60

 exec-timeout 15 0

 login authentication default

 history size 50

 logging synchronous

!

7 Replies 7

Hi

   I really dont follow you here. If you are willing to give enable access to the device, then, what is the problem to give them the passwork and let them get into enable mode anyway?

 

But no, as fas as I know, if you log in console mode, you end you need to enter enable. 

Because we give some people admin rights on switches and routers, but privilege level 7 on firewalls. If we give them the enable password, on a firewall one can elevate themselves to privilege level 15 irrespective of what their original privilege level is.

Understood.  Make sense then.

I think you are going to need to review your password scheam for local users.

but if you end with enable then the user can reconfig the device,
enable password it use to protect device from un-authz person to do config.

if you want try BUT this is risky 
under VTY
privilege level <- this may make VTY go directly to enable

ronit
Level 1
Level 1

What I want to know is, if there's a way to do "auto enable" on the console port similar to how it is normally implemented on line vtys.

I think that you need to configure authorization on the console. I believe that you will find this discussion helpful.

https://community.cisco.com/t5/network-access-control/tacacs-console-enable-mode/td-p/1509249?dtid=osscdc000283

HTH

Rick

Thanks, this looks helpful. I will test it out later this week

Review Cisco Networking for a $25 gift card