Auto enable via console port

ronit
Level 1

We have our switches and routers configured with aaa login via a RADIUS server on NPS. When we login to the devices using ssh and telnet, we can login using radius credentials and everything works. The user is automatically taken into enable mode.


However, when we try to login to these devices via console, the user does not end up auto enabled, needs to type "enable" followed by the enable password. We do not want to give out the enable password. How can we ensure auto enable via console, too?


Relevant config below

aaa authentication login default group radius local
aaa authentication login admin local
aaa authentication enable default enable
aaa authorization exec default group radius local
aaa accounting exec default start-stop group radius
!
ip radius source-interface BDI801 vrf CBTC
radius-server source-ports extended
!
radius server RADIUS-1
 address ipv4 10.7.0.13 auth-port 1812 acct-port 1813
 key xxxxxx
!
radius server RADIUS-2
 address ipv4 10.7.0.14 auth-port 1812 acct-port 1813
 key xxxxxx
!
line vty 0 4
 session-timeout 60
 exec-timeout 15 0
 login authentication default
 history size 50
 transport input telnet ssh
 logging synchronous
!
line vty 5 15
 session-timeout 60
 exec-timeout 15 0
 login authentication default
 history size 50
 transport input telnet ssh
 logging synchronous
!
line console 0
 session-timeout 60
 exec-timeout 15 0
 login authentication default
 history size 50
 logging synchronous
!

7 Replies

Hi

I really don't follow you here. If you are willing to give enable access to the device, then what is the problem with giving them the password and letting them get into enable mode anyway?

But no, as far as I know, if you log in in console mode, you end up needing to enter enable.

Because we give some people admin rights on switches and routers, but privilege level 7 on firewalls. If we give them the enable password, on a firewall one can elevate themselves to privilege level 15 irrespective of what their original privilege level is.

Understood. Makes sense then.

I think you are going to need to review your password scheme for local users.

But if you end up in enable, then the user can reconfigure the device;
the enable password is used to protect the device from unauthorized persons doing config.

If you want to try, BUT this is risky:
under VTY
privilege level <- this may make VTY go directly to enable

ronit
Level 1

What I want to know is, if there's a way to do "auto enable" on the console port similar to how it is normally implemented on line vtys.

I think that you need to configure authorization on the console. I believe that you will find this discussion helpful.

https://community.cisco.com/t5/network-access-control/tacacs-console-enable-mode/td-p/1509249?dtid=osscdc000283

HTH

Rick
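The console authorization Rick refers to, shown as an added example that is not config from this thread or from the linked discussion. It assumes the NPS policy already returns a Cisco-AV-Pair of shell:priv-lvl=15 for these users (which the working vty auto-enable implies), and the local username and secret are placeholders.

```cisco
! Global: apply AAA authorization to the console line. IOS skips
! authorization on the console by default, which is why the vty
! sessions land in enable mode while the console does not.
aaa authorization console
!
! Existing method lists from the thread (unchanged). The exec
! authorization list is what carries the RADIUS-returned privilege
! level (assumed here to be Cisco-AV-Pair "shell:priv-lvl=15"
! from NPS, as the working vty behaviour implies).
aaa authentication login default group radius local
aaa authorization exec default group radius local
!
! Local fallback so a RADIUS outage cannot lock the console out.
! Username and secret are placeholders, not values from the thread.
username LOCAL-ADMIN privilege 15 secret <local-admin-secret>
!
line console 0
 session-timeout 60
 exec-timeout 15 0
 login authentication default
 authorization exec default
 history size 50
 logging synchronous
```

After logging in on the console, `show privilege` should report level 15; if RADIUS is unreachable the `local` method applies, so the local privilege-15 account is what keeps console access working.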

Thanks, this looks helpful. I will test it out later this week
