Beginner

Catalyst login issue

I have a strange problem with all catalysts (2948g's, 5500's) on our network. We just moved to an ACS for RADIUS authentication to these switches so I used Ciscoworks to push out the config changes to the switches (all it did was to change the IP address of the RADIUS server on the configs).

Ever since, when I log into one of the switches I'm placed directly into enable mode even though the switches are configured to ask for the local password first.

Here's the output for a show authentication:

Login Authentication:   Console Session    Telnet Session     Http Session
---------------------   ----------------   ----------------   ----------------
tacacs                  disabled           disabled           disabled
radius                  enabled(primary)   enabled(primary)   disabled
kerberos                disabled           disabled           disabled
local                   enabled            enabled            enabled(primary)
attempt limit           3                  3                  -
lockout timeout (sec)   disabled           disabled           -

Enable Authentication:  Console Session    Telnet Session     Http Session
----------------------  ----------------   ----------------   ----------------
tacacs                  disabled           disabled           disabled
radius                  disabled           disabled           disabled
kerberos                disabled           disabled           disabled
local                   enabled(primary)   enabled(primary)   enabled(primary)
attempt limit           3                  3                  -
lockout timeout (sec)   disabled           disabled           -

Any ideas? I have the enablepass configured....

Beginner

Re: Catalyst login issue

Not very familiar with ACS, but... radius is disabled under 'enable authentication'. This tells me that the radius server is not consulted when you enter enable mode. Try enabling that in ACS.

Beginner

Re: Catalyst login issue

Are the log in and enable password the same? Might sound like a stupid question but I've seen scenarios where this was the case.

Beginner

Re: Catalyst login issue

No, they are different. I've had to open a case with TAC on this. It's strange.....when I change the RADIUS config to point back to the old Microsoft authentication server it works properly but change it again to point to the ACS and boom...straight to enable.

Hall of Fame Guru

Re: Catalyst login issue

Does it have the same behavior when different IDs are used to login or is it just happening with your ID?

You might want to check how the IDs are defined in radius and what privilege level is associated with them.

It might also help if you could post the aaa and radius parts of your config.

HTH

Rick

Beginner

Re: Catalyst login issue

Turns out this is normal behavior in that Cisco did not write exec authorization into CatOS. To get around not having exec authorization you have to enable service-type as 'administrative' on the ACS, which results in the straight-to-enable scenario.

Workaround is to use tacacs.

Thanks for all your suggestions though.
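The mechanism described in the reply above can be checked on the wire: the RADIUS Access-Accept from the ACS carries a Service-Type attribute (RFC 2865 attribute 6), and a value of Administrative-User (6) rather than NAS-Prompt-User (7) is what drops a CatOS login straight into enable. The decoder below is an added example, not code from the thread or from Cisco; it builds constructed Access-Accept packets with a zeroed Response Authenticator (no MD5 check of the shared secret is performed) and reports which Service-Type the server returned.

```python
import struct

ACCESS_ACCEPT = 2                      # RADIUS packet code (RFC 2865)
ATTR_SERVICE_TYPE = 6                  # Service-Type attribute type
SERVICE_TYPE_NAMES = {1: "Login-User", 6: "Administrative-User", 7: "NAS-Prompt-User"}


def build_access_accept(identifier: int, service_type: int) -> bytes:
    """Constructed sample Access-Accept carrying one Service-Type attribute.
    The 16-byte Response Authenticator is zeroed; a real reply carries an MD5
    over the packet and shared secret, which this diagnostic does not verify."""
    attr = struct.pack("!BBI", ATTR_SERVICE_TYPE, 6, service_type)  # type, len, value
    length = 20 + len(attr)                                         # header + attrs
    return struct.pack("!BBH", ACCESS_ACCEPT, identifier, length) + bytes(16) + attr


def parse_radius(packet: bytes) -> dict:
    """Split a RADIUS packet into header fields and a {type: raw value} map,
    rejecting packets whose length field or attribute lengths are inconsistent."""
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length != len(packet):
        raise ValueError("RADIUS length field does not match packet size")
    attrs, pos = {}, 20
    while pos < length:
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("malformed attribute at offset %d" % pos)
        attrs[atype] = packet[pos + 2:pos + alen]
        pos += alen
    return {"code": code, "id": ident, "attrs": attrs}


def service_type_of(packet: bytes):
    """Return the Service-Type integer from an Access-Accept, or None if absent."""
    parsed = parse_radius(packet)
    raw = parsed["attrs"].get(ATTR_SERVICE_TYPE)
    if parsed["code"] != ACCESS_ACCEPT or raw is None or len(raw) != 4:
        return None
    return struct.unpack("!I", raw)[0]


def lands_in_enable(packet: bytes) -> bool:
    """True when the accept carries Administrative-User (6), the value the
    thread identifies as putting a CatOS session straight into enable mode."""
    return service_type_of(packet) == 6


if __name__ == "__main__":
    for st in (6, 7):
        pkt = build_access_accept(1, st)
        print(SERVICE_TYPE_NAMES[service_type_of(pkt)], "-> enable:", lands_in_enable(pkt))
```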
