11-26-2004 09:16 AM - edited 03-05-2019 11:20 AM
I have a strange problem with all catalysts (2948g's, 5500's) on our network. We just moved to an ACS for RADIUS authentication to these switches so I used Ciscoworks to push out the config changes to the switches (all it did was to change the IP address of the RADIUS server on the configs).
Ever since, when I log into one of the switches I'm placed directly into enable mode even though the switches are configured to ask for the local password first.
Here's the output for a show authentication:
Login Authentication:    Console Session   Telnet Session    Http Session
---------------------    ----------------  ----------------  ----------------
tacacs                   disabled          disabled          disabled
radius                   enabled(primary)  enabled(primary)  disabled
kerberos                 disabled          disabled          disabled
local                    enabled           enabled           enabled(primary)
attempt limit            3                 3                 -
lockout timeout (sec)    disabled          disabled          -

Enable Authentication:   Console Session   Telnet Session    Http Session
----------------------   ----------------  ----------------  ----------------
tacacs                   disabled          disabled          disabled
radius                   disabled          disabled          disabled
kerberos                 disabled          disabled          disabled
local                    enabled(primary)  enabled(primary)  enabled(primary)
attempt limit            3                 3                 -
lockout timeout (sec)    disabled          disabled          -
Any ideas? I have the enablepass configured....
11-27-2004 12:56 PM
Not very familiar with ACS, but... radius is disabled under 'enable authentication'. This tells me that the radius server is not consulted when you enter enable mode. Try enabling that in ACS.
11-29-2004 11:43 AM
Are the log in and enable password the same? Might sound like a stupid question but I've seen scenarios where this was the case.
12-02-2004 08:29 AM
No, they are different. I've had to open a case with TAC on this. It's strange.....when I change the RADIUS config to point back to the old Microsoft authentication server it works properly but change it again to point to the ACS and boom...straight to enable.
12-04-2004 07:47 PM
Does it have the same behavior when different IDs are used to login or is it just happening with your ID?
You might want to check how the IDs are defined in radius and what privilege level is associated with them.
It might also help if you could post the aaa and radius parts of your config.
HTH
Rick
12-17-2004 07:51 AM
Turns out this is normal behavior in that Cisco did not write exec authorization into the CATOS. To get around not having exec authorization you have to enable service-type as 'administrative' on the ACS which results in the straight-to-enable scenario.
Workaround is to use tacacs.
Thanks for all your suggestions though.
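As an added example (not from this thread or from Cisco), here is a small Python decoder for a RADIUS Access-Accept that reports whether the reply carries Service-Type = Administrative-User, the attribute the last post identifies as what drops a CatOS login straight into enable mode. Attribute numbers and values follow RFC 2865; the sample packet is constructed, and the mapping of reply contents to "enable" versus "exec" is an assumption about NAS behaviour, not something the thread states.

```python
import struct

# RADIUS constants from RFC 2865.
ACCESS_ACCEPT = 2
ATTR_SERVICE_TYPE = 6
SERVICE_TYPE_NAMES = {1: "Login-User", 6: "Administrative-User", 7: "NAS-Prompt-User"}


def build_access_accept(identifier, attrs, authenticator=b"\x00" * 16):
    """Assemble an Access-Accept from (type, value_bytes) pairs.
    Constructed sample data only: the Response Authenticator is left zeroed."""
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)
    header = struct.pack("!BBH", ACCESS_ACCEPT, identifier, 20 + len(body))
    return header + authenticator + body


def parse_radius(pkt):
    """Return (code, identifier, [(attr_type, value_bytes), ...]).
    Rejects packets whose length fields do not agree with the bytes present."""
    if len(pkt) < 20:
        raise ValueError("packet shorter than RADIUS header")
    code, identifier, length = struct.unpack("!BBH", pkt[:4])
    if length < 20 or length > len(pkt):
        raise ValueError("length field inconsistent with packet size")
    attrs, pos = [], 20
    while pos < length:
        if length - pos < 2:
            raise ValueError("truncated attribute header")
        a_type, a_len = pkt[pos], pkt[pos + 1]
        if a_len < 2 or pos + a_len > length:
            raise ValueError("attribute length out of bounds")
        attrs.append((a_type, pkt[pos + 2:pos + a_len]))
        pos += a_len
    return code, identifier, attrs


def exec_level_from_reply(pkt):
    """Assumed NAS behaviour: 'enable' when the server asserts Administrative-User,
    'exec' (user mode) for any other or missing Service-Type, 'reject' otherwise."""
    code, _, attrs = parse_radius(pkt)
    if code != ACCESS_ACCEPT:
        return "reject"
    for a_type, value in attrs:
        if a_type == ATTR_SERVICE_TYPE and len(value) == 4:
            return "enable" if struct.unpack("!I", value)[0] == 6 else "exec"
    return "exec"


if __name__ == "__main__":
    # Constructed ACS-style reply with Service-Type Administrative-User.
    reply = build_access_accept(1, [(ATTR_SERVICE_TYPE, struct.pack("!I", 6))])
    print(exec_level_from_reply(reply))  # prints "enable"
```

Running it against a capture of the ACS reply (for example with the Service-Type value swapped to 7, NAS-Prompt-User) shows which attribute value is responsible before changing the ACS group settings or moving to TACACS+.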