4507, RADIUS, console logs in but no enable

Oct 10th, 2007

I have RADIUS configured and pointing to a Microsoft IAS server. SSH and HTTP work fine using RADIUS. When connecting to the 4507 via console, we can log in with RADIUS credentials, but it moves into unprivileged mode. When we go into enable mode, the password that we send is invalid. I know that the username being sent is "$enab15$" and that is not recognized by IAS.


I simply want to turn off RADIUS on the console authentication. Any help is appreciated!


See below for relevant config:

**************************
aaa new-model
aaa authentication attempts login 5
aaa authentication login default group radius local-case
aaa authentication enable default group radius enable
aaa authorization exec default group radius if-authenticated
aaa session-id common
ip http authentication aaa login-authentication default
!
radius-server host 192.168.0.147 auth-port 1645 acct-port 1646 key 7 blahblahblah
radius-server source-ports 1645-1646
radius-server timeout 20
!
line con 0
 password 7 ohnoyoudont
 stopbits 1
**************************


Jagdeep Gambhir Wed, 10/10/2007 - 12:33

Astro,

Enable authentication was meant to function with TACACS, and when used with RADIUS it does not perform the same. As a result, the only way for you to get enable authentication to work with RADIUS would be to input the username $enab15$ into your RADIUS server and every user would need to use that username.


So you need to set up a user $enab15$ in IAS server.



Regards,

~JG


Please rate helpful posts

astroman Wed, 10/10/2007 - 12:41

That defeats the purpose of what I'm trying to do.


I'd like to remove RADIUS auth from the console port entirely. Any suggestions?



Jagdeep Gambhir Wed, 10/10/2007 - 12:48

Need to set method list


aaa authentication login console local-case
line console 0
 login authentication console



Regards,

~JG

astroman Wed, 10/10/2007 - 12:57

Didn't try that, but setting the privilege level to 15 on the console port resolves my issue.


Any arguments for doing that?


Thanks for your responses...

Jagdeep Gambhir Wed, 10/10/2007 - 13:01

That didn't bypass radius, and I guess you wanted that console login should not go to radius.



Regards,

~JG

astroman Wed, 10/10/2007 - 13:06

Yeah, I'm still authenticating via RADIUS, with LOCAL being the backup, and I'm able to get into enable mode immediately.


Again, thanks for your responses...

Jagdeep Gambhir Wed, 10/10/2007 - 13:19

Well your question and end result did not match at all.


You asked "I'd like to remove RADIUS auth from the console port entirely. Any suggestions?"


Radius is still in picture and it will fall back to local in case radius is not reachable.


Anyways glad to know your issue is fixed.

astroman Wed, 10/10/2007 - 13:37

Alright, alright...you still got your "cookie" rating...


Thanks for your help...
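
The two outcomes discussed in this thread (a console-only login method list versus `privilege level 15` on the console) can be told apart by resolving, for each line, which login method list applies and whether an enable request would go to RADIUS as `$enab15$`. The Python below is an added example, not code from any poster or from Cisco; the function name `audit`, the sample configuration and its vty stanza are constructed for illustration.

```python
import re

# Constructed sample config: the thread's AAA lines plus a hypothetical vty stanza.
SAMPLE = """\
aaa new-model
aaa authentication login default group radius local-case
aaa authentication login console local-case
aaa authentication enable default group radius enable
line con 0
 login authentication console
 privilege level 15
line vty 0 4
 transport input ssh
"""

def audit(config):
    """Map each line stanza to its login methods and flag enable behaviour."""
    login_lists, enable_methods, lines, current = {}, [], {}, None
    for raw in config.splitlines():
        text = raw.strip()
        m = re.match(r"aaa authentication login (\S+) (.+)", text)
        if m:
            login_lists[m.group(1)] = m.group(2).split()
        elif text.startswith("aaa authentication enable default "):
            enable_methods = text.split()[4:]
        elif raw.startswith("line "):
            # Lines with no "login authentication" use the default list.
            current = lines.setdefault(text[5:], {"list": "default", "priv": 1})
        elif raw.startswith(" ") and current is not None:
            if text.startswith("login authentication "):
                current["list"] = text.split()[2]
            elif text.startswith("privilege level "):
                current["priv"] = int(text.split()[2])
        else:
            current = None  # left the line stanza
    report = {}
    for name, cfg in lines.items():
        methods = login_lists.get(cfg["list"], [])
        notes = []
        if "radius" in methods:
            notes.append("login uses RADIUS")
        if cfg["priv"] == 15:
            notes.append("session starts at privilege 15, no enable prompt")
        elif "radius" in enable_methods:
            notes.append("enable goes to RADIUS as $enab15$")
        report[name] = {"methods": methods, "notes": notes}
    return report

print(audit(SAMPLE))
```

A console line reported at privilege 15 gives full privilege to anyone who passes console login, so the login method list on that line is the only remaining control.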
