4507, RADIUS, console logs in but no enable

Unanswered Question
Oct 10th, 2007

I have RADIUS configured and pointing to a Microsoft IAS server. SSH and HTTP works fine using RADIUS. When connecting to the 4507 via console, we can login with RADIUS credentials, but moves into unprivileged mode. When we go into enable mode, the password that we send is invalid. I know that the username being sent is "$enab15$" and that is not recognized by IAS.

I simply want to turn off RADIUS on the console authentication. Any help is appreciated!

See below for relevant config:

**************************

aaa new-model

aaa authentication attempts login 5

aaa authentication login default group radius local-case

aaa authentication enable default group radius enable

aaa authorization exec default group radius if-authenticated

aaa session-id common

ip http authentication aaa login-authentication default

!

radius-server host 192.168.0.147 auth-port 1645 acct-port 1646 key 7 blahblahblah

radius-server source-ports 1645-1646

radius-server timeout 20

!

line con 0

password 7 ohnoyoudont

stopbits 1

**************************

I have this problem too.
0 votes
  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 1.5 (2 ratings)
Loading.
Jagdeep Gambhir Wed, 10/10/2007 - 12:33

Astro,

Enable authentication was meant to fucntion with TACACS, and when used with RADIUS it does not perform the same. As a result, the only way for you to get enable authentication to work with RADIUS would be to input the username $enab15$ into your RADIUS server and every user would need to use that username.

So you need to set up a user $enab15$ in IAS server.

Regards,

~JG

Please rate helpful posts

astroman Wed, 10/10/2007 - 12:41

That defeats the purpose of what I'm trying to do.

I'd like to remove RADIUS auth from the console port entirely. Any suggestions?

Jagdeep Gambhir Wed, 10/10/2007 - 12:48

Need to set method list

aaa authentication login console local-case

line console 0

login authentication console

Regards,

~JG

astroman Wed, 10/10/2007 - 12:57

Didn't try that, but setting the privilege level to 15 on the console port resolves my issue.

Any arguments for doing that?

Thanks for your responses...

Jagdeep Gambhir Wed, 10/10/2007 - 13:01

That didn't bypass radius, and I guess you wanted that console login should not go to radius.

Regards,

~JG

astroman Wed, 10/10/2007 - 13:06

Yeah, I'm still authenticating via RADIUS, with LOCAL being the backup, and I'm able to get into enable mode immediately.

Again, thanks for your responses...

Jagdeep Gambhir Wed, 10/10/2007 - 13:19

Well your question and end result did not match at all.

You asked " I'd like to remove RADIUS auth from the console port entirely. Any suggestions?"

Radius is still in picture and it will fall back to local incase radius is not reachable.

Anyways glad to know your issue is fixed.

astroman Wed, 10/10/2007 - 13:37

Alright, alright...you still got your "cookie" rating...

Thanks for your help...

Actions

This Discussion