Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
2008
Views
0
Helpful
4
Replies

Radius authentication for the enable password

amady3381
Level 1
Level 1

‎03-04-2008 10:12 PM - edited ‎03-10-2019 03:41 PM

Dear Sir

I have an ACS and I have many switches in the network. I used to secure the telnet and

enable access to these switches with tacacas+ authentication protocol. so the username and

password is taken form the ACS internal database. Also the enable password is taken from

the ACS. Today we changed the tacacas+ to Radius because we use the 802.1x framework on

the wired network. Dot1x authentication worked fine and when you try to telnet to the

switch the username and password is taken but the enable password isnot taken from the

ACS. When I check the configuration on the ACS under the user page I found a checkmark to

use the enable password as the PAP password of the user but this is only under tacacs+

settings how can I make this for Radius This is my question. Please answer me asap. It is

urgent.

Thanks,

Labels:
0 Helpful
4 Replies 4

Jagdeep Gambhir
Level 10
Level 10

‎03-05-2008 06:04 AM

Enable authentication was meant to function

with TACACS, and when used with RADIUS it does not perform the same. As a result, the

only way for you to get enable authentication to work with RADIUS would be to input the

username $enab15$ into your RADIUS server.

When using the Radius protocol for enable authentication on an IOS or CatOS based device, the router send a request to the Radius server for the username you

mention --$enabl15.

Hope that helps !

Regards,

~JG

Do rate helpful posts

0 Helpful

amady3381
Level 1
Level 1
In response to Jagdeep Gambhir

‎03-06-2008 02:17 AM

Dear iqambhir

Thank you very much for your help.

I already did that but this makes the enable pasword shared with all users and we don't want that.

I want the enable password to be taken as the PAP password of the user who tries to login but I didn't find that with radius. This option is there with tacacas+.

I want to know why the router or the switch sends that user " $enab15$ ". Is this bug on the system?

Pleae, If there is any other way to authenticate the enable password with the radius submit it.

Thanks alot,

0 Helpful

Jagdeep Gambhir
Level 10
Level 10
In response to amady3381

‎03-06-2008 09:07 AM

Well, again Enable authentication was meant to function with TACACS, and not radius. This is not a bug and is working the way it should.

With Radius , there is no way you can customized the enable password.

Hope that helps

Regards,

~JG

Do rate helpful posts

0 Helpful

amady3381
Level 1
Level 1
In response to Jagdeep Gambhir

‎03-10-2008 02:17 AM

Dear jgambhir

Thank you for your help.

Can I use tacacs+ with the Dot1x technloogy. If yes what are the features added or subtracted from dot1x if i used the tacacs+ instead of radius.

Appreciate your help

Thanks,

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents