AAA config for "enable" in switch vs firewall.

Sep 12th, 2008

Hello


Got a Windows AD with a Cisco ACS 4.2 set up in front of it.


I have configured things so that our firewalls (PIX/ASA) have AAA configuration now, and it works well.


But today, when I was going to configure our switches with the same login system, I encountered problems with the command "enable".


I'm using RADIUS and not TACACS.


Why does "enable" work for my users on the firewalls and not on the switches?


Firewall Conf:

aaa-server auth (inside) host 192.168.100.50 <key> timeout 5

aaa authentication telnet console auth LOCAL

aaa authentication ssh console auth LOCAL

aaa authentication enable console auth LOCAL



When configuring AAA in the switch I encounter this debug message

Sep 12 11:01:23.966: RADIUS: Authenticating using $enab15$

Sep 12 11:01:23.966: RADIUS: Pick NAS IP for u=0x272E1E4 tableid=0 cfg_addr=0.0.0.0

Sep 12 11:01:23.966: RADIUS: ustruct sharecount=1

Sep 12 11:01:23.966: Radius: radius_port_info() success=1 radius_nas_port=1

Sep 12 11:01:23.966: RADIUS(00000000): Send Access-Request to 192.168.100.50:1645 id 1645/26, len 88

Sep 12 11:01:23.966: RADIUS: authenticator 60 30 66 23 E1 D3 5B C7 - 38 B8 65 B8 2B 33 B4 6E

Sep 12 11:01:23.966: RADIUS: NAS-IP-Address [4] 6 192.168.100.1

Sep 12 11:01:23.966: RADIUS: NAS-Port [5] 6 2

Sep 12 11:01:23.966: RADIUS: NAS-Port-Type [61] 6 Virtual [5]

Sep 12 11:01:23.966: RADIUS: User-Name [1] 10 "$enab15$"

Sep 12 11:01:23.966: RADIUS: Calling-Station-Id [31] 16 "192.168.75.172"

Sep 12 11:01:23.966: RADIUS: User-Password [2] 18 *

Sep 12 11:01:23.966: RADIUS: Service-Type [6] 6 Administrative [6]

Sep 12 11:01:23.983: RADIUS: Received from id 1645/26 192.168.100.50:1645, Access-Reject, len 32

Sep 12 11:01:23.983: RADIUS: authenticator 3D 50 89 A2 A8 AB 43 C2 - A6 CA FB DF D4 9B 78 05

Sep 12 11:01:23.983: RADIUS: Reply-Message [18] 12



My googling has given me the info that I need to use TACACS to make this AAA config work with switches/routers.


My question is, why does it work for the ASA/PIX?


Anyone got an idea?


Thanks

Jagdeep Gambhir Fri, 09/12/2008 - 05:29

Hi,

Enable authentication was meant to function with TACACS, and when used with RADIUS it does not perform the same. As a result, the only way for you to get enable authentication to work with RADIUS would be to input the username $enab15$ into your RADIUS server.


When using the RADIUS protocol for enable authentication on an IOS- or CatOS-based device, the router sends a request to the RADIUS server for the username you mention, $enab15$.


The behavior is the same on PIX/ASA.


Hope that helps !


Regards,

~JG


Do rate helpful posts
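The exchange JG describes, modelled as an added example that is not part of the original thread: the script builds the Access-Request an IOS device sends for "enable" (User-Name "$enab15$", Service-Type Administrative, the same attribute order and 88-byte length as the debug output above) and a minimal RADIUS server that answers Access-Reject when "$enab15$" is missing from its user table and Access-Accept once it has been added. Packet layout, User-Password hiding and the Response Authenticator follow RFC 2865; the shared secret, passwords and user table are constructed test data, and the addresses are taken from the debug lines.

```python
"""Model of the RADIUS enable-authentication exchange from the debug above.

Added example, not code from the thread. Shared secret, passwords and the
user table are made up; addresses come from the debug output. Only the
standard library is used.
"""
import hashlib
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, NAS_IP, NAS_PORT, SERVICE_TYPE = 1, 2, 4, 5, 6
REPLY_MESSAGE, CALLING_STATION_ID, NAS_PORT_TYPE = 18, 31, 61
SERVICE_ADMINISTRATIVE, PORT_TYPE_VIRTUAL = 6, 5
ENABLE_USER = "$enab15$"   # IOS sends this, not the operator's name, for enable


def _attr(atype, value):
    """Encode one RADIUS attribute: Type(1) Length(1) Value."""
    return struct.pack("!BB", atype, len(value) + 2) + value


def _hide_password(password, secret, authenticator):
    """RFC 2865 5.2: pad to 16-byte blocks, XOR each with MD5(secret + previous block)."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out, prev = out + block, block
    return out


def _unhide_password(hidden, secret, authenticator):
    """Inverse of _hide_password; keys are chained on the hidden blocks."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], key))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")   # padding removal; trailing NULs in a real password would be lost


def build_enable_request(ident, secret, password, nas_ip="192.168.100.1",
                         caller="192.168.75.172", authenticator=None):
    """Access-Request with the attributes, in the order, shown in the IOS debug."""
    auth = authenticator or os.urandom(16)        # 16-byte Request Authenticator
    attrs = b"".join([
        _attr(NAS_IP, bytes(int(o) for o in nas_ip.split("."))),
        _attr(NAS_PORT, struct.pack("!I", 2)),
        _attr(NAS_PORT_TYPE, struct.pack("!I", PORT_TYPE_VIRTUAL)),
        _attr(USER_NAME, ENABLE_USER.encode()),
        _attr(CALLING_STATION_ID, caller.encode()),
        _attr(USER_PASSWORD, _hide_password(password.encode(), secret, auth)),
        _attr(SERVICE_TYPE, struct.pack("!I", SERVICE_ADMINISTRATIVE)),
    ])
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + auth + attrs


def parse_attrs(packet):
    """Return {type: value} for the attributes after the 20-byte header."""
    attrs, pos = {}, 20
    while pos < len(packet):
        atype, alen = struct.unpack("!BB", packet[pos:pos + 2])
        attrs[atype] = packet[pos + 2:pos + alen]
        pos += alen
    return attrs


def radius_server(request, secret, users):
    """Answer an Access-Request; `users` maps User-Name -> cleartext password."""
    _, ident, _ = struct.unpack("!BBH", request[:4])
    req_auth, attrs = request[4:20], parse_attrs(request)
    name = attrs[USER_NAME].decode()
    password = _unhide_password(attrs[USER_PASSWORD], secret, req_auth)
    if name in users and users[name].encode() == password:
        code, rattrs = ACCESS_ACCEPT, b""
    else:   # unknown user (e.g. no $enab15$ entry) or wrong password
        code, rattrs = ACCESS_REJECT, _attr(REPLY_MESSAGE, b"Rejected")
    head = struct.pack("!BBH", code, ident, 20 + len(rattrs))
    # Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)
    resp_auth = hashlib.md5(head + req_auth + rattrs + secret).digest()
    return head + resp_auth + rattrs


def verify_reply(reply, request, secret):
    """NAS-side check that the reply was produced with the same shared secret."""
    expected = hashlib.md5(reply[:4] + request[4:20] + reply[20:] + secret).digest()
    return expected == reply[4:20]


def response_code(reply):
    return reply[0]


SECRET = b"testing123"                                   # constructed shared secret
REQUEST = build_enable_request(26, SECRET, "EnablePa55")  # constructed enable password
WITHOUT_ENABLE_USER = {"azore": "UserPa55"}               # only real operator accounts
WITH_ENABLE_USER = {"azore": "UserPa55", ENABLE_USER: "EnablePa55"}  # after JG's fix

if __name__ == "__main__":
    for users in (WITHOUT_ENABLE_USER, WITH_ENABLE_USER):
        reply = radius_server(REQUEST, SECRET, users)
        print(sorted(users), {ACCESS_ACCEPT: "Access-Accept", ACCESS_REJECT: "Access-Reject"}[response_code(reply)])
```

Because the NAS never sends the operator's own name in this request, a "$enab15$" entry on the RADIUS server is one shared privilege-15 credential for every IOS device that points at that server; that is the trade-off behind the workaround JG describes.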

azore2007 Fri, 09/12/2008 - 05:32

Hi JG


But the PIX/ASA uses RADIUS, and the "enable" command works on those systems?


And I have not added the user "$enab15$" to the AD either.
