"ip radius source loop0" not working for enable?

Apr 9th, 2009

Hi All,


We have recently upgraded one of our routers to version 12.2SR.

One of the problems we are facing is that radius authentication is not working correctly for the enable part.


We are using the loopback address as a source.


ip radius source-interface Loopback0


While for the user authentication the request from the router is using the loopback address, for the enable it is using the physical address!!! We tried to remove and add all the aaa commands, but it is the same thing. This is not the case for the older version, i.e. 12.2SX.


Find below the aaa and radius commands.


aaa new-model

aaa authentication login my_radius group radius local


aaa authentication enable default group radius enable


aaa session-id common

no cns aaa enable


aaa authentication login my_radius group radius local


aaa authentication enable default group radius enable


ip radius source-interface Loopback0


radius-server host 1.1.1.1 auth-port 1812 acct-port 1813 key 7 xxxxxxxxxx

Jagdeep Gambhir Thu, 04/09/2009 - 13:03

It is not a radius source issue.


Enable authentication was actually designed to work with TACACS. In IOS devices, when we do "enable" authentication using the Radius protocol, the username sent to the Radius Server (ACS) is not the one with which you logged in. It is "$enab15$"; if you check the failed logs, I am sure you'll see that username. In the case of Radius, you would be required to create a user account with the username "$enab15$" and use the password for this account to be able to log into enable privilege mode.



Regards,

~JG


Do rate helpful posts


pavlosd Wed, 04/15/2009 - 05:08

Hi JG,


We have already defined the "$enab15$" user. As I told you, the problem is that user authentication is using the loopback address as a source, while enable is using the local interface address. I can confirm this because we added the local address to the radius till we sort out the problem.
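
The symptom discussed in this thread can be confirmed from the RADIUS server side. The following is an added example, not part of any post above: it groups logged requests by device and reports devices whose enable requests (username "$enab15$") arrive from a source address never used for login requests. The CSV layout, column names, device names, addresses and result strings are constructed assumptions; matching "$enab<level>$" for levels other than 15 goes beyond what the thread mentions.

```python
import csv
import io
from collections import defaultdict

# Constructed sample of a RADIUS server request log (CSV export).
# Column names, device names, addresses and result values are assumptions.
SAMPLE_LOG = """\
src_ip,nas_id,username,result
10.255.0.1,rtr-sr,alice,Access-Accept
192.0.2.5,rtr-sr,$enab15$,Dropped-Unknown-Client
10.255.0.2,rtr-sx,bob,Access-Accept
10.255.0.2,rtr-sx,$enab15$,Access-Accept
"""


def is_enable_request(username):
    """True for the username IOS sends for enable authentication over RADIUS,
    e.g. $enab15$ for privilege level 15."""
    return (username.startswith("$enab") and username.endswith("$")
            and username[5:-1].isdigit())


def source_mismatches(log_text):
    """Return [(nas_id, login_sources, enable_only_sources)] for devices whose
    enable requests come from an address never seen on their login requests."""
    seen = defaultdict(lambda: {"login": set(), "enable": set()})
    for row in csv.DictReader(io.StringIO(log_text)):
        kind = "enable" if is_enable_request(row["username"]) else "login"
        seen[row["nas_id"]][kind].add(row["src_ip"])

    findings = []
    for nas_id, src in sorted(seen.items()):
        enable_only = src["enable"] - src["login"]
        # Only report devices where both request types were observed.
        if src["login"] and enable_only:
            findings.append((nas_id, sorted(src["login"]), sorted(enable_only)))
    return findings


if __name__ == "__main__":
    for nas_id, login, enable_only in source_mismatches(SAMPLE_LOG):
        print(f"{nas_id}: login from {login}, enable from {enable_only}")
```
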
