Logging to different modes

bierrrr.CC
Level 1

Hi,

Just learning AAA and I'm struggling with one thing. I've got a RADIUS server set up and switches/routers authenticate to it. Everything's working fine.

As a safety measure I've got a local account set up as well, just in case both RADIUS servers are down.

I was able to configure them to log on users directly to privileged mode, which is quite convenient. However, when I log on using the local account I'm in the privileged mode as well.

Is there a way to configure a switch/router to log on users who authenticated through RADIUS server directly to enable mode, but if a user logs on using a local account it will be in exec mode and will have to enter a password to access privileged mode?

Here's my configuration:

aaa new-model
aaa authentication login default group radius local
aaa authentication enable default group radius enable
aaa authorization exec default group radius local
enable secret 5 <...>
username testlocal privilege 15 password 7 <...>
ip radius source-interface Vlan150
radius-server host 192.168.10.2 auth-port 1812 acct-port 1813 key 7 <...>
radius-server host 192.168.17.2 auth-port 1812 acct-port 1813 key 7 <...>
radius-server retransmit 3


3 Replies

Change:

username testlocal privilege 15 password 7 <...>

to read:

username testlocal password 7 <...>

Hi Javier,

Thank you for the reply. I can't believe it was so easy to fix!

However, in order to allow a local user to access 'enable mode', I had to remove this line as well:

aaa authentication enable default group radius enable

as there was no way I could authenticate. The switch was using '$ena15$' as a username to authenticate on RADIUS server.

There was the same problem if I logged on using my Active Directory account, entered 'disable' command and then tried to go back to privileged mode.

I figured that I'd rather authenticate to enable mode locally.

Anyway, it's all sorted now. Thank you again.

> The switch was using '$ena15$' as a username to authenticate on RADIUS server.

That is the expected behavior with RADIUS.

With TACACS+, it will send the actual username.
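An added example, not from the thread or from Cisco: a small Python audit of the AAA lines posted above that flags the two behaviours discussed (a privilege-15 local fallback user skipping the enable prompt, and 'enable' being authenticated against RADIUS first) and applies the fix Javier suggested. The config text is constructed to mirror the thread, and the one-command-per-line IOS-style syntax is an assumption.

```python
import re

# Constructed sample, modelled on the thread's configuration (not a real device dump).
SAMPLE_CONFIG = """\
aaa new-model
aaa authentication login default group radius local
aaa authentication enable default group radius enable
aaa authorization exec default group radius local
enable secret 5 <...>
username testlocal privilege 15 password 7 <...>
"""

USER_RE = re.compile(r"^username (\S+) privilege (\d+) ")
ENABLE_RE = re.compile(r"^aaa authentication enable default (.+)$")


def audit_aaa(config: str) -> list:
    """Report the two behaviours the thread ran into (assumes IOS-style config text)."""
    findings = []
    lines = [ln.strip() for ln in config.splitlines() if ln.strip()]
    login_has_local = any(
        ln.startswith("aaa authentication login default") and " local" in ln for ln in lines
    )
    for ln in lines:
        m = USER_RE.match(ln)
        if m and int(m.group(2)) == 15 and login_has_local:
            # Login falls back to the local database, and a privilege-15 user
            # lands straight in privileged EXEC, never seeing the enable prompt.
            findings.append(f"{m.group(1)}: privilege 15 skips enable prompt")
        m = ENABLE_RE.match(ln)
        if m and m.group(1).split()[:2] == ["group", "radius"]:
            # 'enable' is authenticated against RADIUS under a reserved pseudo-username
            # (the thread saw '$ena15$'), not the logged-in user's name; the trailing
            # 'enable' method is only consulted when RADIUS is unreachable, not when it rejects.
            findings.append("enable: RADIUS first, local enable secret only on RADIUS timeout")
    return findings


def fix_aaa(config: str) -> str:
    """Apply the thread's fix: drop privilege 15 from local users and authenticate
    'enable' with the local enable secret (equivalent to removing the RADIUS enable line)."""
    out = []
    for ln in config.splitlines():
        ln = re.sub(r"^(username \S+) privilege 15 ", r"\1 ", ln)
        ln = ENABLE_RE.sub("aaa authentication enable default enable", ln)
        out.append(ln)
    return "\n".join(out) + "\n"
```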
