7790 Views | 10 Helpful | 16 Replies

aaa new-model

mactej6228
Level 1

How does the command "aaa authentication enable default group radius" work? I used Cisco Secure ACS 4.2 as my RADIUS server but I can't log in. Is there somebody here who can give me a thorough understanding of this command? I need this for my CCNA Security exam. Please help.

Additional Info:

IETF RADIUS Attributes: NAS Prompt

here's my config on R1:

!
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname R1
!
boot-start-marker
boot-end-marker
!
enable secret 5 $1$e.TZ$EXkOaZ0rkd/GBGLA/8GrD/
!
aaa new-model
!
!
aaa authentication enable default group radius
!
!
aaa session-id common
!
!
resource policy
!
memory-size iomem 5
ip cef
!
!
!
!
no ip domain lookup
ip domain name aida.com
ip ssh version 2
!
!
username mark privilege 15 password 7 110418171C
username anthony password 7 050A081B29434010
!
interface Loopback1
 ip address 1.1.1.1 255.255.255.255
!
interface FastEthernet0/0
 ip address 192.168.5.1 255.255.255.248
 duplex auto
 speed auto
!
interface FastEthernet0/1
 ip address 10.10.10.1 255.255.255.252
 duplex auto
 speed auto
!
router eigrp 100
 network 1.1.1.1 0.0.0.0
 network 10.10.10.0 0.0.0.3
 network 192.168.5.0 0.0.0.7
 no auto-summary
!
!
!
no ip http server
no ip http secure-server
!
!
radius-server host 172.16.178.3 auth-port 1645 acct-port 1646 key 7 xxxxxxxxxxxxxxxxxxxxxxxxxxx
!
!
!
control-plane
!
!
line con 0
 exec-timeout 0 0
 logging synchronous
line aux 0
line vty 0 4
 login local
 transport input ssh
!
!
end


16 Replies

mactej6228
Level 1

Please help. Is there anyone here who can give me a thorough understanding of this command "aaa authentication enable default group radius"? How does this command affect communication with my RADIUS server? I defined users in the RADIUS server; when can I use them? I use SSH.

There are a couple of options that are available. The best way for most environments is the following:

Migrate to TACACS+

With TACACS+ you have more control over your administration sessions. If you want, you can use TACACS+ and RADIUS at the same time for different functions (TACACS+ for admin, RADIUS for VPN ...).

How to do that:

1) Configure your AAA client on the ACS for TACACS+

2) Configure a tacacs-server instead of a RADIUS server in IOS

3) Use the following aaa commands:

aaa authentication login default group tacacs

aaa authentication enable default group tacacs

Now your ACS user is used for the initial login and for the enable. The enable password can be configured for individual users or for the user group that the user belongs to.

If your ACS is not reachable, you can also configure a fallback. For that you add another method to your aaa commands:

aaa authentication login default group tacacs local

aaa authentication enable default group tacacs enable
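The three steps above, assembled into one IOS fragment. This is an added example, not configuration from any post in the thread: the server address 10.0.0.100, the key tacacs123 and the fallback username are assumed values, and the IOS keyword form "group tacacs+" is used for the server group.

```cisco
! Added example: TACACS+ for device administration (login + enable), with a
! local fallback. Assumed values: ACS at 10.0.0.100, shared key tacacs123.
aaa new-model
!
! Step 2: the TACACS+ server (TCP/49). The key must match the AAA client
! entry for this router on the ACS byte for byte.
tacacs-server host 10.0.0.100 key tacacs123
!
! Step 3: login and enable both consult ACS. The trailing method ("local",
! "enable") is only tried when no TACACS+ server answers (method ERROR);
! a reject from ACS (method FAIL) is final and does not fall through.
aaa authentication login default group tacacs+ local
aaa authentication enable default group tacacs+ enable
aaa authorization exec default group tacacs+ local
!
! Fallback credentials for the case where the ACS is unreachable.
username admin privilege 15 secret <local-password>
enable secret <enable-password>
!
line vty 0 4
 transport input ssh
```

Because "aaa new-model" applies the default login list to the console as well, keep an existing console or SSH session open while testing; if the server is unreachable and the fallback credentials are wrong, that open session is the only way back in.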

Thanks for your reply Karsten. Yes, you're right, I can migrate to TACACS+, but I must first understand what a RADIUS server means and how it handles defined users during authentication. That is why I need to understand the command. This is for the preparation of my CCNA Security exam. I need to understand the basics of the command which I specified above. Thanks in advance.

Hi Mark,

Let me explain to you about RADIUS and TACACS+.

RADIUS uses UDP ports (1812, 1813) or (1645, 1646).

TACACS+ uses TCP port 49 (which is reliable).

RADIUS auth we use for VPN, web authentication, wireless users and the like.

TACACS+ is used for network device/server authentication.

RADIUS requires timeout and other options to be enabled to switch over/auto-disconnect the connection. It works in a client-server architecture, i.e. handshake, PPP, PAP, CHAP.

RADIUS doesn't support a few protocols:

  • AppleTalk Remote Access (ARA) protocol
  • NetBIOS Frame Protocol Control protocol
  • Novell Asynchronous Services Interface (NASI)
  • X.25 PAD connection


So why is it that I can't log in on the router? When I log in to privileged mode it asks me for a username and password. I already tried the password configured on the RADIUS server but still I can't log in to privileged mode...

If you want to find out what the AAA client does, you can use the command "debug radius":

If I log into my switch which uses RADIUS, then the switch asks for authentication of my username:

Jul 15 12:20:50.565: RADIUS:  User-Name           [1]   14  "karsten.iwen"

When I enter "enable" and have "aaa authentication enable default group radius" configured, then the switch doesn't use the real username, but the generic user:

Jul 15 12:40:03.876: RADIUS:  User-Name           [1]   10  "$enab15$"

That can't be handled by RADIUS, but with TACACS+ it can.

Hi Bro

The command "aaa authentication enable default group radius" means that, for your enable password, you want the Router to refer to the ACS server and obtain the credentials.

Another example, the command "aaa authentication enable default group radius enable" means that, for your enable password, you want the Router to refer to the ACS server and obtain the credentials. In the event your ACS is down, you want the Router to refer to the local enable password and obtain the credentials.

I saw what you're trying to achieve, and you can achieve this in RADIUS as well, but personally I prefer TACACS+ whenever possible.

!
aaa new-model
!
aaa authentication login default group radius local
aaa authentication enable default group radius enable
aaa authorization exec default local
!
radius-server host 10.0.0.100 auth-port 1645 acct-port 1646 key cisco123

Note: $enab15$ is seen because you don't have aaa authorization commands configured. You can either add a dummy username $enab15$ in your ACS or you could paste the following commands shown below in your router;

username admin privilege 15 password 0 cisco123
username operator privilege 7 password 0 cisco123

P/S: Please do rate this comment, if you find this feedback useful :-)

Warm regards,
Ramraj Sivagnanam Sivajanam

Hi Karsten,

Thanks for your reply. Okay, here's the output of "debug radius". I followed the instructions of "Ramraj", so what's the problem here?

there you have the problem that your shared secrets don't match.
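Karsten's two points above, the "$enab15$" User-Name in the enable request and the shared-secret mismatch, are easiest to see by building the RFC 2865 exchange by hand. The script below is an added example, not code from the thread or from Cisco: it hides the User-Password with the shared secret the way the RFC describes, plays a toy ACS that signs its reply with the Response Authenticator, and shows that a router configured with a different secret cannot verify that reply and drops it, which from the CLI looks the same as a server that never answered. The NAS address 192.168.5.1, the secrets, the dummy "$enab15$" account and the Service-Type value returned on accept are constructed for the example.

```python
"""RFC 2865 Access-Request / reply for an IOS 'enable' authentication, built by
hand so the role of the shared secret is visible. Added example; all addresses,
secrets and users are made up."""
import hashlib
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS, SERVICE_TYPE = 1, 2, 4, 6
ADMINISTRATIVE_USER = 6  # Service-Type an ACS might return for priv 15 (assumed)


def attr(atype: int, value: bytes) -> bytes:
    """Encode one RADIUS attribute as Type, Length, Value."""
    return struct.pack("!BB", atype, len(value) + 2) + value


def hide_password(password: bytes, secret: bytes, req_auth: bytes) -> bytes:
    """RFC 2865 5.2: pad to 16-byte blocks, XOR each with MD5(secret + previous block)."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", req_auth
    for i in range(0, len(padded), 16):
        mask = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], mask))
        out += prev
    return out


def recover_password(hidden: bytes, secret: bytes, req_auth: bytes) -> bytes:
    """Server side of 5.2: same mask chain, but chained on the ciphertext blocks."""
    out, prev = b"", req_auth
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        mask = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(block, mask))
        prev = block
    return out.rstrip(b"\x00")


def parse_attrs(data: bytes) -> dict:
    """Walk the TLV attribute list into {type: value}."""
    attrs, i = {}, 0
    while i < len(data):
        atype, alen = data[i], data[i + 1]
        attrs[atype] = data[i + 2:i + alen]
        i += alen
    return attrs


def build_enable_request(secret: bytes, enable_pw: bytes, priv: int = 15,
                         ident: int = 0x2A, req_auth: bytes = None):
    """What IOS sends for 'enable' under 'aaa authentication enable default group
    radius': User-Name is the fixed string $enab<level>$, not the logged-in user."""
    req_auth = req_auth or os.urandom(16)  # Request Authenticator, 16 random bytes
    attrs = (attr(USER_NAME, f"$enab{priv}$".encode())
             + attr(USER_PASSWORD, hide_password(enable_pw, secret, req_auth))
             + attr(NAS_IP_ADDRESS, bytes([192, 168, 5, 1])))  # constructed NAS address
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + req_auth + attrs, req_auth


def server_reply(request: bytes, secret: bytes, users: dict) -> bytes:
    """Toy ACS: recover the password, check the user, sign the reply with
    Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    _code, ident, length = struct.unpack("!BBH", request[:4])
    req_auth = request[4:20]
    attrs = parse_attrs(request[20:length])
    user = attrs[USER_NAME].decode()
    password = recover_password(attrs[USER_PASSWORD], secret, req_auth)
    if users.get(user) == password:
        rcode, rattrs = ACCESS_ACCEPT, attr(SERVICE_TYPE, struct.pack("!I", ADMINISTRATIVE_USER))
    else:
        rcode, rattrs = ACCESS_REJECT, b""
    head = struct.pack("!BBH", rcode, ident, 20 + len(rattrs))
    return head + hashlib.md5(head + req_auth + rattrs + secret).digest() + rattrs


def client_verify(reply: bytes, secret: bytes, req_auth: bytes) -> str:
    """Router side: a reply whose Response Authenticator does not verify under the
    router's own secret is discarded, indistinguishable from no reply at all."""
    code, _ident, length = struct.unpack("!BBH", reply[:4])
    expected = hashlib.md5(reply[:4] + req_auth + reply[20:length] + secret).digest()
    if expected != reply[4:20]:
        return "DROPPED (shared secret mismatch)"
    return {ACCESS_ACCEPT: "ACCEPT", ACCESS_REJECT: "REJECT"}.get(code, "OTHER")


def enable_attempt(router_secret: bytes, server_secret: bytes, enable_pw: bytes, users: dict) -> str:
    """One full enable attempt: router builds the request, ACS answers, router checks."""
    req, req_auth = build_enable_request(router_secret, enable_pw)
    return client_verify(server_reply(req, server_secret, users), router_secret, req_auth)


USERS = {"$enab15$": b"cisco"}  # the dummy account Ramraj suggests (constructed password)

if __name__ == "__main__":
    print(enable_attempt(b"cisco123", b"cisco123", b"cisco", USERS))  # ACCEPT
    print(enable_attempt(b"cisco123", b"cisco123", b"wrong", USERS))  # REJECT
    print(enable_attempt(b"cisco123", b"C1sco123", b"cisco", USERS))  # DROPPED
```

The third case is the one in this thread: with mismatched secrets the server also recovers a garbage password and rejects, but the router never sees that reject because the Response Authenticator check fails first, so "debug radius" shows the request going out and the reply being discarded rather than a clean reject.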

Thank you Ramraj. I followed your instructions but still I can't log in. What do you mean by "$enab15$"? Because what I have done is literally add that user to my ACS: I added a user named "$enab15$" with a password of "cisco" but it still won't log me in to my router console. I performed the following commands:

# aaa new-model
# radius-server host 172.16.178.3 key shared_secret
# aaa authentication enable default group radius
# aaa authorization exec default local

I also used the local username/password with privilege 15 on my router but it still fails to authenticate.

Hi Mark

I have recreated the steps in my lab and I saw the same problem as you did. Please click on this URL https://www.yousendit.com/download/QlVqTmZhUENFc0t4djhUQw to download the steps on the Router/Switch portion and on the ACS portion. Please do follow the steps strictly. This is a small problem :-) I will help you.

If the steps provided still doesn't work, please paste your Router/Switch latest show running-config here. I'll verify that first before verifying your ACS config. Good luck bro!!

Warm regards,
Ramraj Sivagnanam Sivajanam

Thank you Ramraj, I really need your help. I followed the guides that you sent but still I can't log in to privileged mode. Here are some of my configurations, hope this can help...

https://supportforums.cisco.com/servlet/JiveServlet/download/3681152-131734/aaa_routerconfig.rar.zip

On my router config, I just made it simple because what I really want is to be able to get into privileged mode using the RADIUS server users. Thanks in advance...

Hi Bro

I saw your Cisco router's configuration, and you didn't put in the commands I advised in my previous post. Please paste them in and retry again;

!
aaa authentication login VTY group radius local
aaa authentication login CONSOLE local
aaa authentication enable default group radius enable
aaa authorization console
aaa authorization config-commands
aaa authorization exec VTY group radius local

!
line con 0
authorization exec VTY
login authentication VTY
line aux 0
line vty 0 4
authorization exec VTY
login authentication VTY
!

Lastly, could you change the Authenticate Using method to RADIUS (Cisco IOS/PIX 6.0) for R1. This is depicted in your captured file named ACS_AAA_Client.jpg.

Warm regards,
Ramraj Sivagnanam Sivajanam

Okay, I'm still at the office now; later (9pm GMT+8) when I get home I will install TeamViewer at my home lab. I think we're in the same time zone. Thanks a lot bro.
