Cisco Support Community

New Member

AAA config for "enable" in switch vs firewall.


Got a Windows AD with a Cisco ACS 4.2 set up in front of it.

I have configured it so that our firewalls (PIX/ASA) have AAA configuration now, and it works well.

But today, when I was gonna configure our switches with the same login system, I've encountered problems with the command "enable".

I'm using Radius and not tacacs.

Why does "Enable" work for my users in the firewalls and not the switches?

Firewall Conf:

aaa-server auth (inside) host <key> timeout 5
aaa authentication telnet console auth LOCAL
aaa authentication ssh console auth LOCAL
aaa authentication enable console auth LOCAL

When configuring AAA in the switch I encounter this debug message:

Sep 12 11:01:23.966: RADIUS: Authenticating using $enab15$
Sep 12 11:01:23.966: RADIUS: Pick NAS IP for u=0x272E1E4 tableid=0 cfg_addr=
Sep 12 11:01:23.966: RADIUS: ustruct sharecount=1
Sep 12 11:01:23.966: Radius: radius_port_info() success=1 radius_nas_port=1
Sep 12 11:01:23.966: RADIUS(00000000): Send Access-Request to id 1645/26, len 88
Sep 12 11:01:23.966: RADIUS: authenticator 60 30 66 23 E1 D3 5B C7 - 38 B8 65 B8 2B 33 B4 6E
Sep 12 11:01:23.966: RADIUS: NAS-IP-Address [4] 6
Sep 12 11:01:23.966: RADIUS: NAS-Port [5] 6 2
Sep 12 11:01:23.966: RADIUS: NAS-Port-Type [61] 6 Virtual [5]
Sep 12 11:01:23.966: RADIUS: User-Name [1] 10 "$enab15$"
Sep 12 11:01:23.966: RADIUS: Calling-Station-Id [31] 16 ""
Sep 12 11:01:23.966: RADIUS: User-Password [2] 18 *
Sep 12 11:01:23.966: RADIUS: Service-Type [6] 6 Administrative [6]
Sep 12 11:01:23.983: RADIUS: Received from id 1645/26, Access-Reject, len 32
Sep 12 11:01:23.983: RADIUS: authenticator 3D 50 89 A2 A8 AB 43 C2 - A6 CA FB DF D4 9B 78 05
Sep 12 11:01:23.983: RADIUS: Reply-Message [18] 12

My googling has given me the info that I need to use TACACS to make this AAA config work with switches/routers.

My question is, why does it work for the ASA/PIX?

Anyone got an idea?



Re: AAA config for "enable" in switch vs firewall.


Enable authentication was meant to function with TACACS, and when used with RADIUS it does not perform the same. As a result, the only way for you to get enable authentication to work with RADIUS would be to input the username $enab15$ into your RADIUS server.

When using the RADIUS protocol for enable authentication on an IOS or CatOS based device, the router sends a request to the RADIUS server for the username you mention -- $enabl15.

The behavior is the same on PIX/ASA.

Hope that helps !



Do rate helpful posts
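To make the mechanism in the reply concrete: the switch authenticates "enable" against RADIUS by sending a fixed user name of the form $enab<level>$ with Service-Type Administrative, so a failing enable login shows up in "debug radius" exactly as in the log above. The Python parser below is an added example, not code from this thread or from Cisco; it groups debug lines per Access-Request id and flags rejected $enab<level>$ requests, and the log it reads is a constructed sample modelled on the posted output.

```python
import re

# Constructed sample of IOS "debug radius" output, modelled on the thread's log
# (timestamps and request ids are made up; a normal login is included for contrast).
SAMPLE_LOG = """\
Sep 12 11:01:23.966: RADIUS: Authenticating using $enab15$
Sep 12 11:01:23.966: RADIUS(00000000): Send Access-Request to id 1645/26, len 88
Sep 12 11:01:23.966: RADIUS:  User-Name            [1]   10  "$enab15$"
Sep 12 11:01:23.966: RADIUS:  Service-Type         [6]   6   Administrative [6]
Sep 12 11:01:23.983: RADIUS: Received from id 1645/26, Access-Reject, len 32
Sep 12 11:02:05.101: RADIUS(00000001): Send Access-Request to id 1645/27, len 90
Sep 12 11:02:05.101: RADIUS:  User-Name            [1]   8   "jdoe"
Sep 12 11:02:05.101: RADIUS:  Service-Type         [6]   6   Login [1]
Sep 12 11:02:05.120: RADIUS: Received from id 1645/27, Access-Accept, len 40
"""

SEND_RE = re.compile(r"Send Access-Request to id ([^,\s]+)")
ATTR_RE = re.compile(r"RADIUS:\s+(User-Name|Service-Type)\s+\[\d+\]\s+\d+\s+(.*)")
RECV_RE = re.compile(r"Received from id ([^,\s]+), (Access-\w+)")
ENABLE_USER_RE = re.compile(r'^"?\$enab(\d+)\$"?$')  # IOS enable-auth user name


def parse_radius_debug(log: str) -> list:
    """Group debug-radius lines into one record per Access-Request id."""
    records, current = [], None
    for line in log.splitlines():
        if m := SEND_RE.search(line):
            current = {"id": m.group(1), "user": None, "service_type": None,
                       "result": None, "enable_level": None}
            records.append(current)
        elif current and (m := ATTR_RE.search(line)):
            key, value = m.groups()
            if key == "User-Name":
                current["user"] = value.strip('"')
                if lvl := ENABLE_USER_RE.match(value):   # $enab15$ -> level 15
                    current["enable_level"] = int(lvl.group(1))
            else:
                current["service_type"] = value.split()[0]  # "Administrative"
        elif m := RECV_RE.search(line):
            req_id, result = m.groups()
            for rec in records:                           # match reply to request id
                if rec["id"] == req_id and rec["result"] is None:
                    rec["result"] = result
    return records


def rejected_enable_requests(log: str) -> list:
    """Enable ($enab<level>$) requests the server rejected: the symptom in the thread."""
    return [r for r in parse_radius_debug(log)
            if r["enable_level"] is not None and r["result"] == "Access-Reject"]
```

A non-empty result from rejected_enable_requests while ordinary logins succeed points at the $enab15$ account being absent from the RADIUS backend rather than at a generic server or shared-secret problem.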

New Member

Re: AAA config for "enable" in switch vs firewall.


But since the PIX/ASA uses RADIUS and it works for those systems to use the "enable" command?

And I have not added the user "$enabl15" in the AD either.
