New Member

Logging to different modes

Hi,

Just learning AAA and I'm struggling with one thing. I've got a RADIUS server set up and switches/routers authenticate to it. Everything's working fine.

As a safety measure I've got a local account set up as well, just in case both RADIUS servers are down.

I was able to configure them to log on users directly to privileged mode, which is quite convenient. However, when I log on using the local account I'm in privileged mode as well.

Is there a way to configure a switch/router to log on users who authenticated through RADIUS server directly to enable mode, but if a user logs on using a local account it will be in exec mode and will have to enter a password to access privileged mode?

Here's my configuration:

aaa new-model
aaa authentication login default group radius local
aaa authentication enable default group radius enable
aaa authorization exec default group radius local
enable secret 5 <...>
username testlocal privilege 15 password 7 <...>

ip radius source-interface Vlan150
radius-server host 192.168.10.2 auth-port 1812 acct-port 1813 key 7 <...>
radius-server host 192.168.17.2 auth-port 1812 acct-port 1813 key 7 <...>
radius-server retransmit 3

Accepted Solutions
Cisco Employee

Re: Logging to different modes

Change:

username testlocal privilege 15 password 7 <...>

to read:

username testlocal password 7 <...>
New Member

Re: Logging to different modes

Hi Javier,

Thank you for the reply. I can't believe it was so easy to fix!

However in order to allow a local user to access 'enable mode' I had to remove this line as well:

aaa authentication enable default group radius enable

as there was no way I could authenticate. The switch was using '$ena15$' as a username to authenticate on RADIUS server.

There was the same problem if I logged on using my Active Directory account, entered 'disable' command and then tried to go back to privileged mode.

I figured that I would rather authenticate to enable mode locally.

Anyway it's all sorted now. Thank you again.

Cisco Employee

Re: Logging to different modes

> The switch was using '$ena15$' as a username to authenticate on RADIUS server.

That is the expected behavior with RADIUS.

With TACACS+, it will send the actual username.
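Putting the accepted answer and the follow-up together, here is the original AAA fragment from the post beside a corrected one (an added example, not configuration taken from the thread). The explicit `aaa authentication enable default enable` line is my assumption of the equivalent of removing the RADIUS enable method, and the `<...>` secrets are the post's own placeholders.

```text
! --- Original (from the post) ---
! Problems:
! 1. "privilege 15" on the fallback user means a locally authenticated
!    login lands in privileged EXEC without ever typing "enable".
! 2. Enable authentication goes to RADIUS first. A method list only falls
!    through to the next method on an ERROR (server unreachable), not on
!    a REJECT, so when RADIUS is up and rejects the synthetic enable
!    username, the local "enable" method is never consulted.
aaa new-model
aaa authentication login default group radius local
aaa authentication enable default group radius enable
aaa authorization exec default group radius local
enable secret 5 <...>
username testlocal privilege 15 password 7 <...>

! --- Corrected (added example) ---
! - RADIUS users still reach privilege 15 through exec authorization,
!   driven by the privilege level the RADIUS server returns.
! - The local fallback user has no "privilege 15", so it starts in user
!   EXEC (privilege 1) and must pass "enable".
! - Enable authentication checks only the local enable secret, so the
!   fallback account can reach privileged EXEC even when RADIUS is up.
aaa new-model
aaa authentication login default group radius local
aaa authentication enable default enable
aaa authorization exec default group radius local
enable secret 5 <...>
! "password 7" is reversibly encoded; "secret" stores a hash instead.
username testlocal secret <...>
```

Test the fallback path from a console session with both RADIUS servers deliberately unreachable, and keep a second session open while changing AAA lines so a mistake cannot lock you out.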
