Cisco Support Community
"ip radius source loop0" not working for enable?

Hi All,

We have recently upgraded one of our routers to version 12.2SR.

One of the problems we are facing is that RADIUS authentication is not working correctly for the enable part.

We are using loopback address as a source.

ip radius source-interface Loopback0

While for the user authentication the request from the router uses the loopback address, for the enable it is using the physical address! We tried to remove and re-add all the aaa commands, but same thing. This is not the case for the older version, i.e. 12.2SX.

Find below the aaa and RADIUS commands.

aaa new-model
aaa authentication login my_radius group radius local
aaa authentication enable default group radius enable
aaa session-id common
no cns aaa enable
ip radius source-interface Loopback0
radius-server host 1.1.1.1 auth-port 1812 acct-port 1813 key 7 xxxxxxxxxx

3 REPLIES

Re: "ip radius source loop0" not working for enable?

It is not a RADIUS source issue.

Enable authentication was actually designed to work with TACACS. On IOS devices, when we do "enable" authentication using the RADIUS protocol, the username sent to the RADIUS server (ACS) is not the one with which you logged in. It is "$enab15$"; if you check the failed logs, I am sure you'll see that username. In the case of RADIUS you would be required to create a user account with the username "$enab15$" and use the password for this account to be able to log into enable privilege mode.

Regards,

~JG

Do rate helpful posts


Re: "ip radius source loop0" not working for enable?

Hi JG,

We have already defined the "$enab15$" user. As I told you, the problem is that user authentication uses the loopback address as a source, while enable uses the local interface address. I can confirm this because we added the local address to the RADIUS server until we sort out the problem.

Re: "ip radius source loop0" not working for enable?

Hi,

It seems we are hitting this bug:

ip radius source-interface ignored during enable authentication

http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?caller=pluginredirector&method=fetchBugDetails&bugId=CSCsg01035

Regards,

~JG

Do rate helpful posts
