RSA Security Server w/ Radius and AAA authentication
I have RSA Security Server 5.0... with Radius enabled. I want to set up all my Cisco routers to prompt me for username and password for anyone who tries to telnet in or console in. Most of my routers are 2600 with IOS 12.2(8)T4.
I have been able to get it to prompt me for username/password at telnet and console, and it works with the RSA server, with the following config:
radius-server host 220.127.116.11 key cisco
aaa group server radius loginrad
aaa authentication login default group loginrad
When I try to set security check on enable it does not work. When I issue the command "enable" it just prompts me for password only, and not the username. When I input my PIN+(# from token), it sends $enab15$ as username and my password to RSA server.
I have two questions:
1. How do I configure my router or RSA server so it prompts me for username, or have the router or RSA server remember which user I have logged in as?
2. I also want to limit which users can go into "enable" mode. What I mean is I don't want all of my IT staff who have RSA SecurID tokens to be able to enter "enable" mode, but I want them to be able to telnet in and be able to do simple commands like ping, traceroute...
Re: RSA Security Server w/ Radius and AAA authentication
No. There is no way to have the NAS/router prompt for username and password for "enable" authentication. It will only prompt for password. The username is fixed, which is $enable15$ for enable authentication.
Since only the password is required to get access to enable mode, you can just make it private so that users can't get into enable mode. Or you can set privilege level commands to restrict access to certain commands only.
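To show what the RADIUS server actually receives for a login versus an "enable" request, here is an added example (not code from the thread or from Cisco/RSA) that builds and parses RFC 2865 Access-Request packets. It uses the shared key `cisco` from the posted config and the `$enab15$` username reported in the first post; the function names, the user `jsmith` and the passcode are constructed for illustration.

```python
import hashlib
import os
import struct

USER_NAME, USER_PASSWORD = 1, 2   # RFC 2865 attribute types
ENABLE_USER = "$enab15$"          # username the first post saw sent for "enable"

def _xor_chain(secret, authenticator, data, hiding):
    """RFC 2865 section 5.2 User-Password transform (hide or recover)."""
    out, prev = b"", authenticator
    for i in range(0, len(data), 16):
        block = data[i:i + 16]
        mask = hashlib.md5(secret + prev).digest()
        res = bytes(a ^ b for a, b in zip(block, mask))
        out += res
        prev = res if hiding else block   # always chain on the hidden block
    return out

def build_access_request(secret, ident, user, password):
    """Build an Access-Request as a NAS would (constructed sample input)."""
    auth = os.urandom(16)
    padded = password + b"\x00" * (-len(password) % 16)
    attrs = b""
    for typ, val in ((USER_NAME, user.encode()), (USER_PASSWORD, _xor_chain(secret, auth, padded, True))):
        attrs += struct.pack("!BB", typ, len(val) + 2) + val
    return struct.pack("!BBH", 1, ident, 20 + len(attrs)) + auth + attrs

def parse_access_request(secret, packet):
    """Return (username, password, is_enable) as the RADIUS server sees them."""
    if len(packet) < 20:
        raise ValueError("packet shorter than RADIUS header")
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != 1 or length != len(packet):
        raise ValueError("not a well-formed Access-Request")
    auth, pos, attrs = packet[4:20], 20, {}
    while pos < length:
        alen = packet[pos + 1] if pos + 2 <= length else 0
        if alen < 2 or pos + alen > length:
            raise ValueError("bad attribute length")
        attrs[packet[pos]] = packet[pos + 2:pos + alen]
        pos += alen
    user = attrs.get(USER_NAME, b"").decode(errors="replace")
    hidden = attrs.get(USER_PASSWORD, b"")
    if len(hidden) % 16:
        raise ValueError("User-Password is not a multiple of 16 bytes")
    password = _xor_chain(secret, auth, hidden, False).rstrip(b"\x00")
    return user, password, user == ENABLE_USER

if __name__ == "__main__":
    pkt = build_access_request(b"cisco", 1, ENABLE_USER, b"1234567890")
    print(parse_access_request(b"cisco", pkt))
```

The enable request carries only the fixed name and the entered passcode, so nothing in that packet tells the server which logged-in user typed "enable".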