Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

4507, RADIUS, console logs in but no enable

I have RADIUS configured and pointing to a Microsoft IAS server. SSH and HTTP works fine using RADIUS. When connecting to the 4507 via console, we can login with RADIUS credentials, but moves into unprivileged mode. When we go into enable mode, the password that we send is invalid. I know that the username being sent is "$enab15$" and that is not recognized by IAS.

I simply want to turn off RADIUS on the console authentication. Any help is appreciated!

See below for relevant config:

**************************

aaa new-model

aaa authentication attempts login 5

aaa authentication login default group radius local-case

aaa authentication enable default group radius enable

aaa authorization exec default group radius if-authenticated

aaa session-id common

ip http authentication aaa login-authentication default

!

radius-server host 192.168.0.147 auth-port 1645 acct-port 1646 key 7 blahblahblah

radius-server source-ports 1645-1646

radius-server timeout 20

!

line con 0

password 7 ohnoyoudont

stopbits 1

**************************

8 REPLIES

Re: 4507, RADIUS, console logs in but no enable

Astro,

Enable authentication was meant to fucntion with TACACS, and when used with RADIUS it does not perform the same. As a result, the only way for you to get enable authentication to work with RADIUS would be to input the username $enab15$ into your RADIUS server and every user would need to use that username.

So you need to set up a user $enab15$ in IAS server.

Regards,

~JG

Please rate helpful posts

New Member

Re: 4507, RADIUS, console logs in but no enable

That defeats the purpose of what I'm trying to do.

I'd like to remove RADIUS auth from the console port entirely. Any suggestions?

Re: 4507, RADIUS, console logs in but no enable

Need to set method list

aaa authentication login console local-case

line console 0

login authentication console

Regards,

~JG

New Member

Re: 4507, RADIUS, console logs in but no enable

Didn't try that, but setting the privilege level to 15 on the console port resolves my issue.

Any arguments for doing that?

Thanks for your responses...

Re: 4507, RADIUS, console logs in but no enable

That didn't bypass radius, and I guess you wanted that console login should not go to radius.

Regards,

~JG

New Member

Re: 4507, RADIUS, console logs in but no enable

Yeah, I'm still authenticating via RADIUS, with LOCAL being the backup, and I'm able to get into enable mode immediately.

Again, thanks for your responses...

Re: 4507, RADIUS, console logs in but no enable

Well your question and end result did not match at all.

You asked " I'd like to remove RADIUS auth from the console port entirely. Any suggestions?"

Radius is still in picture and it will fall back to local incase radius is not reachable.

Anyways glad to know your issue is fixed.

New Member

Re: 4507, RADIUS, console logs in but no enable

Alright, alright...you still got your "cookie" rating...

Thanks for your help...

1219
Views
3
Helpful
8
Replies