Router enable authentication via RADIUS

packet919 · ‎03-14-2002

Hello,

I have RADIUS authentication working for SSH logins on my routers, but I'd like to use RADIUS to authenticate for enable access, as well, so that I can have users who can do some advanced troubleshooting on my equipment without getting in too deep and messing things up. However, when I set this up with the following command:

aaa authentication enable default group radius

it simply asks for a password and then fails. I'm using the same setup, the same server, that works successfully for regular login authentication. I'm using Internet Authentication Service in Windows 2000 as my RADIUS server. Is there some RADIUS attribute I need to set? Is there some router command I'm missing? Is this completely the wrong command to use? Any help would be greatly appreciated.

halleuxm · ‎03-15-2002

Hello,

In fact, when you try to enter into enable mode, the router send the user $enab15$ (or something like that, i don't remember) and the password to the Radius.

But the Radius did not know this user, so it fails the attempt.

A solution is to add the attribute "Service-Type - Administrative" to the Radius (IAS). This cause the router to enter in enable mode immediately when you connect to the router.

So, if you want that some user connect in enable and other in read, just create two RAS Policies in the IAS, one with "Service-Type - Administrative" and the other with "Service-Type - Login".

Regards,

Marc.

ROBERT FARIA · ‎07-23-2002

Marc,

Do I need to configure the router with 'aaa authentication enable default group radius'. I add the attribute 'Service-Type Administrative' in the Advanced Profile but the same error. There is something more to try.

Thanks,

Robert.

gfullage · ‎07-23-2002

To have users come straight into enable mode, that is authorization. You need to add:

aaa authorization exec default group radius

then you should be good to go.