Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

Router enable authentication via RADIUS


I have RADIUS authentication working for SSH logins on my routers, but I'd like to use RADIUS to authenticate for enable access, as well, so that I can have users who can do some advanced troubleshooting on my equipment without getting in too deep and messing things up. However, when I set this up with the following command:

aaa authentication enable default group radius

it simply asks for a password and then fails. I'm using the same setup, the same server, that works successfully for regular login authentication. I'm using Internet Authentication Service in Windows 2000 as my RADIUS server. Is there some RADIUS attribute I need to set? Is there some router command I'm missing? Is this completely the wrong command to use? Any help would be greatly appreciated.

New Member

Re: Router enable authentication via RADIUS


In fact, when you try to enter into enable mode, the router send the user $enab15$ (or something like that, i don't remember) and the password to the Radius.

But the Radius did not know this user, so it fails the attempt.

A solution is to add the attribute "Service-Type - Administrative" to the Radius (IAS). This cause the router to enter in enable mode immediately when you connect to the router.

So, if you want that some user connect in enable and other in read, just create two RAS Policies in the IAS, one with "Service-Type - Administrative" and the other with "Service-Type - Login".



New Member

Re: Router enable authentication via RADIUS


Do I need to configure the router with 'aaa authentication enable default group radius'. I add the attribute 'Service-Type Administrative' in the Advanced Profile but the same error. There is something more to try.



Cisco Employee

Re: Router enable authentication via RADIUS

To have users come straight into enable mode, that is authorization. You need to add:

aaa authorization exec default group radius

then you should be good to go.

CreatePlease to create content