  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 1500

Configuring Enable on Cisco switches that authenticate via IAS RADIUS

I currently have my Cisco devices authenticating to an MS IAS RADIUS server for console authentication. However, I cannot get the enable command to use IAS for authentication.

I have set the policy in IAS to use the Cisco-AV-Pair set to "shell:priv-lvl=15".

I do not see anything in the IAS logs that the switch is even trying to authenticate when switching to enable mode.

I am sure I am missing something in the switch config, but I am not sure what.

Below is a copy of the config:


version 12.2
no service pad
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname N1-LAN01
!
enable secret ##################################
!
username Administrator  password ##############
aaa new-model
aaa authentication login default group radius local
aaa authorization exec default group radius local 
!
aaa session-id common
ip subnet-zero
ip routing
ip domain-name gc.corp
ip name-server 192.168.12.41
ip name-server 192.168.12.11
ip name-server 192.168.12.7
!
!
cluster commander-address 0014.6a6a.c600 member 3 name GC01_cluster vlan 1
!
!
no file verify auto
spanning-tree mode pvst
spanning-tree extend system-id
!
vlan internal allocation policy ascending
!
interface FastEthernet0/1
 switchport access vlan 2
 switchport mode access
!
.
.
.
.
 
interface FastEthernet0/48
 switchport access vlan 2
 switchport mode access
!
interface GigabitEthernet0/1
 switchport trunk encapsulation dot1q
 switchport mode trunk
!
interface GigabitEthernet0/2
 switchport trunk encapsulation dot1q
 switchport mode trunk
!
interface GigabitEthernet0/3
 switchport trunk encapsulation dot1q
 switchport mode trunk
!
interface GigabitEthernet0/4
 switchport trunk encapsulation dot1q
 switchport mode trunk
!
interface Vlan1
 ip address 192.168.20.241 255.255.255.0
!
interface Vlan2
 ip address 192.168.12.241 255.255.255.0
 ip helper-address 192.168.12.208
!
interface Vlan10
 ip address 192.168.10.2 255.255.255.0
 ip helper-address 192.168.12.208
!
ip classless
ip route 0.0.0.0 0.0.0.0 192.168.12.250
ip http server
ip http authentication local
!
snmp-server community ######## RO
radius-server host 192.168.12.171 auth-port 1645 acct-port 1646 key ###########################
radius-server source-ports 1645-1646
!
control-plane
!
!
line con 0
line vty 0 4
 login authentication Admin
line vty 5 15
!
!
end

Asked by KCJungk

1 Solution
leibinusa commented:
You should use "aaa authentication enable" for enable authentication.
Donboo commented:

aaa authentication enable default group radius enable
KCJungk (Author) commented:
That helps somewhat, but now I get the following error in IAS. It looks like the switch is passing the username "$enab15$" instead of my username.

User $enab15$ was denied access.
 Fully-Qualified-User-Name = GC\$enab15$
 NAS-IP-Address = 192.168.12.241
 NAS-Identifier = <not present>
 Called-Station-Identifier = <not present>
 Calling-Station-Identifier = 192.168.10.83
 Client-Friendly-Name = N1-LAN01
 Client-IP-Address = 192.168.12.241
 NAS-Port-Type = Virtual
 NAS-Port = 1
 Proxy-Policy-Name = Use Windows authentication for all users
 Authentication-Provider = Windows
 Authentication-Server = <undetermined>
 Policy-Name = <undetermined>
 Authentication-Type = PAP
 EAP-Type = <undetermined>
 Reason-Code = 16
 Reason = Authentication was not successful because an unknown user name or incorrect password was used.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
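As an added illustration (this is not code from the thread or from Cisco/Microsoft), here is a small Python parser for IAS text event records like the one posted above. It extracts the attribute fields and recognises the `$enab<level>$` pseudo-user that IOS substitutes when `aaa authentication enable ... group radius` sends an enable request, which is why the server sees no real operator name. The sample record is constructed from the posted event, the field names are the ones that appear in it, and the `assess` function and its output keys are my own naming.

```python
"""Parse Microsoft IAS text event records and flag Cisco IOS enable-mode
RADIUS requests, which carry the pseudo-user $enab<level>$ instead of the
operator's own username.  Added example; nothing here is from the thread."""
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample, modelled on the IAS event posted in the thread.
SAMPLE_EVENT = """User $enab15$ was denied access.
 Fully-Qualified-User-Name = GC\\$enab15$
 NAS-IP-Address = 192.168.12.241
 NAS-Identifier = <not present>
 Calling-Station-Identifier = 192.168.10.83
 Client-Friendly-Name = N1-LAN01
 Authentication-Type = PAP
 Reason-Code = 16
 Reason = Authentication was not successful because an unknown user name or incorrect password was used.
"""

# IOS sends $enab<level>$ as the RADIUS User-Name for an enable request,
# where <level> is the privilege level being requested (15 for 'enable').
ENABLE_USER_RE = re.compile(r"^\$enab(\d{1,2})\$$")
# " Attribute-Name = value" lines that follow the first line of the event.
FIELD_RE = re.compile(r"^\s*([\w-]+)\s*=\s*(.*?)\s*$")
HEADER_RE = re.compile(r"^User (.+?) was (granted|denied) access\.$")


@dataclass
class IasEvent:
    user: str          # User-Name as shown on the first line
    fields: dict       # attribute name -> value
    denied: bool       # True for "was denied access"


def parse_ias_event(text: str) -> IasEvent:
    """Split one IAS event record into its header and attribute fields."""
    lines = text.strip().splitlines()
    m = HEADER_RE.match(lines[0])
    if not m:
        raise ValueError("not an IAS access event: %r" % lines[0])
    fields = {}
    for line in lines[1:]:
        fm = FIELD_RE.match(line)
        if fm:
            fields[fm.group(1)] = fm.group(2)
    return IasEvent(user=m.group(1), fields=fields, denied=(m.group(2) == "denied"))


def enable_level(event: IasEvent) -> Optional[int]:
    """Return the requested privilege level if this is an IOS enable request, else None."""
    fqun = event.fields.get("Fully-Qualified-User-Name", event.user)
    bare = fqun.rsplit("\\", 1)[-1]        # drop a Windows domain prefix such as GC\
    m = ENABLE_USER_RE.match(bare)
    return int(m.group(1)) if m else None


def assess(event: IasEvent) -> dict:
    """Summarise an event and, for a rejected enable request, explain what the server saw."""
    level = enable_level(event)
    reason = event.fields.get("Reason-Code")
    out = {
        "nas": event.fields.get("NAS-IP-Address"),
        "nas_name": event.fields.get("Client-Friendly-Name"),
        "operator_ip": event.fields.get("Calling-Station-Identifier"),
        "enable_level": level,
        "denied": event.denied,
        "reason_code": int(reason) if reason is not None else None,
        "finding": None,
    }
    # Reason-Code 16 is the "unknown user name or incorrect password" rejection
    # shown in the posted event: IAS has no account named $enab<level>$, and the
    # request does not identify which operator typed 'enable'.
    if level is not None and event.denied and out["reason_code"] == 16:
        out["finding"] = (
            "enable request for privilege %d sent as pseudo-user $enab%d$; the RADIUS "
            "server has no such account and the operator identity is not in the request"
            % (level, level)
        )
    return out


if __name__ == "__main__":
    ev = parse_ias_event(SAMPLE_EVENT)
    for k, v in assess(ev).items():
        print("%-13s %s" % (k + ":", v))
```

Run over the constructed record, `assess` reports the NAS (192.168.12.241 / N1-LAN01), the operator's source address (192.168.10.83), privilege level 15 and the finding that the server was asked to authenticate `$enab15$` rather than the person at the console, which is the behaviour the author's last comment describes.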
KCJungk (Author) commented:
Just researched this a bit further and found that the RADIUS authentication method does not support individual users.

Looks like I am going to have to build a TACACS+ server.