Cisco ASA RADIUS Authentication for Enable Mode?

First Last asked
Last Modified: 2012-06-27
I was able to get access via SSH to my ASA via Radius authentication but can't get into enable mode. It is prompting me for a password and telling me the password is wrong. How do I get it to grant me access without prompting for a password a second time?

My Setup:

ASA#  sh run | include aaa
aaa-server RADIUS protocol radius
aaa-server RADIUS (inside) host 100.135.208.8
aaa authentication match FIOS_authentication FIOS DC
aaa authentication http console RADIUS LOCAL
aaa authentication ssh console RADIUS LOCAL
aaa authentication telnet console RADIUS LOCAL
aaa local authentication attempts max-fail 10


My failure:



login as: bgates
mthomas@172.200.21.10's password:
This is a private network.
Access beyond this point is for authorized personell only.
Unauthorized access will be prosecuted to the full extent of the law.
We thank you for respecting our privacy.
Type help or '?' for a list of available commands.
ASA> en
Password: **********
Invalid password
Password:

Soulja (Sr.Net.Eng)
CERTIFIED EXPERT
Top Expert 2011

Commented:
Does the RADIUS account have the privileges for enable mode?

Author

Commented:
Soulja -

Yes, the RADIUS account has the privileges for enable mode. I just got it to work, but now what would I do if I don't want to be prompted for the password when entering privileged enable mode?

Soulja (Sr.Net.Eng)

Commented:
Did you change anything in the config or were you putting in the wrong password?

Author

Commented:
What I've noticed is that if I uncheck the enable box under "require authentication to allow use of privileged mode commands", I'm still prompted for a password, but it now accepts a blank password and then takes me to privileged mode. This is much better than typing the password twice, but do you know how to remove the password prompt altogether?


login as: bgates
bgates@17.202.21.10's password:
This is a private network.
Access beyond this point is for authorized personell only.
Unauthorized access will be prosecuted to the full extent of the law.
We thank you for respecting our privacy.
Type help or '?' for a list of available commands.
ASA> en
Password:
ASA#

Untitled.jpg

Author

Commented:
Soulja - I didn't change anything in the config. All I noticed is that I didn't have the box in the image above checked, so I tried a blank password for privileged mode and it let me in! Now I'd like to just remove the prompt.

Commented:
Type login.
You will be prompted for the credentials again.
Enable does not get authenticated via RADIUS.
Soulja (Sr.Net.Eng)

Commented:
Can you post a picture of your authorization tab?
Soulja (Sr.Net.Eng)

Commented:
Can you check enable under Perform Authorization for Exec Shell Access? Let me know if that helps.

Author

Commented:
Soulja

I enabled Perform Authorization for Exec Shell Access. The login experience was the same. It accepted my RADIUS username and password, then when logging into privileged mode it accepted a blank password. This is good enough for me. I do thank you very much.

Author

Commented:
Thank you.
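
An added example, not part of the thread or of any poster's configuration: a small audit of the `aaa` lines posted in the question, reporting which console access types have an AAA method list and flagging the missing one for `enable`. The `aaa authentication enable console` command it looks for is standard ASA syntax but does not appear in the thread; `audit_aaa` and `SAMPLE` are names made up for this sketch.

```python
import re

# Constructed sample: the aaa lines from the question's `sh run | include aaa`.
SAMPLE = """\
aaa-server RADIUS protocol radius
aaa-server RADIUS (inside) host 100.135.208.8
aaa authentication match FIOS_authentication FIOS DC
aaa authentication http console RADIUS LOCAL
aaa authentication ssh console RADIUS LOCAL
aaa authentication telnet console RADIUS LOCAL
aaa local authentication attempts max-fail 10
"""

SERVER_RE = re.compile(r"^aaa-server (\S+) protocol (\S+)$")
CONSOLE_RE = re.compile(r"^aaa authentication (\S+) console (.+)$")


def audit_aaa(config_text):
    """Return (console_methods, findings) for ASA 'aaa' configuration lines."""
    groups = {}    # server group tag -> protocol
    consoles = {}  # access type (ssh, http, enable, ...) -> ordered method list
    for raw in config_text.splitlines():
        line = " ".join(raw.split())  # normalise whitespace
        if m := SERVER_RE.match(line):
            groups[m.group(1)] = m.group(2)
        elif m := CONSOLE_RE.match(line):
            consoles[m.group(1)] = m.group(2).split()

    findings = []
    for access, methods in sorted(consoles.items()):
        for tag in methods:
            if tag != "LOCAL" and tag not in groups:
                findings.append(f"{access}: server group {tag} is not defined")

    # Logins go to an AAA server, but 'enable' has no method list of its own:
    # the enable prompt is then checked against the local enable password.
    remote_login = any(a != "enable" and m != ["LOCAL"] for a, m in consoles.items())
    if remote_login and "enable" not in consoles:
        findings.append("enable: no 'aaa authentication enable console' line, "
                        "so enable is checked against the local enable password")
    return consoles, findings


if __name__ == "__main__":
    methods, issues = audit_aaa(SAMPLE)
    for access, order in sorted(methods.items()):
        print(f"{access:7s} -> {' then '.join(order)}")
    for issue in issues:
        print("FINDING", issue)
```

A blank local enable password behind RADIUS-authenticated logins, as described in the thread, is the condition the `enable` finding points at.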