> From: "martoQ" <[EMAIL PROTECTED]>
> 
> Does anyone know or perhaps have successfully configured FreeRadius 
> to authenticate a Cisco enable password challenge?  I think it might 
> be a tacacs only feature but am uncertain.  Any help is greatly 
> appreciated. 

From my experience with trying to get Ciscos to do this, I don't
believe that Radius authentication is designed to work that way
on the Ciscos.....  The way Ciscos are designed to work with Radius
is to fully authenticate the user the first time they log in and to
place them at the enable (#) prompt to start with.  Having said
that, here are some tidbits that I have working (or had working
at one point in time):

For the cisco catalyst switches (the 6509 in particular), you can
use the enable password if you want...  Use an entry like the following
in the users file:

"$enab15$"      Auth-Type := Local, Password == "myenablepassword"

For a more typical(?) cisco router (e.g. 2514, 1600, 2621), I use the
following entry in the users file:

# Service-Type 6 is Administrative-User; shell:priv-lvl=15 lands the user at the enable prompt
DEFAULT         Auth-Type := System
                Cisco-AVPair = "shell:priv-lvl=15",
                Service-Type = 6

So when a user logs into a cisco, once they authenticate, they're
already in enable mode, without having to do a second level of
authentication/authorization.  This works on the catalyst switch as
well.

On our cisco 2514, here are the relevant entries from a "show run"
command:

  aaa new-model
  aaa authentication login default radius local enable
  aaa authorization exec default radius local
  radius-server host 1.2.3.4 auth-port 1812 acct-port 1813
  radius-server host 2.3.4.5 auth-port 1812 acct-port 1813
  radius-server key notlikely

Note1: I use a non-system "password" file for radius, which only
   has entries for people authorized to administer our cisco routers.

Note2: this information is available on cisco's web site, but it
  took me a while to dig through it to find the pieces that I needed
  in order to convert from tacacs authentication to radius.

Note3: depending on the cisco IOS version that you are using, the above
  lines from the "show run" command may vary.  The variations are
  documented on Cisco's web site.

        - Dan

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
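Added example (not part of Dan's message or of the FreeRADIUS project): a
small RFC 2865 PAP client, in Python, that sends the Access-Request a Cisco
would send for a login (or for the "$enab15$" enable user) and checks that
the reply carries Service-Type = Administrative-User (6) and the
Cisco-AVPair "shell:priv-lvl=15" from the users file above. It is the kind
of check you would run against the FreeRADIUS box before changing the
router's aaa lines. The server address 1.2.3.4 and the key "notlikely" are
reused from the show run purely as placeholders, and "dan" / the passwords
are constructed test values; the build_access_accept helper exists only so
the client can be exercised offline.

```python
"""Minimal RADIUS (RFC 2865) PAP test client for checking Cisco
authorization attributes returned by FreeRADIUS. Added example; all
hosts, user names, passwords and the secret are placeholders."""
import hashlib
import hmac
import os
import socket
import struct

ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_SERVICE_TYPE, ATTR_VSA = 1, 2, 6, 26
VENDOR_CISCO, CISCO_AVPAIR = 9, 1   # Vendor-Id 9; Cisco-AVPair is vendor type 1
ADMINISTRATIVE_USER = 6             # the "Service-Type = 6" reply item

def hide_password(password, secret, authenticator):
    """RFC 2865 s5.2: pad to 16-byte blocks, XOR each with MD5(secret + previous block)."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out += prev
    return out

def reveal_password(hidden, secret, authenticator):
    """Server side of the same transform; the chain feeds on the ciphertext blocks."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], key))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")

def attr(kind, value):
    """Type, length (including the 2-byte header), value."""
    return struct.pack("!BB", kind, len(value) + 2) + value

def cisco_avpair(value):
    """Vendor-Specific(26) -> Vendor-Id 9 -> (type 1, length, string)."""
    return attr(ATTR_VSA, struct.pack("!I", VENDOR_CISCO) + attr(CISCO_AVPAIR, value))

def parse_attrs(data):
    out, i = [], 0
    while i + 2 <= len(data):
        kind, length = data[i], data[i + 1]
        if length < 2 or i + length > len(data):
            raise ValueError("malformed attribute")
        out.append((kind, data[i + 2:i + length]))
        i += length
    return out

def build_access_request(ident, username, password, secret, authenticator=None):
    authenticator = authenticator or os.urandom(16)   # Request Authenticator
    attrs = attr(ATTR_USER_NAME, username.encode()) + \
        attr(ATTR_USER_PASSWORD, hide_password(password.encode(), secret, authenticator))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + authenticator + attrs

def build_access_accept(request, secret, attrs):
    """What the server would send back; used here only to exercise the client offline."""
    header = struct.pack("!BBH", ACCESS_ACCEPT, request[1], 20 + len(attrs))
    resp_auth = hashlib.md5(header + request[4:20] + attrs + secret).digest()
    return header + resp_auth + attrs

def check_response(pkt, request, secret):
    """Verify the Response Authenticator (RFC 2865 s3), then pull out what the Cisco acts on."""
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if length != len(pkt) or length < 20 or ident != request[1]:
        raise ValueError("length or identifier mismatch")
    expected = hashlib.md5(pkt[:4] + request[4:20] + pkt[20:] + secret).digest()
    if not hmac.compare_digest(expected, pkt[4:20]):
        raise ValueError("bad Response Authenticator: wrong secret or forged reply")
    result = {"code": code, "service_type": None, "avpairs": []}
    for kind, value in parse_attrs(pkt[20:]):
        if kind == ATTR_SERVICE_TYPE and len(value) == 4:
            result["service_type"] = struct.unpack("!I", value)[0]
        elif kind == ATTR_VSA and len(value) > 4 and struct.unpack("!I", value[:4])[0] == VENDOR_CISCO:
            result["avpairs"] += [v.decode() for k, v in parse_attrs(value[4:]) if k == CISCO_AVPAIR]
    return result

def privilege_level(result):
    """15 means the user lands at the enable prompt; None means no priv-lvl was returned."""
    for pair in result["avpairs"]:
        if pair.startswith("shell:priv-lvl="):
            return int(pair.split("=", 1)[1])
    return None

def probe(server, secret, username, password, port=1812, timeout=3.0):
    """Send one Access-Request over UDP and return the verified, decoded reply."""
    request = build_access_request(os.urandom(1)[0], username, password, secret)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(request, (server, port))
        reply, _ = sock.recvfrom(4096)
    return check_response(reply, request, secret)

if __name__ == "__main__":
    # Placeholder host and key taken from the show run in the post; "dan" is a made-up user.
    print(probe("1.2.3.4", b"notlikely", "dan", "example-password"))
```

Two things the code makes visible that the users file does not: the
Response Authenticator is the only thing tying the Access-Accept to the
request, so a client that skips that MD5 check accepts any reply; and
User-Password is merely XORed with MD5(secret || Request Authenticator), so
whoever captures one exchange and knows or guesses the radius-server key
recovers the login or enable password outright. A dictionary word like
"notlikely" is a poor key for that reason.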
