I finally got AAA Authentication working between my switches and my IAS server, but after I use RADIUS to authenticate, I still have to use the same enable password to allow users into enable mode. Is there anyway in AAA to link the enable and secret passwords to RADIUS authentication as well?
Tek-Tips is the largest IT community on the Internet today!
Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!
-
Congratulations Chriss Miller on being selected by the Tek-Tips community for having the most helpful posts in the forums last week. Way to Go!
AAA Authentication with Microsoft IAS and Cisco IOS 1
- Thread starter Antelope
- Start date
- Thread starter
- #3
When I added that command, I have to enter this for it to authenticate:
$enabl15%
So I added this user $enabl15$ with a blank password to my radius server and it worked.
I would have thought it would have wanted the password of the radius user I originally authenticated with????
$enabl15%
So I added this user $enabl15$ with a blank password to my radius server and it worked.
I would have thought it would have wanted the password of the radius user I originally authenticated with????
-
1
- #4
This is due to the RADIUS request that is sent when you enter enable - what IOS does is send the username $enab15$, hence why you need to add this user to Windows 2000. With TACACS+ you can have both a password and an enable password as part of your 'profile'(?), this isn't there with Radius unfortunately. Even if you use CiscoSecure ACS as the RADIUS Server (and not TACACS+) IOS sends the $enab15$ username when you attempt to enter enable mode.
What you can do is have different password for each of the possible enable levels - i.e. type 'enable 14' and IOS will send the username $enab14$ etc, that way you can give the level 15 enable password to some users and lower privileges to others.
I agree it's not ideal as a disabled user can just login with username $enab15$ etc (if they are smart enough and can see the hole....). The best thing is to have a strict password policy and change the passwords frequently.
Have you set up any logging? I was looking at logging to SQL (or at least to the MSDE2000 engine) but gave up after a while.
Thanks
Andy
What you can do is have different password for each of the possible enable levels - i.e. type 'enable 14' and IOS will send the username $enab14$ etc, that way you can give the level 15 enable password to some users and lower privileges to others.
I agree it's not ideal as a disabled user can just login with username $enab15$ etc (if they are smart enough and can see the hole....). The best thing is to have a strict password policy and change the passwords frequently.
Have you set up any logging? I was looking at logging to SQL (or at least to the MSDE2000 engine) but gave up after a while.
Thanks
Andy
- Thread starter
- #5
Haven't touched the accounting and logging yet, wanted to get the Authentication down first. Question about TACACS+......would you say this is better than using RADIUS? I thought it was not as secure? Also, is there a free TACACS+ server option out there?
TACACS+ is more secure than RADIUS as the whole packet is encrypted, whereas with RADIUS only the passwords are hashed against the key. It is better as it is much more flexible than IAS; you can link your user accounts into Windows AD so your logon passwords are held in AD and the enable password is held in ACS. You can also link it into LDAP databases, Netware etc.
There are quite a few free TACACS+ servers but they are generally UNIX/LINUX - I even think there is free to download UNIX source code on CCO.
Andy
There are quite a few free TACACS+ servers but they are generally UNIX/LINUX - I even think there is free to download UNIX source code on CCO.
Andy
- Status
Similar threads
- Locked
- Question