
Radius configuration


n00blar (MIS, US), Aug 19, 2003
I have Radius authentication working nicely on my 3700 router.
I need to find out if I can use my Windows password when I want to go in 'enable' mode in the router.
Up until this point I have to remember my 'enable' password in order to make router configuration, but I'd like to use my Windows domain password instead.
I've done this on my PIX, but I don't know if this can be done on a router.

Thanks.
 
Ok, here's what I've found so far.

This can't be done with a RADIUS server.

You need to have a TACACS+ server or something like Cisco's ACS to get the kind of functionality that I'm looking for.
 
The problem with using Radius is you can't assign an 'Enable' password to each user. There are 2 workarounds though.

1. When you attempt to change the privilege level (enable) the router (or IOS device) sends a new user authentication request to the Radius server for the user account '$enabXX$' where 'XX' is the privilege level requested. So if you just logged in with your regular Windows user and then typed 'enable' the router would send an authentication request for user '$enab15$' to the Radius server. You can simply add this user to Active Directory/Windows and make sure it has the relevant privileges. There is a slight security issue here in that you can actually just log in directly to the router using the username '$enab15$'. So if you have users who know the enable password they can log in without using their own user account.

2. The other option is to use Radius attributes and send a Cisco AV Pair with a privilege level. I assume you are using Microsoft IAS; if so, for the Remote Access Policy properties edit the Profile and in the advanced section add a 'Cisco-AV-Pair'. The attribute to set the privilege level to 15 is 'shell:priv-lvl=15'. Simply add that as the attribute value. When a user logs in they are automatically given level 15 privilege. If you want users to have different privilege levels then you need to mess about with Windows groups and have multiple IAS policies, each policy with a different privilege level set via the Cisco AV Pair.

HTH

Andy
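Added example (not part of this thread, and not code from Cisco or Microsoft IAS): to see what Andy's two workarounds actually put on the wire, the Python below builds the Cisco-AV-Pair 'shell:priv-lvl=15' as a RADIUS Vendor-Specific attribute (type 26, Cisco vendor id 9, vendor-type 1, per RFC 2865 section 5.26), parses it back out of an Access-Accept the way the router would, and maps a privilege level to and from the '$enabXX$' pseudo-username of workaround 1. All function names are my own, the sample bytes are constructed inline, and the 'router side' is only a parser, not an IOS implementation.

```python
"""Hypothetical helpers for the Cisco-AV-Pair / $enabXX$ mechanisms discussed above.
Constants are the well-known RADIUS/Cisco values; everything else is illustrative."""
import re
import struct
from typing import Iterator, List, Optional, Tuple

RADIUS_ATTR_VENDOR_SPECIFIC = 26  # RFC 2865 section 5.26 (Vendor-Specific)
CISCO_VENDOR_ID = 9               # IANA enterprise number for Cisco
CISCO_AVPAIR_VENDOR_TYPE = 1      # Cisco vendor sub-attribute "cisco-avpair"

ENABLE_USER_RE = re.compile(r"^\$enab(\d{1,2})\$$")


def build_cisco_avpair(avpair: str) -> bytes:
    """Encode one Cisco-AV-Pair (e.g. 'shell:priv-lvl=15') as a RADIUS VSA.
    Layout: Type=26 | Length | Vendor-Id(4) | Vendor-Type | Vendor-Length | string."""
    payload = avpair.encode("ascii")
    vendor_data = struct.pack("!BB", CISCO_AVPAIR_VENDOR_TYPE, 2 + len(payload)) + payload
    value = struct.pack("!I", CISCO_VENDOR_ID) + vendor_data
    return struct.pack("!BB", RADIUS_ATTR_VENDOR_SPECIFIC, 2 + len(value)) + value


def iter_attributes(data: bytes) -> Iterator[Tuple[int, bytes]]:
    """Walk a run of RADIUS TLV attributes, yielding (type, value).
    Stops on a truncated or undersized length rather than reading past the buffer."""
    i = 0
    while i + 2 <= len(data):
        atype, alen = data[i], data[i + 1]
        if alen < 2 or i + alen > len(data):
            break
        yield atype, data[i + 2 : i + alen]
        i += alen


def cisco_avpairs(attrs: bytes) -> List[str]:
    """Extract every Cisco-AV-Pair string from the attribute section of a RADIUS packet."""
    found = []
    for atype, value in iter_attributes(attrs):
        if atype != RADIUS_ATTR_VENDOR_SPECIFIC or len(value) < 6:
            continue
        if struct.unpack("!I", value[:4])[0] != CISCO_VENDOR_ID:
            continue
        # A single VSA may carry several vendor sub-attributes; walk them the same way.
        for vtype, vvalue in iter_attributes(value[4:]):
            if vtype == CISCO_AVPAIR_VENDOR_TYPE:
                found.append(vvalue.decode("ascii", errors="replace"))
    return found


def privilege_level(attrs: bytes, default: int = 1) -> int:
    """Privilege level granted by 'shell:priv-lvl=N' (0-15), else the default user-EXEC level 1.
    Out-of-range or malformed values are ignored so a bad attribute never elevates a session."""
    for pair in cisco_avpairs(attrs):
        m = re.fullmatch(r"shell:priv-lvl=(\d{1,2})", pair)
        if m and 0 <= int(m.group(1)) <= 15:
            return int(m.group(1))
    return default


def enable_pseudo_username(level: int) -> str:
    """Username IOS sends to RADIUS when a user types 'enable' for the given level (workaround 1)."""
    if not 0 <= level <= 15:
        raise ValueError("IOS privilege levels are 0-15")
    return f"$enab{level}$"


def enable_level_from_username(username: str) -> Optional[int]:
    """Inverse of enable_pseudo_username; None for ordinary usernames.
    Useful on the server side for auditing which requests are enable requests by name."""
    m = ENABLE_USER_RE.match(username)
    if not m or int(m.group(1)) > 15:
        return None
    return int(m.group(1))


if __name__ == "__main__":
    # Constructed Access-Accept attribute section: just the one VSA IAS would send.
    accept_attrs = build_cisco_avpair("shell:priv-lvl=15")
    print(accept_attrs.hex())
    print("granted level:", privilege_level(accept_attrs))
    print("enable request username for level 15:", enable_pseudo_username(15))
```

Note the point Andy raises about workaround 1: the username alone does not tell the server whether '$enab15$' arrived from an 'enable' prompt or from a direct login, which is why enable_level_from_username is an audit aid, not an access control.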
 