IOS user authentication when entering enable mode

Post by MayaSh.. » Tue, 07 Mar 2006 15:17:54



Hi,

I have a Cisco IOS router running version 12.4 and I want users who connect
to the router remotely to be asked for both a username and a password when
entering enable mode. Usually, when the user tries to enter enable mode,
only the enable password is requested, not a username, and I would like
enable mode to request both a username and a password.
I am trying to do that based on LOCAL authentication (i.e. the
username commands) and not a RADIUS or TACACS server.

Does anyone know how to do that? I remember I managed to set it up once
before, but have had no success now.

Thanks,
Maya



Post by ciscodag.. » Wed, 08 Mar 2006 07:56:35


This does not seem to be possible in recent releases, because the enable
authentication method lists do not allow "local" authentication as
an option.

R1(config)#aaa authentication enable ?
  default  The default authentication list.

R1(config)#aaa authentication enable de
R1(config)#aaa authentication enable default ?
  enable  Use enable password for authentication.
  group   Use Server-group
  line    Use line password for authentication.
  none    NO authentication.

Looking for "local" specified as the enable mode authentication method
does yield some hits on CCO, and some older releases seem to have
supported this. It seems that Cisco removed this support for some
(security?) reason. The "aaa authentication local-override" command is also
deprecated, but I could find no explanation for the reason. That may
possibly have been helpful here.

Cisco da Gama
http://ciscostudy.blogspot.com



Post by Charlie Roo » Thu, 09 Mar 2006 19:10:02



Quote:> This does not seem to be possible in recent releases because the enable
> authentication method lists do not allow for  "local" authentication as
> an option.

I believe this was never possible. Even when authenticating against TACACS
or RADIUS, the router will prompt only for a password and use the predefined name
$enab15$ when querying the AAA server. The only time you get prompted for a
username and password is when you connect via the console (not via telnet) and
then request enable mode. What is possible is to assign privilege level 15
to a locally defined user. Then the user will get enable mode whenever he or she
logs in.

Quote:> Looking for "local" specified for the enable mode authentication method
> does yield some hits on CCO and some older releases seem to have
> supported this.  It seems that Cisco removed this support for some
> (security?) reason.  The "aaa authentication local-override"  is also
> deprecated but I could find no explanations for the reason.  That may
> have possibly been helpful here.

local-override functionality is now achieved by specifying 'local' before
'group ...'. If you do so, the router will first try to authenticate against the
local database; if the name matches but the password does not, access will be denied. If,
however, the user doesn't exist in the local database, then the router will contact the
AAA server. But again, this won't prompt for a username when entering enable
mode unless done from the console.

Kind regards,
iLya
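A configuration sketch of the workaround iLya describes, added here as an example and not posted by anyone in the thread: local users carrying privilege 15 so that they land in enable mode at login, with the enable method list left as "enable" (there is no "local" keyword for it) and "local" placed before "group" on the login list as the replacement for local-override. Hostnames, usernames, secrets and the TACACS+ group are placeholders, the TACACS+ server is assumed to be defined elsewhere, and the `aaa authorization exec default local` line is my assumption about what makes the username's privilege level apply to a vty session under AAA.

```cisco
! Added example, not from the thread. Placeholder names and secrets throughout.
aaa new-model
!
! Login: local database first; a locally unknown user falls through to the
! TACACS+ group (the replacement for the deprecated local-override). A local
! user with a wrong password is rejected without contacting the server.
aaa authentication login default local group tacacs+
!
! Enable: no "local" option exists here, so a remote "enable" still prompts
! only for the enable secret.
aaa authentication enable default enable
!
! Assumption: under AAA, exec authorization against the local database is
! what makes the privilege level on the username line take effect on a vty.
aaa authorization exec default local
!
! "secret" stores a hash; "password" would store a reversible type 7 string.
enable secret <enable-secret>
!
! netadmin lands directly in privileged EXEC; helpdesk still has to "enable".
username netadmin privilege 15 secret <admin-secret>
username helpdesk privilege 1 secret <helpdesk-secret>
!
line vty 0 4
 transport input ssh
 login authentication default
```

With this in place, the username and password are still collected at the login prompt rather than at "enable"; what changes is that a privilege-15 user never has to type "enable" at all, and an unprivileged user who does is asked only for the enable secret, exactly as the thread describes.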



Post by MayaSh.. » Tue, 14 Mar 2006 16:07:34


Thanks for the replies.
However, I am confident I configured the router like this in the past,
possibly with version 12.2 or 12.3.
Regarding the command "aaa authentication enable", I also looked at it
and did not find the option to do it with the parameter "LOCAL"; however,
in earlier releases I did not see that it was possible either, so maybe there
was another way to do it.

Maya