Testing integration of Cisco switches with PrivacyIDEA. So far, initial authentication to the switch works using `server-private <SERVERIP> auth-port 1812 acct-port 1813`, but when issuing the `enable` command, an access denied message appears. On the PrivacyIDEA server, I have an auth policy set up with `passthru=userstore`. Anybody have experience configuring switch admin access with PrivacyIDEA?
Figured out the issue. When using RADIUS authentication and a user issues the `enable` command, a Cisco device sends a generic user named `$enab15$` in the authentication request… insanity.

To get this to work, either create a user with that name and assign a token to this user, or configure an authentication policy with a condition that targets the generic user, setting `passOnNoUser` to `true`.
There’s actually a bit more work I had to do to get this working specifically and securely while allowing only user store credentials until we enforce MFA on these admins.
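For readers who want to see where the `$enab15$` request comes from, here is an added Cisco IOS AAA example (not the poster's configuration) that sends both login and enable authentication to a privacyIDEA RADIUS listener; `PRIVACYIDEA`, `<SERVERIP>`, `<SHARED_SECRET>` and `<LOCAL_ENABLE_SECRET>` are placeholders.

```cisco
! Added example, not the original poster's running config.
aaa new-model
!
! RADIUS server group pointing at privacyIDEA (same ports as in the thread).
aaa group server radius PRIVACYIDEA
 server-private <SERVERIP> auth-port 1812 acct-port 1813 key <SHARED_SECRET>
!
! Login: the real username plus OTP/password is forwarded to privacyIDEA.
aaa authentication login default group PRIVACYIDEA local
!
! Enable: IOS does NOT reuse the logged-in username here. It sends the fixed
! username $enab15$ (15 = requested privilege level) together with whatever
! was typed at the "Password:" prompt, so privacyIDEA must be able to answer
! for that user: either a real $enab15$ user with a token, or an
! authentication policy whose user condition is exactly $enab15$.
! The trailing "enable" keyword falls back to the local enable secret only
! when the RADIUS group is unreachable, not when it rejects the request.
aaa authentication enable default group PRIVACYIDEA enable
!
enable secret <LOCAL_ENABLE_SECRET>
!
line vty 0 4
 login authentication default
 transport input ssh
```

With the poster's second option, `passOnNoUser` accepts the `$enab15$` request because the user is unknown, not because the submitted enable secret was checked against anything in privacyIDEA, so keep that policy scoped to exactly that username and prefer the first option (a `$enab15$` user with a token) once MFA is enforced for admins.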
Great that you figured this out and share the answer!