05-21-2021 10:48 AM
Hi All,
I'm working with a client who recently let go of their network engineer and hired our company to help with managing their network. It appears that the enable password they were given by the engineer as he left is not the actual enable password, which leaves us in a bit of a situation.
Typically, I would just say let's go and reboot the switches and do a password reset, but there are a lot of switches and they're spread out across the country, meaning it's going to be a slog.
They've got a AAA setup in the configuration. I was curious as to whether a user could be somehow elevated on the RADIUS side so that when they logged in, they were already in enable mode.
Just wanted to get thoughts on the subject and see if I'm just delaying the inevitable or if it's feasible.
Cheers
-J
05-21-2021 02:26 PM
Hi - Please share the aaa config from the ICX.
show run | inc aaa
Let us see if there is a way.
Thanks
Vu
05-21-2021 03:07 PM
If you have these two statements in the config, then we should be able to log in to the enable mode with a RADIUS account:
SSH@ICX7150-C12-SW1(config)#show run | inc aaa
aaa authentication enable default radius local
aaa authentication login default radius local
Thanks,
Vu
05-21-2021 03:10 PM
Hmm...it looks like that isn't the case (at least on the random sample that I've taken)
aaa authentication login default local radius
is the only configuration for AAA
05-23-2021 03:52 AM
Hi Joel,
The authentication order set is local followed by radius. You can find more info on authentication order in the below link.
If the problem persists, please open a support case so that our team can review the config and make the necessary changes.
Thanks
Jijo
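Added example, not part of the original thread or vendor code: with many switches to check, a short script can read each switch's saved `show run | inc aaa` output and flag the ones that lack the two statements Vu lists, or that do not try radius first. The hostnames and the third sample are constructed, and the finding labels are hypothetical names.

```python
import re

# Constructed samples keyed by made-up hostnames. sw-a and sw-b reuse the
# lines quoted in the thread; sw-c is invented for illustration.
SAMPLES = {
    "sw-a": "SSH@ICX7150-C12-SW1(config)#show run | inc aaa\n"
            "aaa authentication enable default radius local\n"
            "aaa authentication login default radius local\n",
    "sw-b": "aaa authentication login default local radius\n",
    "sw-c": "aaa authentication enable default local\n"
            "aaa authentication login default radius local\n",
}

AAA_LINE = re.compile(r"\s*aaa authentication (login|enable) default\s+(.+)")

def parse_aaa(text):
    """Return {'login': [...], 'enable': [...]} for the method lists present."""
    lists = {}
    for line in text.splitlines():
        m = AAA_LINE.fullmatch(line.rstrip())
        if m:  # prompt/echo lines and unrelated output are skipped
            lists[m.group(1)] = m.group(2).split()
    return lists

def classify(text):
    """List how a config differs from the two-statement pattern in the thread."""
    lists = parse_aaa(text)
    findings = []
    for kind in ("enable", "login"):
        methods = lists.get(kind)
        if methods is None:
            findings.append(f"no-{kind}-method-list")
        elif "radius" not in methods:
            findings.append(f"{kind}-not-radius")
        elif methods[0] != "radius":
            findings.append(f"{kind}-radius-not-first")
    return findings  # empty list: both statements present, radius first

def audit(samples):
    """Map each hostname to its findings."""
    return {host: classify(text) for host, text in samples.items()}

if __name__ == "__main__":
    for host, findings in audit(SAMPLES).items():
        print(host, "OK" if not findings else ", ".join(findings))
```

An empty findings list means the switch already has both statements in the form Vu shows; anything else still needs a configuration change made by someone with the required access.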