How to skip enable mode password prompt.

Answered Question
May 25th, 2007

Hi,

I just installed ACS 4.1 (first time working with ACS). Everything is working great and I'm using the ACS internal database for user authentication.

The question I have is this. When logging into a router, which is authenticating against the ACS server, is there a way to bypass having to enter my password a second time to get to enable mode??

Currently, I have to enter my username and password to login to the router and when I go to enable mode, I have to re-enter my password again.

Any help is greatly appreciated.

Thanks,

Tony

Jagdeep Gambhir Fri, 05/25/2007 - 07:36

Tony,

If you are using tacacs then this needs to be done,

Router(config)# username [username] password [password]
tacacs-server host [ip]
tacacs-server key [key]
aaa new-model
aaa authentication login default group tacacs+ local
aaa authorization exec default group tacacs+ if-authenticated

On ACS

Bring users/groups in at level 15

1. Go to user or group setup in ACS

2. Drop down to "TACACS+ Settings"

3. Place a check in "Shell (Exec)"

4. Place a check in "Privilege level" and enter "15" in the adjacent field

Regards,

Jagdeep
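A small checker for the router side of this recipe, added here as an example; it is not code from the thread or from Cisco. It takes a running-config as text and reports which of the lines listed above are absent, and whether a local privilege-15 user exists as a fallback for when ACS is unreachable. The sample config is constructed from the lines quoted in the thread, with "aaa new-model" and the exec authorization line deliberately left out; the IP address and secrets are placeholders.

```python
import re

# Constructed sample router config, modelled on the AAA lines quoted in the
# thread. "aaa new-model" and "aaa authorization exec" are deliberately
# missing so the checker has something to report. Secrets are placeholders.
SAMPLE_CONFIG = """\
username admin privilege 15 secret PLACEHOLDER_SECRET
tacacs-server host 192.0.2.10
tacacs-server key PLACEHOLDER_KEY
aaa authentication login default group tacacs+ local
aaa authentication enable default group tacacs+ enable
aaa authorization commands 15 default group tacacs+ if-authenticated
"""

# What the router needs so that a user ACS returns at privilege level 15
# lands in enable mode directly (telnet/ssh sessions; console sessions are
# not authorized by default).
REQUIRED = {
    "aaa new-model": r"^aaa new-model$",
    "tacacs-server host": r"^tacacs-server host \S+",
    "tacacs-server key": r"^tacacs-server key \S+",
    "login authentication via tacacs+": r"^aaa authentication login default group tacacs\+",
    "exec authorization via tacacs+": r"^aaa authorization exec default group tacacs\+",
}


def _config_lines(config_text):
    """Strip whitespace and drop blank lines from a show-run style dump."""
    return [line.strip() for line in config_text.splitlines() if line.strip()]


def check_enable_bypass_config(config_text):
    """Return the names of REQUIRED items with no matching line in the config."""
    lines = _config_lines(config_text)
    return [
        name
        for name, pattern in REQUIRED.items()
        if not any(re.match(pattern, line) for line in lines)
    ]


def has_local_fallback(config_text):
    """True if a privilege-15 local user exists for use when ACS is down."""
    return any(
        re.match(r"^username \S+ privilege 15 ", line)
        for line in _config_lines(config_text)
    )


if __name__ == "__main__":
    missing = check_enable_bypass_config(SAMPLE_CONFIG)
    print("missing:", missing or "nothing")          # → ['aaa new-model', 'exec authorization via tacacs+']
    print("local fallback user:", has_local_fallback(SAMPLE_CONFIG))  # → True
```

Without the exec authorization line the router never asks ACS for the shell attributes, so the privilege level configured in the ACS group is never applied and the enable prompt appears regardless of the ACS settings.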

amaiale Fri, 05/25/2007 - 08:14

Jagdeep,

Thank you so much for your response. I did as you have recommended and I am still being prompted to enter my password a second time to get into enable mode.

Here is the router config:

tacacs-server host x.x.x.x
tacacs-server directed-request
tacacs-server key xxxxxxxxxxxxxxx
aaa authentication login default group tacacs+ local
aaa authentication enable default group tacacs+ enable
aaa authorization exec default group tacacs+ if-authenticated
aaa authorization commands 15 default group tacacs+ if-authenticated
aaa accounting update newinfo
aaa accounting exec default stop-only group tacacs+
aaa accounting commands 15 default stop-only group tacacs+

My ACS group setting is configured for privilege level 15.

Does anything jump out at you? Is there anything else I should do?

Thanks again,

Tony

Jagdeep Gambhir Fri, 05/25/2007 - 08:45

Tony,

Setting seems to be ok and it should work. Get the debug aaa authorization and debug tacacs.

Regards,

amaiale Fri, 05/25/2007 - 10:04

Hi Jagdeep,

Here's the output from debug aaa authorization, debug tacacs authorization, & debug tacacs events.

The first output is me logging in and the second is me going to enable mode.

Thanks for your input.

Tony

Attachment: 
Richard Burts Fri, 05/25/2007 - 12:54

Tony

I can not tell from the output whether you are doing telnet to the router remotely or whether this is a console session. It makes a difference because by default the IOS does not do authorization for console sessions, and therefore will not put you directly into enable mode when logging in from the console. It does work when logging in from telnet.

[edit] after looking again at the debug it is obvious that the router is sending authorization the first time, which probably means that it is from a telnet connection. So my observation about not authorizing on the console is probably not the right answer to your issue.

HTH

Rick

Jagdeep Gambhir Fri, 05/25/2007 - 14:07

Tony,

Can you make sure that the user is part of the group on which you have configured shell exec priv 15?

Which device and IOS are you testing it with? Do you have any other IOS device to test?

Regards,

Jagdeep

amaiale Thu, 05/31/2007 - 11:42

Hi Jagdeep;

Thank you for your reply. I apologize for not getting back to you sooner. I was out of the office.

The user is part of the group with shell exec priv 15. Also, they have an unrestricted shell command auth set (permitting all unmatched commands).

Here are the devices and IOS levels:

Cisco 2851 12.4.12

Cisco 3640 12.3.10

MSFC3 12.2(17d)SXB6

Cisco 7206 12.3(22)

All AAA configs include the authorization, if-authenticated command.

Thanks again,

Tony

Premdeep Banga Sat, 05/26/2007 - 15:27

Hi Tony,

Please ensure that you have not configured anything in the user settings, as user settings override group settings.

From debugs,

May 25 13:56:41.544 edt: AAA/AUTHOR/EXEC(0000020A): processing AV cmd=
May 25 13:56:41.544 edt: AAA/AUTHOR/EXEC(0000020A): Authorization successful

It seems like you have checked Autocommand or a shell command authorization set. Not too sure, I have to check that out.

But we should get something like "priv-lvl=15" in debugs rather than "cmd="

If you are doing this from console, then you need to have a hidden command applied,

"aaa authorization console"

But I would only recommend you this, once you make sure everything is working fine via telnet/ssh.

Regards,

Prem
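The point Prem makes above, that a working exec authorization should show "priv-lvl=15" rather than a bare "cmd=" in the debug, is easy to check mechanically. The following parser is an added example, not code from the thread or from Cisco: it groups "debug aaa authorization" lines by session id, collects the attribute-value pairs ACS returned, and gives a verdict per session. The sample debug text is constructed from the two lines quoted above plus a second, healthy session (id 0000020B is made up).

```python
import re

# Constructed sample of "debug aaa authorization" output. The first session
# (0000020A) is the one quoted in the thread: authorization succeeds but ACS
# returns only an empty cmd= attribute, so no privilege level is applied.
# The second session (0000020B, constructed) shows what a correctly
# configured group returns.
SAMPLE_DEBUG = """\
May 25 13:56:41.544 edt: AAA/AUTHOR/EXEC(0000020A): processing AV cmd=
May 25 13:56:41.544 edt: AAA/AUTHOR/EXEC(0000020A): Authorization successful
May 25 14:02:03.101 edt: AAA/AUTHOR/EXEC(0000020B): processing AV priv-lvl=15
May 25 14:02:03.101 edt: AAA/AUTHOR/EXEC(0000020B): Authorization successful
"""

# One AV pair per "processing AV" line: attribute name, "=", value (may be empty).
AV_RE = re.compile(
    r"AAA/AUTHOR/EXEC\((?P<sid>[0-9A-Fa-f]+)\): processing AV (?P<attr>[\w-]+)=(?P<val>\S*)"
)
# Final result line of an EXEC authorization session.
RESULT_RE = re.compile(
    r"AAA/AUTHOR/EXEC\((?P<sid>[0-9A-Fa-f]+)\): Authorization (?P<result>\w+)"
)


def parse_exec_authorization(debug_text):
    """Map session id -> {"avpairs": {attr: value}, "result": "successful" | ...}."""
    sessions = {}
    for line in debug_text.splitlines():
        m = AV_RE.search(line)
        if m:
            s = sessions.setdefault(m["sid"], {"avpairs": {}, "result": None})
            s["avpairs"][m["attr"]] = m["val"]
            continue
        m = RESULT_RE.search(line)
        if m:
            s = sessions.setdefault(m["sid"], {"avpairs": {}, "result": None})
            s["result"] = m["result"]
    return sessions


def diagnose(sessions):
    """One human-readable verdict per EXEC authorization session."""
    verdicts = {}
    for sid, s in sessions.items():
        av = s["avpairs"]
        if s["result"] != "successful":
            verdicts[sid] = "authorization did not succeed; check the ACS group/user shell settings"
        elif av.get("priv-lvl") == "15":
            verdicts[sid] = "priv-lvl=15 returned; the user lands in enable mode without a second prompt"
        elif "priv-lvl" in av:
            verdicts[sid] = f"priv-lvl={av['priv-lvl']} returned; an enable prompt is still expected"
        else:
            verdicts[sid] = "no priv-lvl attribute returned; 'Privilege level' is probably unchecked in ACS"
    return verdicts


if __name__ == "__main__":
    for sid, verdict in diagnose(parse_exec_authorization(SAMPLE_DEBUG)).items():
        print(sid, verdict)
```

Running this over a real debug capture pinpoints which side to look at: a successful session with no priv-lvl attribute is an ACS configuration problem (which is what the thread eventually finds), whereas a failed session points at the group membership or the shell authorization set.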

amaiale Thu, 05/31/2007 - 11:54

Hi Prem,

Thank you for your reply. I apologize for not getting back to you sooner. I was out of the office.

The user settings are set up so that all settings come from the group settings. There are no separate user settings.

The group is setup to have an unrestricted shell command auth set (permitting all unmatched commands).

Lastly, I am connecting through telnet to the router(s).

Please don't hesitate to ask if you need anything else.

Thanks for looking at this for me.

Tony

manufc Thu, 05/31/2007 - 23:18

Hi,

Here's my two pennies' worth:

I would take off the "authorization" lines as these are only needed to authorize exec and commands:

no aaa authorization exec default group tacacs+ if-authenticated
no aaa authorization commands 15 default group tacacs+ if-authenticated

I would also remove the authentication enable line as this tells the device to authenticate enable mode access

no aaa authentication enable default group tacacs+ enable

And just test with the authentication login line, leave the accounting lines for now

I would double check the following in ACS:

Is the device in the right NDG?

Do you have Per Group Defined Network Access Restrictions defined for this device?

Is the user in the right group?

In the group settings, Check you have Shell(exec) enabled, Privilege level set to 15, and under Enable Options ensure you have the right Priv level defined, per device, per group etc.

Do you have either Shell Command Authorization Set or Per Group Command Authorization radio button selected?

If you have Shell Command Authorization Set for the group ensure you have Unmatched Commands Permit selected.

And authentication should be ok, then you can troubleshoot the authorization part...

Is this on an appliance or another operating system? My experience of the appliances is that they're pretty c**p, too many bugs and little things that don't work...

Just for info, you should have a last resort local username configured if ACS is down:

username priv 15 password

This will give you local access, and, if you find you have access issues as you have, you can remove the device from ACS so it doesn't know about it; the device will try ACS, not get a response after the timeout period, and prompt you for your username. Enter your local password and you're in...

I hope this helps...

amaiale Fri, 06/01/2007 - 06:05

Hi and thanks for your response;

As I mentioned in my first email, everything is working, Authentication, Authorization and Accounting, as it should. The only question that I have is how to prevent entering my TACACS password a second time when entering "enable" mode.

Removing the commands that you mention will only cause me to have to enter the enable mode password (or secret) configured on the device itself.

The ACS group settings and user settings are in-line with your recommendations.

Lastly, I am using Cisco ACS 4.1, which is running on a Windows 2003 (virtual) server. It's not an appliance.

Thanks for taking the time to respond.

Tony

Premdeep Banga Fri, 06/01/2007 - 16:15

Hi Tony,

Can you please take a screenshot of the group settings that your user is in, along with a screenshot of the user configuration that you are testing, and a sh run, in a Word file.

Regards,

Prem

premdeep.banga Mon, 06/04/2007 - 05:55

Hi,

In the screenshots being sent by you, I can see that you have "Shell(exec)" checked, but "Privilege level" is not.

Please check "Privilege level" and put 15 in the corresponding box as the value, press "Submit + Restart", go back and make sure that the setting is still there, and make sure that you have the command

aaa authorization exec default group tacacs+

or something similar to it.

And then try.

Regards,

Prem

amaiale Mon, 06/04/2007 - 06:20

Hi Prem,

That works!!!

It takes me directly into enable mode without prompting me after initial login. When I do a show privilege, it shows that I am at level 15 too.

One last question: is there any way to set this up to prompt for enable mode, so that the user must type enable, but the enable password can be skipped or not required? (That would provide just a little extra protection against someone accidentally doing something by mistake on the router.)

If that is too involved to get into, we can leave things the way they are. At least I am not entering the password in twice.

Thanks again,

Tony

Jagdeep Gambhir Mon, 06/04/2007 - 06:54

Tony,

If you want it to prompt for the enable password, then you need to take out priv 15 for the group that should be prompted for the enable password.

ACS----> Group setup--->Edit----> Jump to tacacs+---> shell-----> remove 15---> submit and restart.

Regards,

Premdeep Banga Mon, 06/04/2007 - 13:41

Hi Tony,

Glad to hear that it worked.

About the second part. Command Authorization would be the solution.

So that you can restrict helpdesk-users from attempting any configuration change.

And enabling you with the privilege to run all commands. As per your config on ACS, it is already configured in a way that you will have the privilege to run all the commands.

Relevant commands,

aaa authorization command 0 default group tacacs+ none
aaa authorization command 1 default group tacacs+ none
aaa authorization command 15 default group tacacs+ none

Play with the above commands in a test environment first, then apply them on production.

Regards,

Prem

Correct Answer
Premdeep Banga Mon, 06/04/2007 - 13:45

Hi Tony,

Do mark this thread as solved, so that others can benefit from it.

Thanks,

Prem

amaiale Tue, 06/05/2007 - 05:16

Prem,

Thank you again.

I greatly appreciate your help.

Tony
