Possible To Only Have To Enter Password 1 time?

pugs17211721
Level 1

I have configured some of our network devices to authenticate to our TACACS server. Some of the network engineers have asked me to see if I can come up with a way that they don't have to type in their password twice on the network devices. I saw a different thread,

http://forum.cisco.com/eforum/servlet/NetProf?page=netprof&forum=Security&topic=AAA&CommCmd=MB%3Fcmd%3Ddisplay_location%26location%3D.1dde9bc0

and I followed what was stated in there, however I still have to type in my password twice. I have made sure that the shell privilege level is set for 15. Anyone have any ideas?

Attached is the related router config.

aaa new-model

aaa authentication login default group tacacs+ local

aaa authentication enable default group tacacs+ enable

aaa authorization exec default group tacacs+ if-authenticated

aaa authorization commands 15 default group tacacs+ if-authenticated

tacacs-server host 172.20.62.208

tacacs-server host 172.20.62.191

tacacs-server key 7 <omitted>

Thanks for the help.

6 Replies

somishra
Cisco Employee

Remove the command -

aaa authentication enable default group tacacs+ enable

Hope this helps,

Soumya

If I do a

no aaa authentication enable default group tacacs+ enable

then when I try to sign in, I get

NBOH-2940-001-IS>en

Password:

% Access denied

I have attached a screenshot of the ACS server.

First of all, if you have exec command and shell priv option checked you should be in # prompt, you should not be following in user> mode. Please send the following debugs when trying authentication.

-debug aaa authentication

-debug aaa authorization

-debug tacacs

Thanks

Parminder

Hi,

What is the IOS ver you have on the box? Please make sure that the attachment is from tacacs 172.20.62.208 and not the other one.

Make sure that you are a part of that group on which changes have been made. Also check if you have anything set at user level?

Regards,

~JG

parmsing
Cisco Employee

Hi,

As you already have the aaa authorization exec command in place, you only have to enable the privilege level field under TACACS+ settings on the group and mention 15 as the privilege there, and that should do it.

I have attached a screenshot for your reference.

Thanks

Parminder

Jagdeep Gambhir
Level 10

Hi,

No need to do enable authentication.

Please take that out and it will work fine.

Regards,

~JG
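
An added example, not written by any poster in this thread or by Cisco: a Python check over the AAA lines from the question. It reports whether exec authorization via TACACS+ is present (the replies rely on it to deliver privilege level 15 at login), whether an enable authentication list is still configured, and where `if-authenticated` lets authorization succeed for any authenticated user when no TACACS+ server answers. The finding names and the embedded sample are constructed for illustration.

```python
import re

# Constructed sample: the AAA lines posted in the question above.
SAMPLE_CONFIG = """\
aaa new-model
aaa authentication login default group tacacs+ local
aaa authentication enable default group tacacs+ enable
aaa authorization exec default group tacacs+ if-authenticated
aaa authorization commands 15 default group tacacs+ if-authenticated
tacacs-server host 172.20.62.208
tacacs-server host 172.20.62.191
"""

AAA_LINE = re.compile(
    r"^aaa\s+(authentication|authorization)\s+(login|enable|exec|commands\s+\d+)"
    r"\s+(\S+)\s+(.+)$"
)

def parse_aaa(config):
    """Return {(kind, service, list_name): [methods]} for each AAA method list."""
    lists = {}
    for raw in config.splitlines():
        m = AAA_LINE.match(raw.strip())
        if m:
            kind, service, name, methods = m.groups()
            service = " ".join(service.split())
            # "group tacacs+" is one method, so fold the keyword into its argument.
            methods = re.sub(r"group\s+", "group:", methods).split()
            lists[(kind, service, name)] = methods
    return lists

def audit_single_prompt(config):
    """Findings relevant to reaching the # prompt after a single password."""
    lists = parse_aaa(config)
    findings = []
    # Without exec authorization the server-assigned privilege level is not applied.
    if "group:tacacs+" not in lists.get(("authorization", "exec", "default"), []):
        findings.append("no-exec-authorization")
    # The replies in this thread suggest removing this method list.
    if ("authentication", "enable", "default") in lists:
        findings.append("enable-authentication-configured")
    # if-authenticated is reached only when the TACACS+ servers do not respond.
    for (kind, service, _name), methods in lists.items():
        if kind == "authorization" and "if-authenticated" in methods:
            findings.append("if-authenticated-fallback:" + service)
    return findings
```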
