IOS 12.4 enable authentication TACACS+ failing on $enab15$!!

Unanswered Question
Aug 9th, 2007

Hi,

We have a Cisco router on IOS 12.4 set up for AAA authentication login default TACACS+. Telnet login works fine with the TACACS+ user. We also have aaa authentication enable default TACACS+ configured and allowed Cisco PAP password for the user. Now when the authenticated TACACS user tries to enable, an authentication error happens, and the logs/debug + ACS 3.2 (T+ server) show unknown user $enab15$. Can anyone suggest why this is happening, when the user shown should be the same user who had gone into user mode and was now trying enable? Pointers appreciated.

maheshbalasub75 Thu, 08/09/2007 - 07:22

Hi, thanks for that. We are in a severely change/release controlled environment. Does that mean it is a bug? We have another IOS 12.4(13); it works fine. That is strange. Is it supposed to behave this way? Is there any workaround?

Thanks

Premdeep Banga Thu, 08/09/2007 - 07:27

CSCsh76038 & CSCin98780, check their details.

The workaround that I can suggest is to skip the enable authentication and go directly to privileged exec mode using the command:

aaa authorization exec default group tacacs+ local

And specify the privilege level on ACS, i.e. check "Shell" and "Privilege Level" with the value of the privilege, like 2, 15, etc.

Regards,

Prem

maheshbalasub75 Thu, 08/09/2007 - 07:28

Just adding: is there a Cisco BID equivalent listed somewhere for justifying this?

Appreciate help

maheshbalasub75 Thu, 08/09/2007 - 07:41

Yikes, we have usergroups and device groups routers mapped with appropriate privileges... works fine for all but... how do we work around now?

Thanks

Premdeep Banga Thu, 08/09/2007 - 15:28

Get an insight by an expert.

I won't suggest you anything at this point, as it would require having your topology details, and if you cannot go to the fixed version as stated by the bug, and some are working and some are not.

I think someone needs to understand the whole situation in depth before going for any kind of workaround.

Regards,

Prem
