Log into Device with AAA, how do I get right into enable mode?

Oct 11th, 2007
I am using a Cisco ACS server with an RSA server behind it. When the user is authenticated from the ACS server, I want them to go straight into enable mode, not have to type the enable mode password. What line am I missing?

aaa authentication login ACS group ACS_servers local enable
aaa authorization exec ACS group ACS_servers local
aaa authorization commands 15 ACS group ACS_servers local
aaa accounting commands 1 default start-stop group ACS_servers
aaa accounting commands 15 default start-stop group ACS_servers

line vty 0 5
 login authentication ACS
 authorization commands 15 ACS

Jagdeep Gambhir Thu, 10/11/2007 - 14:39
Hi,


Bring users/groups in at level 15

1. Go to user or group setup in ACS

2. Drop down to "TACACS+ Settings"

3. Place a check in "Shell (Exec)"

4. Place a check in "Privilege level" and enter "15" in the adjacent field



Regards,

~JG


Please rate helpful posts


mdcarey15 Fri, 10/12/2007 - 08:27
Unfortunately, that still did not work; it authenticates me, but puts me at the router> prompt.

aaa authentication login default line
aaa authentication login ACS group ACS_servers local enable
aaa authorization exec ACS group ACS_servers local
aaa authorization commands 15 ACS group ACS_servers local
aaa accounting commands 1 default start-stop group ACS_servers
aaa accounting commands 15 default start-stop group ACS_servers

line vty 1
 access-class 1 in
 exec-timeout 60 0
 ipv6 access-class IPv6-VTY-Access in
 authorization commands 15 ACS
 login authentication ACS


Jagdeep Gambhir Fri, 10/12/2007 - 08:36

Are you logging in via console or telnet? Please send me the complete running config.

Also try it with a plain vanilla config and see how it works:

aaa authentication login default group tacacs local
aaa authorization exec default group tacacs if-authenticated



If it works then there is some issue with server or group name.

mdcarey15 Fri, 10/12/2007 - 08:43
I forgot the line in my vty line config:


authorization exec ACS

Richard Burts Sat, 10/13/2007 - 11:18
Michael


The question from Jagdeep about whether you are logging in on the console or by telnet is actually quite significant. Going directly to enable mode is a function of authorization, and by default Cisco does not do authorization on the console. So login on the console would not go directly to enable (unless you had configured privilege level 15 on the console).


So are you logging in on the console or on vty?


HTH


Rick

mdcarey15 Mon, 10/15/2007 - 07:58
The configuration in question is for telnet, but I do need to design my new console access connection. Console access would be either remotely or on-site, but I don't feel comfortable giving priv 15 right into it. I plan to use the same authentication method on the console (ACS group 1st, local database 2nd) and will just have to enter the enable password through the console.


One more question on the aaa config, I kept getting this error in the log:


AAA/AUTHOR: config command authorization not enabled


So I added:


aaa authorization config-commands


I don't know if it was needed because I could still execute config-commands, but it kept giving me that warning if I didn't have that line.


Also, do I really need this line if the ACS server is taking care of priv 15 authorization:



aaa authorization commands 15 ACS if-authenticated


Jagdeep Gambhir Mon, 10/15/2007 - 08:20

By default console authorization is disabled, so it should ask you for the enable password from the console.

However, if you want to log in straight to enable mode from the console, then you need to issue this hidden command:


aaa authorization console

=================================


aaa authorization config-commands


The above command checks the authorization for commands that are executed in config mode.

Yes, you should have that command.

aaa autho command 15 ----> Checks commands with priv 15 ONLY in enable mode. It does not check config t commands.


Regards,

~JG
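The three configuration mistakes this thread works through (a named exec authorization list defined globally but never applied under `line vty`, command authorization enabled without `aaa authorization config-commands`, and console logins without `aaa authorization console`) are easy to spot mechanically in a running-config. The following Python linter is an added example, not code from the thread or from Cisco; the sample configuration it parses is constructed to mirror the poster's config (method list `ACS`, server group `ACS_servers`) with a console line added, and the checks implement the behaviour the replies describe.

```python
"""Lint a Cisco IOS running-config for the AAA/line mismatches discussed above.

Added example (not from the original thread). It flags:
  * a 'line con'/'line vty' section that applies 'login authentication' but
    no 'authorization exec <list>' while no 'default' exec list exists;
  * an 'authorization exec <list>' that references an undefined method list;
  * 'aaa authorization commands ...' without 'aaa authorization config-commands';
  * a console line relying on AAA without 'aaa authorization console'.
"""
import re

# Constructed sample config: mirrors the thread's configuration. 'line vty 0 4'
# is missing 'authorization exec ACS' (the poster's bug); 'line vty 5' has it.
SAMPLE_CONFIG = """\
aaa new-model
aaa authentication login default line
aaa authentication login ACS group ACS_servers local enable
aaa authorization exec ACS group ACS_servers local
aaa authorization commands 15 ACS group ACS_servers local
aaa authorization config-commands
aaa accounting commands 15 default start-stop group ACS_servers
line con 0
 login authentication ACS
line vty 0 4
 access-class 1 in
 authorization commands 15 ACS
 login authentication ACS
line vty 5
 authorization exec ACS
 authorization commands 15 ACS
 login authentication ACS
"""


def parse_config(text):
    """Split an IOS config into global commands and per-'line' sections.

    Returns (globals: list[str], sections: dict[section_header, list[str]]).
    Indented lines belong to the most recent 'line ...' header; comments
    ('!') and blank lines are ignored.
    """
    globals_, sections, current = [], {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("!"):
            continue
        if raw.startswith(" "):
            if current is not None:
                sections[current].append(raw.strip())
            continue
        cmd = raw.strip()
        if cmd.startswith("line "):
            current = cmd
            sections.setdefault(current, [])
        else:
            current = None
            globals_.append(cmd)
    return globals_, sections


def aaa_exec_methods(globals_):
    """Method-list names defined by 'aaa authorization exec <name> ...'."""
    names = set()
    for cmd in globals_:
        m = re.match(r"aaa authorization exec (\S+)", cmd)
        if m:
            names.add(m.group(1))
    return names


def lint(text):
    """Return a list of (where, finding) tuples; an empty list means clean."""
    globals_, sections = parse_config(text)
    exec_lists = aaa_exec_methods(globals_)
    console_authz = "aaa authorization console" in globals_
    findings = []
    # EXEC-mode command authorization without config-mode coverage; IOS logs
    # "AAA/AUTHOR: config command authorization not enabled" in this state.
    if (any(c.startswith("aaa authorization commands ") for c in globals_)
            and "aaa authorization config-commands" not in globals_):
        findings.append(("global", "'aaa authorization commands' is set but "
                         "'aaa authorization config-commands' is not: config-mode "
                         "commands are not authorized"))
    for name, cmds in sections.items():
        has_login = any(c.startswith("login authentication ") for c in cmds)
        exec_ref = next((c.split()[2] for c in cmds
                         if c.startswith("authorization exec ")), None)
        if not has_login:
            continue  # line does not use AAA login; nothing to check
        if name.startswith("line con") and not console_authz:
            findings.append((name, "console authorization is off by default; without "
                             "'aaa authorization console' users land in user EXEC"))
            continue
        if exec_ref is None and "default" not in exec_lists:
            findings.append((name, "no 'authorization exec <list>' on this line, so the "
                             "named exec authorization (and its privilege level) "
                             "is never applied"))
        elif exec_ref is not None and exec_ref != "default" and exec_ref not in exec_lists:
            findings.append((name, f"'authorization exec {exec_ref}' refers to an "
                             "undefined method list"))
    return findings


if __name__ == "__main__":
    for where, msg in lint(SAMPLE_CONFIG):
        print(f"{where}: {msg}")
```

Run against the constructed sample, the linter reports `line con 0` (no `aaa authorization console`) and `line vty 0 4` (no `authorization exec ACS`), and stays quiet on `line vty 5`, which is exactly the fix the poster found. Feed it the output of `show running-config` saved to a file to check real devices.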
