Log into Device with AAA, how do I get right into enable mode?

mdcarey15
Level 1

I am using a Cisco ACS server with an RSA server behind it. When the user is authenticated from the ACS server, I want them to go straight into enable mode, not have to type the enable mode password. What line am I missing?

aaa authentication login ACS group ACS_servers local enable
aaa authorization exec ACS group ACS_servers local
aaa authorization commands 15 ACS group ACS_servers local
aaa accounting commands 1 default start-stop group ACS_servers
aaa accounting commands 15 default start-stop group ACS_servers
line vty 0 5
 login authentication ACS
 authorization commands 15 ACS

7 Replies

Jagdeep Gambhir
Level 10

Hi,

Bring users/groups in at level 15

1. Go to user or group setup in ACS

2. Drop down to "TACACS+ Settings"

3. Place a check in "Shell (Exec)"

4. Place a check in "Privilege level" and enter "15" in the adjacent field

Regards,

~JG

Please rate helpful posts

Unfortunately, that still did not work; it authenticates me, but puts me at the router> prompt.

aaa authentication login default line
aaa authentication login ACS group ACS_servers local enable
aaa authorization exec ACS group ACS_servers local
aaa authorization commands 15 ACS group ACS_servers local
aaa accounting commands 1 default start-stop group ACS_servers
aaa accounting commands 15 default start-stop group ACS_servers
line vty 1
 access-class 1 in
 exec-timeout 60 0
 ipv6 access-class IPv6-VTY-Access in
 authorization commands 15 ACS
 login authentication ACS

Are you logging in via console or telnet? Please send me the complete running config.

Also try it with a plain vanilla config and see how it works:

aaa authentication login default group tacacs local
aaa authorization exec default group tacacs if-authenticated

If it works then there is some issue with the server or group name.

I forgot the line in my vty line config:

authorization exec ACS

Michael

The question from Jagdeep about whether you are logging in on the console or by telnet is actually quite significant. Going directly to enable mode is a function of authorization, and by default Cisco does not do authorization on the console. So login on the console would not go directly to enable (unless you had configured privilege level 15 on the console).

So are you logging in on the console or on vty?

HTH

Rick

The configuration in question is for telnet, but I do need to design my new console access connection. Console access would be either remotely or on-site, but I don't feel comfortable giving priv 15 right into it. I plan to use the same authentication method on the console (ACS group 1st, local database 2nd) and will just have to enter the enable password through the console.

One more question on the aaa config, I kept getting this error in the log:

AAA/AUTHOR: config command authorization not enabled

So I added:

aaa authorization config-commands

I don't know if it was needed because I could still execute config-commands, but it kept giving me that warning if I didn't have that line.

Also, do I really need this line if the ACS server is taking care of priv 15 authorization:

aaa authorization commands 15 ACS if-authenticated

By default console authorization is disabled, so it should ask you for the enable password from the console.

However, if you want to log in straight to enable mode from the console then you need to issue this hidden command:

aaa authorization console

=================================

aaa authorization config-commands

Above command checks the authorization for commands that are executed in config mode.

Yes, you should have that command,

aaa autho command 15 ----> Checks command with priv 15 ONLY on Enable mode. It is not checking config t commands.

Regards,

~JG
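As an added example (not code from this thread, from the posters, or from Cisco), the following Python lint parses a running-config in the shape posted above and flags the gaps the replies identify: a vty line with no "authorization exec <list>" (the poster's original problem), exec authorization on the console without the global "aaa authorization console", and level-15 command authorization without an explicit "aaa authorization config-commands". The sample config is constructed from the poster's fragments, not captured from a real device, and the parser is deliberately minimal (only the aaa lines and line con/vty/aux blocks it needs), which is an assumption of the example rather than a full IOS parser.

```python
"""Lint a Cisco IOS running-config for the AAA authorization gaps this thread
turned up.  Added example: not code from the original posts or from Cisco."""
from __future__ import annotations

import re
from dataclasses import dataclass, field

# Constructed sample, assembled from the fragments posted in the thread; not
# captured from a real device.  It still lacks "authorization exec" on the
# vty line and the explicit "aaa authorization config-commands".
SAMPLE_CONFIG = """\
aaa new-model
aaa authentication login default line
aaa authentication login ACS group ACS_servers local enable
aaa authorization exec ACS group ACS_servers local
aaa authorization commands 15 ACS group ACS_servers local
aaa accounting commands 1 default start-stop group ACS_servers
aaa accounting commands 15 default start-stop group ACS_servers
line con 0
 login authentication ACS
line vty 1
 access-class 1 in
 exec-timeout 60 0
 ipv6 access-class IPv6-VTY-Access in
 authorization commands 15 ACS
 login authentication ACS
"""

# The same config with the two lines the replies recommend added.
FIXED_CONFIG = SAMPLE_CONFIG.replace(
    "aaa authorization commands 15 ACS group ACS_servers local\n",
    "aaa authorization commands 15 ACS group ACS_servers local\n"
    "aaa authorization config-commands\n",
).replace(
    "line vty 1\n",
    "line vty 1\n authorization exec ACS\n",
)


@dataclass
class AaaConfig:
    exec_lists: set[str] = field(default_factory=set)    # aaa authorization exec <list>
    cmd_levels: set[int] = field(default_factory=set)    # aaa authorization commands <lvl>
    config_commands: bool = False                        # aaa authorization config-commands
    console_authz: bool = False                          # aaa authorization console
    lines: dict[str, list[str]] = field(default_factory=dict)  # "vty 1" -> sub-commands


def parse_config(text: str) -> AaaConfig:
    """Minimal parser (an assumption of this example, not a full IOS parser):
    global aaa authorization lines plus the sub-commands of line con/vty/aux."""
    cfg = AaaConfig()
    current: str | None = None
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        if raw.startswith(" "):            # indented: sub-command of the open block
            if current is not None:
                cfg.lines[current].append(raw.strip())
            continue
        current = None                     # any non-indented line closes the block
        if m := re.match(r"aaa authorization exec (\S+)", raw):
            cfg.exec_lists.add(m.group(1))
        elif m := re.match(r"aaa authorization commands (\d+)", raw):
            cfg.cmd_levels.add(int(m.group(1)))
        elif raw == "aaa authorization config-commands":
            cfg.config_commands = True
        elif raw == "aaa authorization console":
            cfg.console_authz = True
        elif m := re.match(r"line (con|vty|aux)\b(.*)", raw):
            current = (m.group(1) + m.group(2)).strip()
            cfg.lines.setdefault(current, [])
    return cfg


def find_issues(cfg: AaaConfig) -> list[str]:
    """Return one message per gap; an empty list means the checks pass."""
    issues: list[str] = []
    for name, subs in cfg.lines.items():
        exec_lists = [s.split()[-1] for s in subs if s.startswith("authorization exec ")]
        if name.startswith("vty") and not exec_lists:
            issues.append(
                f"line {name}: no 'authorization exec <list>', so the privilege "
                "level the server returns is not applied and the session lands at '>'"
            )
        for lst in exec_lists:  # sanity check: the referenced method list must exist
            if lst != "default" and lst not in cfg.exec_lists:
                issues.append(f"line {name}: exec authorization list '{lst}' is not defined")
        if name.startswith("con") and exec_lists and not cfg.console_authz:
            issues.append(
                f"line {name}: exec authorization on the console is inactive "
                "without the global 'aaa authorization console'"
            )
    if 15 in cfg.cmd_levels and not cfg.config_commands:
        issues.append(
            "level-15 command authorization is configured but 'aaa authorization "
            "config-commands' is not explicitly set (the thread reports the log "
            "'AAA/AUTHOR: config command authorization not enabled' in that state)"
        )
    return issues


if __name__ == "__main__":
    for label, text in (("as posted", SAMPLE_CONFIG), ("fixed", FIXED_CONFIG)):
        found = find_issues(parse_config(text))
        print(f"{label}: {len(found)} issue(s)")
        for msg in found:
            print("  -", msg)
```

Run it as-is to see the posted config produce two findings and the fixed config produce none; to use it on a device, paste the output of "show running-config" into SAMPLE_CONFIG or read it from a file. Because the lint only flags the explicit "aaa authorization config-commands" line, a config that relies on platform defaults will still be reported, which matches the thread's advice to state the line explicitly.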
