enable Mode authentication

May 12th, 2008

I am not able to configure enable mode authentication. I have set the ACS user password in the TACACS+ option tab

and configured the device for enable mode authentication:


aaa new-model
aaa authentication login default group tacacs+ local
aaa authentication enable default group tacacs+
aaa authorization exec default group tacacs+ if-authenticated
aaa authorization commands 1 default group tacacs+ if-authenticated
aaa authorization commands 15 default group tacacs+ if-authenticated
aaa authorization config-commands
aaa accounting commands 1 default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+



But still, after login the user is only able to enter enable mode by giving the locally configured password, not the password configured in ACS.

Please help me out with how to configure the device so that both login and enable authentication are controlled by ACS.



Jagdeep Gambhir Mon, 05/12/2008 - 16:29

Wasim ,

This is what you need to do.


Bring users/groups in at level 15

1. Go to user or group setup in ACS

2. Drop down to "TACACS+ Settings"

3. Place a check in "Shell (Exec)"

4. Place a check in "Privilege level" and enter "15" in the adjacent field



Regards,

~JG


Do rate helpful posts

wasiimcisco Tue, 05/13/2008 - 03:37

Thanks for the reply,


I did the same thing that you asked me to do, but now the user goes directly to privileged mode; no enable authentication is required and no enable password is asked for.

Though I have set the enable password in the ACS user's TACACS+ Enable Password.

But the device is not requiring any password for enable mode. Below are the commands that I configured on the device.


aaa new-model
aaa authentication login default group tacacs+ local
aaa authentication enable default group tacacs+
aaa authorization exec default group tacacs+ if-authenticated
aaa authorization commands 1 default group tacacs+ if-authenticated
aaa authorization commands 15 default group tacacs+ if-authenticated
aaa authorization config-commands
aaa accounting commands 1 default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+


Jagdeep Gambhir Tue, 05/13/2008 - 04:40

Please get debug tacacs and debug aaa authentication output.

wasiimcisco Wed, 05/14/2008 - 00:59

Kindly see the attachment for the debug output of my device.

I applied the same configuration that you sent me and turned on the debugs

debug aaa authentication
debug tacacs

but still the user is not asked for any enable password; only the login username and password are required.



PDC-Srv-3750-1#sh debug
General OS:
TACACS+ authentication debugging is on
AAA Authentication debugging is on
PDC-Srv-3750-1#




Jagdeep Gambhir Wed, 05/14/2008 - 05:12

Do we have tacacs single-connect enabled on ACS?

Normally if the command authorization fails due to an ACS misconfig, it says "% Command Authorization Failed".

It is a known behavior that IOS sometimes sends requests with the wrong source IP when we are using the tacacs single-connect option. And since it is sending the wrong source IP, first of all ACS doesn't recognize this IP.

And we do not want directed-request either.


ACTION PLAN:

Please disable the single-connect option and change the config to:

no tacacs-server host x.x.x.x single-connection
no tacacs-server directed-request
no tacacs-server key 7 06260D2A1F575D392653
tacacs-server host x.x.x.x key 7 06260D2A1F5
ip tacacs source-interface Loopback0

Define the source interface for TACACS+ authentication.

On the router issue the command

ip tacacs source-interface fastethernet x/y

where the interface would be the one mentioned in the TACACS+ server.

If the issue is still there then please send the full running config along with the following debugs

debug aaa authen
debug aaa author
debug tacacs



Regards,

~JG
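As an added example (not from this thread and not Cisco's code), a small Python checker that runs the pitfalls JG's action plan and the earlier replies describe over the posted IOS AAA lines: a misspelled server group name, an enable method list with no fallback method, single-connection, directed-request, if-authenticated command authorization and a missing source interface. The sample config, the function name and the finding texts are my own construction.

```python
import re

# Constructed sample modelled on the IOS lines posted in this thread: it keeps the
# 'tacasc+' misspelling and the single-connect / directed-request options JG asked to remove.
SAMPLE_IOS_AAA = """\
aaa new-model
aaa authentication login default group tacacs+ local
aaa authentication enable default group tacasc+
aaa authorization exec default group tacacs+ if-authenticated
aaa authorization commands 15 default group tacacs+ if-authenticated
tacacs-server host 192.0.2.10 single-connection
tacacs-server directed-request
"""

BUILTIN_GROUPS = {"tacacs+", "radius"}  # usable after 'group' without an 'aaa group server' definition


def audit_ios_aaa(config: str) -> list:
    """Return findings for the AAA pitfalls discussed in this thread (hypothetical checker)."""
    lines = [ln.strip() for ln in config.splitlines() if ln.strip()]
    findings = []
    # User-defined server groups come from 'aaa group server tacacs+ NAME'.
    defined = {m.group(1) for ln in lines
               if (m := re.match(r"aaa group server \S+ (\S+)", ln))}
    for ln in lines:
        if ln.startswith("aaa group server"):
            continue
        for grp in re.findall(r"\bgroup (\S+)", ln):
            if grp not in BUILTIN_GROUPS | defined:
                findings.append(f"unknown server group '{grp}' in '{ln}'")
    enable_lines = [ln for ln in lines if ln.startswith("aaa authentication enable ")]
    if not enable_lines:
        findings.append("no 'aaa authentication enable' list: enable mode uses the "
                        "local enable password only")
    elif not enable_lines[0].endswith(" enable"):
        findings.append("enable authentication has no trailing 'enable' method: enable "
                        "mode is unreachable if every TACACS+ server is down")
    for ln in lines:
        if ln.startswith("tacacs-server host") and "single-connection" in ln:
            findings.append(f"single-connection set in '{ln}'")
        if ln == "tacacs-server directed-request":
            findings.append("tacacs-server directed-request is enabled")
        if "authorization commands" in ln and ln.endswith(" if-authenticated"):
            findings.append(f"fail-open: commands run without a server verdict when "
                            f"TACACS+ is unreachable in '{ln}'")
    if not any(ln.startswith("ip tacacs source-interface") for ln in lines):
        findings.append("no 'ip tacacs source-interface': requests may carry a source "
                        "address that ACS does not know as an AAA client")
    return findings
```

Call `audit_ios_aaa(SAMPLE_IOS_AAA)` to list the six findings for the sample; a config with `aaa authentication enable default group tacacs+ enable` and a source interface returns an empty list.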

wasiimcisco Mon, 05/19/2008 - 03:24

Sorry for the late reply, I was busy with other stuff. Regarding the Cisco Catalyst switches, command authorization is working, but for the Cisco PIX firewall it is not working.

I wanted to apply the same command set for the junior admin of the firewall that I am using for the switches, but it is not working for me.

The firewall is only allowing full access to admin, but not allowing the junior to do anything, not even show.

I have attached the screenshots for your review and the firewall AAA configuration.



TDC-INT-525-01> enable
Command authorization failed
TDC-INT-525-01> show aaa
               ^
ERROR: % Invalid input detected at '^' marker.
TDC-INT-525-01> show xlate
               ^
ERROR: % Invalid input detected at '^' marker.
TDC-INT-525-01> enable
Command authorization failed
TDC-INT-525-01>

aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ (edn) host 172.28.31.132
aaa-server TACACS+ (edn) host 172.28.31.133
aaa authentication ssh console TACACS+ LOCAL
aaa authentication serial console LOCAL
aaa authentication enable console TACACS+ LOCAL
aaa authorization command TACACS+
aaa accounting command privilege 15 TACACS+
aaa accounting enable console TACACS+



Jagdeep Gambhir Mon, 05/19/2008 - 07:20

Wasim,

I don't see the enable keyword defined in the command authorization set.


Please add "enable" along with show and clear in the "command authorization setup".


That should fix it.


Regards,

~JG


wasiimcisco Mon, 05/19/2008 - 10:24
Thanks for the help, it works like magic; now I am able to restrict the users.

wasiimcisco Tue, 05/20/2008 - 05:07
I have a PIX 535 and I want to configure it for ACS authentication, but the problem is that users try to log in from the inside interface and ACS is located on the outside interface of the PIX firewall.

I have configured the following commands but still am not able to get authentication:



aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ (inside) host 172.28.31.132 waridtel0321
aaa-server TACACS+ (inside) host 172.28.31.133 waridtel0321
aaa authentication ssh console TACACS+ LOCAL
aaa authentication serial console LOCAL
aaa authentication enable console TACACS+ LOCAL
aaa authorization command TACACS+
aaa accounting command privilege 15 TACACS+
aaa accounting enable console TACACS+


The same configuration is working fine for me with the rest of the firewalls in my network because ACS and the users are located on the same interface side; only this firewall is having the problem.

The firewall doesn't have anything like a source interface as routers have.


Please help me out.


