RSA SecurID and Cisco ACS integration for user(s) with enable mode

Unanswered Question
May 31st, 2008

I thought I had this problem figured out but I guess not.

I have a Cisco 2621 router with IOS 12.2(15)T17. Behind the router is a Gentoo Linux box, RSA SecurID 6.1 and Cisco ACS 3.2. I use TACACS+ authentication for logging into the Cisco router, such as telnet and SSH. In the ACS I use "External User Databases" for authentication, which proxy the request from the ACS over to the RSA SecurID server. I installed RSA Agents with the sdconf.rec file on the Cisco ACS server. I renamed "user group 1" to be the "RSA_SecurID" group. In the "External User Databases" and "Database Configuration" I assign SecurID to this "RSA_SecurID"

Everything is working fine. In "User Setup" I can see dynamic users test1, test2, ... testn listed in there as "dynamic users". In other words, I can telnet into the router with my two-factor

The problem is that if test1 wants to go into "enable" mode with a SecurID login, I have to go into the "test1" user settings and select "TACACS+ Enable Password" and choose "Use external database password". After that, test1 can go into enable mode with his/her SecurID

Well, this works fine if I have a few users. The problem is that I have about 100 users that I need to do this for. The solution is clearly not scalable. Is there a setting at the group level where I can do this?

Any ACS "experts" want to help me out here? Thanks.

dmitry Sun, 06/01/2008 - 11:33

Sure there is: in the group config, TACACS+ Settings section, check the Shell (exec) and Privilege level boxes, and in the field next to Privilege level type in 15.

Then in Shell Command Authorization either select a shared auth profile (if defined) or, to allow the execution of all commands, check Per Group Command Authorization and Permit.

This will give level 15 to all the users who are members of this group upon entering just username / PASSCODE, no enable required. This does not work with ASAs (at least I have not figured out the authorization settings in ASA), so with ASA after entering the user/PASSCODE you have to wait for the next token code to enter enable.
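For reference, the router side of this setup as an added example (not from either poster; the thread only describes the ACS settings). The server address and key are placeholders, and the comments mark where the exec-authorization approach above and the per-user enable prompt the original poster wants diverge.

```text
! Added example: IOS AAA configuration for the TACACS+ -> ACS -> SecurID scenario in this thread.
! Placeholder values: TACACS+ server 192.0.2.10, shared key SECRETKEY.
aaa new-model
tacacs-server host 192.0.2.10
tacacs-server key SECRETKEY
!
! Login on the VTY lines (telnet/ssh) is authenticated by ACS, which proxies the PASSCODE to SecurID.
aaa authentication login default group tacacs+ local
!
! Enable is also sent to TACACS+, so ACS prompts for a PASSCODE again instead of the local
! enable secret; the trailing "enable" method is only a fallback if the ACS is unreachable.
aaa authentication enable default group tacacs+ enable
!
! Exec authorization lets ACS return a privilege level. With the group setting described
! above (Shell (exec) + Privilege level 15) users land directly at level 15 and never see
! the enable prompt; leave that box unchecked if each user must present a token for enable.
aaa authorization exec default group tacacs+ if-authenticated
!
line vty 0 4
 login authentication default
```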

cisco24x7 Sun, 06/01/2008 - 14:40

That is not what I want. I want user "test1" to be able to do this:

Username: test1

In other words, the test1 user has to type in his/her RSA token password to get into exec mode. After that, he/she has to use the RSA token password to get into enable mode. Each user can get into "enable" mode with his/her RSA token mode.

The way you described it, it seemed like anyone in this group can go directly into enable mode without a password. This is not what I have in mind.

Any other ideas? Thanks.

cisco24x7 Mon, 06/02/2008 - 17:15

Excluding RDBMS, are there workarounds for this? RDBMS is too cumbersome.

I am surprised a complex piece of software like Cisco ACS does not offer this feature.

