TACACS+ ACS 3.3, PRIV 15 <enable mode> direct login

Unanswered Question
Aug 20th, 2008

Hi,


I want to create a user with priv 15 that can login directly to the enable mode prompt from any AAA client.


Currently, the user logs in to the device then has to authenticate a second time (same PAP password) to gain priv 15.


Is a direct login possible?


Thanks

Collin Clark Wed, 08/20/2008 - 06:41

Router# configure terminal
Router(config)# line vty 0 4
Router(config-line)# privilege level 15


Hope that helps.

Farrukh Haroon Wed, 08/20/2008 - 06:52

You can assign privilege level 15 for all users by applying the solution given by Collin.


Alternatively you can set the privilege level 15 via either TACACS or RADIUS.


aaa authorization exec VTY group ...


Regards


Farrukh

cgravell Wed, 08/20/2008 - 09:34

Thanks for the tips.


The group that you speak of, Farrukh - is this the same group that I create on the ACS?


I create one user and put it in one group on ACS platform - for RANCID backup of config files.


If I add the line that you suggest to the devices, then anyone in that group will go straight to enable mode at login? This is the way that I want to do it...


Cheers,


Chris

Farrukh Haroon Wed, 08/20/2008 - 10:33

Yup, they will go straight to enable mode. If you need help in configuring it, just let me know the protocol you are using (TAC/RAD) and I would be glad to help.


Regards


Farrukh

cgravell Wed, 08/20/2008 - 12:59

Hi Farrukh,


So that you are clear about what I want to do:


I work for an ISP that has just merged with another.


1st ISP uses RADIUS and collects configs via RANCID for its AS.


2nd ISP uses TACACS+ CSACS 3.3 and doesn't use RANCID to collect configs.


So, I create a user and group on CSACS - same user, password as RADIUS for CSACS in the 2nd ISP.


I want to use that user in AS1 to collect configs from AS2 as well.


But in AS2 CSACS TACACS+ won't let me do that in the web-based config.


So, if it is an AAA client config change that is required - let me know what I should put in!


I'll try tomorrow what you suggest, but if you have anything to add it would be interesting to know (I am studying for R&S and SP CCIE presently ;-)).


Cheers,


Chris


ashbyk Thu, 03/18/2010 - 13:11

Farrukh....


I'm trying to do this as well and haven't gotten it to work yet. I'd like a single user to access enable mode directly via their TACACS+ account. Please provide the ACS setup to do this, and also the config lines needed in the network device.


Thanks!

Jagdeep Gambhir Thu, 03/18/2010 - 13:20

Hi ,


Here are the IOS commands,


Router(config)# username [username] password [password]
Router(config)# tacacs-server host [ip]
Router(config)# tacacs-server key [key]
Router(config)# aaa new-model
Router(config)# aaa authentication login default group tacacs+ local
Router(config)# aaa authorization exec default group tacacs+ if-authenticated



To bring a user or group to level 15:
    1.  Go to user or group setup in ACS
    2.  Drop down to "TACACS+ Settings"
    3.  Place a check in "Shell (Exec)"
    4.  Place a check in "Privilege level" and enter "15" in the adjacent field



Regards,

~JG


Do rate helpful posts!
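Putting the thread together, here is a complete IOS configuration for the TACACS+-driven approach (Farrukh's `aaa authorization exec` suggestion and Jagdeep's command list above), with the method lists bound to the vty lines rather than left as `default`. This is an added example, not configuration posted by anyone in the thread; the server address 10.0.0.10, the shared secret, the method-list names VTY-AUTH/VTY-EXEC and the local account `netops` are assumptions to be replaced with your own values.

```cisco
! Added example, not from the thread. 10.0.0.10, the shared secret, the
! method-list names (VTY-AUTH, VTY-EXEC) and the local account "netops"
! are assumptions; replace them with your own values.
!
aaa new-model
!
! Local fallback account, consulted only when no TACACS+ server answers.
! "privilege 15" here means the fallback user also lands in enable mode.
username netops privilege 15 secret <strong-password>
!
tacacs-server host 10.0.0.10
tacacs-server key <shared-secret>
!
! Named method lists bound to the vty lines only; console login is left
! as it was. The per-user level comes from the priv-lvl attribute in the
! server's shell authorization reply (ACS: "Shell (Exec)" checked and
! "Privilege level" = 15, as in Jagdeep's steps), so there is no second
! password prompt for enable.
aaa authentication login VTY-AUTH group tacacs+ local
aaa authorization exec VTY-EXEC group tacacs+ local
!
line vty 0 4
 login authentication VTY-AUTH
 authorization exec VTY-EXEC
!
! Deliberately NOT configured on the vty lines:
!   privilege level 15
! Used on its own (no aaa authorization exec), that is the line-only
! shortcut from Collin's post: every user who authenticates on these
! vtys lands straight in enable mode, and ACS is never asked which
! level the user should have.
```

To verify, log in over a vty and run `show privilege`; it should report level 15 without an `enable` step. Because both lists fall back to `local` only when the servers return no answer, a TACACS+ outage leaves just the `netops` account able to log in, at the privilege configured on it; Jagdeep's `if-authenticated` variant instead grants exec authorization to any user who managed to authenticate during such an outage, without a server-supplied level. The `tacacs-server host` / `tacacs-server key` form matches the IOS of the thread's era; recent IOS releases also accept `tacacs server <name>` blocks with `address ipv4` and `key` sub-commands.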
