TACACS enable


To all R&S expert,

I have a customer which wants their TACACS server to authenticate for both 'login' as well as 'enable'. However, no matter what they do, they get prompted for the username and password twice. They want to be prompted for both username + password once during 'login', but when they press enable, they only want the password to be prompted, not the username again.

Currently they have the following config on their Cat 6513

aaa authentication password-prompt "Backup-password: "
aaa authentication username-prompt "Backup-username: "
aaa authentication login default group tacacs_group local
aaa authentication enable default group tacacs_group enable

And they currently see the following when logging in and enabling:

Access to this device or the attached networks
without explicit written permission is prohibited
and will be prosecuted.

Username: ibm

User Access Verification

Username: ibm

I have spent a great amount of time on this already but couldn't figure out why. I would appreciate anyone's help.



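The two exchanges the thread is trying to configure, modelled at the TACACS+ protocol level as an added example (not code from any of the posts): a login START with an empty user field makes the server reply GETUSER, so the device shows a username prompt, while an enable START that carries the already-authenticated login name with service ENABLE gets GETPASS first, so only a password prompt appears. The session id, shared key and port are constructed sample values, and the server-side reply logic is a simplified model of the RFC 8907 ASCII flow, not a real ACS server.

```python
import hashlib
import struct

VERSION = 0xC0                      # major 0xC, minor 0 (ASCII login)
TYPE_AUTHEN, ACTION_LOGIN, AUTHEN_ASCII = 0x01, 0x01, 0x01  # RFC 8907 values
SVC_LOGIN, SVC_ENABLE = 0x01, 0x02
GETUSER, GETPASS = 0x04, 0x05       # REPLY status: ask for username / ask for password
SESSION_ID = b"\x00\x00\x00\x2a"    # constructed sample session id
KEY = b"constructed-shared-key"     # constructed sample tacacs-server key


def _pad(session_id, key, version, seq_no, length):
    """Pseudo-pad: MD5(session_id, key, version, seq_no[, previous digest]) chained."""
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(session_id + key + bytes([version, seq_no]) + prev).digest()
        pad += prev
    return pad[:length]


def build_authen_start(service, priv_lvl, user, port="vty0", rem_addr=""):
    """Client-side START (seq 1). For enable, the device carries the already
    authenticated login name in `user` with service ENABLE and priv_lvl 15."""
    u, p, r = user.encode(), port.encode(), rem_addr.encode()
    body = struct.pack("!8B", ACTION_LOGIN, priv_lvl, AUTHEN_ASCII, service,
                       len(u), len(p), len(r), 0) + u + p + r
    header = struct.pack("!BBBB4sI", VERSION, TYPE_AUTHEN, 1, 0, SESSION_ID, len(body))
    pad = _pad(SESSION_ID, KEY, VERSION, 1, len(body))
    return header + bytes(a ^ b for a, b in zip(body, pad))


def decode_authen_start(packet):
    """Server side: parse the header, de-obfuscate and read the START fields."""
    version, _ptype, seq, _flags, session_id, length = struct.unpack("!BBBB4sI", packet[:12])
    pad = _pad(session_id, KEY, version, seq, length)
    body = bytes(a ^ b for a, b in zip(packet[12:12 + length], pad))
    _action, priv, _atype, service, ulen, _plen, _rlen, _dlen = struct.unpack("!8B", body[:8])
    return {"service": service, "priv_lvl": priv, "user": body[8:8 + ulen].decode()}


def first_reply_status(packet):
    """Server's first REPLY: GETUSER when START had no username, else straight to GETPASS."""
    return GETUSER if decode_authen_start(packet)["user"] == "" else GETPASS


if __name__ == "__main__":
    login = build_authen_start(SVC_LOGIN, 1, "")          # login: username not yet known
    enable = build_authen_start(SVC_ENABLE, 15, "ibm")    # enable: reuse the login name
    print(first_reply_status(login) == GETUSER, first_reply_status(enable) == GETPASS)
```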
srue Thu, 09/04/2008 - 18:59

Have you looked at the settings on their ACS server?

What version of software is on the switch and the TACACS server?

Calin Chiorean Thu, 09/04/2008 - 23:30


I understand that you want something like this:

---didi is the name of the c6500 where I'm doing ssh-----

ssh didi -l john
john@didi's password: ******

Password: ******



Then please try the sample config below:

aaa new-model
aaa authentication login default group tacacs+ local
aaa authentication enable default group tacacs+ enable
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+

aaa session-id common

tacacs-server host xxx.xxx.xxx.xxx
tacacs-server directed-request
tacacs-server key *******

line vty 0 4
 exec-timeout 30 0
 logging synchronous
 transport preferred ssh
 transport input ssh

The rest of the config is done on the ACS server.

If you have the possibility, try it and tell me if it is working!



Calin Chiorean Thu, 09/04/2008 - 23:37

Btw, if you want the user to be authenticated directly into enable (privilege 15), use the additional line below under "aaa new-model":

aaa authorization exec default group tacacs+ if-authenticated

Good luck!


