TACACS enable

To all R&S experts,


I have a customer who wants their TACACS server to authenticate for both 'login' as well as 'enable'. However, no matter what they do, they get prompted for the username and password twice. They want to be prompted for both username + password once during 'login', but when they type enable, they only want to be prompted for the password, not for the username again.


Currently they have the following config on their Cat 6513


! Custom prompt strings for AAA authentication (replace the default "Username:" / "Password:")
aaa authentication password-prompt "Backup-password: "
aaa authentication username-prompt "Backup-username: "
! Login: try the TACACS+ server group "tacacs_group" first; use the local user database
! only if no server in the group responds
! (the "aaa group server tacacs+ tacacs_group" definition is not shown in this snippet)
aaa authentication login default group tacacs_group local
! Enable: try the same server group first; use the locally configured enable password/secret
! only if no server responds
aaa authentication enable default group tacacs_group enable


And they currently see the following when logging in and enabling:


==================================================

!!! NO UNAUTHORIZED ACCESS !!!

Access to this device or the attached networks

without explicit written permission is prohibited

and will be prosecuted.

==================================================


Username: ibm

Password:


MPELZ21CS01>en


User Access Verification


Username: ibm

Password:

MPELZ21CS01#



I have spent a great amount of time on this already but couldn't figure out why. I would appreciate anyone's help.


Cheers,

Hunt

srue Thu, 09/04/2008 - 18:59

Have you looked at the settings on their ACS server?

What version of software is on the switch and on the TACACS+ server?

Calin Chiorean Thu, 09/04/2008 - 23:30

Hi!


I understand that you want something like this:


--- didi is the name of the c6500 where I'm doing ssh ---

ssh didi -l john
john@didi's password: ******
didi>ena
Password: ******
didi#

Then please try the sample config below:


aaa new-model
! Login: TACACS+ first; the local user database only if no server responds
aaa authentication login default group tacacs+ local
! Enable: TACACS+ first; the local enable password/secret only if no server responds
aaa authentication enable default group tacacs+ enable
! Accounting: send EXEC session start/stop and every privilege-15 command to TACACS+
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
!
! Use one session ID for all accounting records of a given session
aaa session-id common
!
! TACACS+ server address and shared key (values redacted in the original post)
tacacs-server host xxx.xxx.xxx.xxx
! Lets a user target a specific server with the user@hostname login syntax
tacacs-server directed-request
tacacs-server key *******
!
line vty 0 4
 exec-timeout 30 0
 logging synchronous
 transport preferred ssh
 ! Only SSH is accepted on the vty lines; telnet is not offered
 transport input ssh


The rest of the config is done on the ACS server.

If you have the possibility, try it and tell me if it is working!


Cheers,

Calin

Calin Chiorean Thu, 09/04/2008 - 23:37

Btw, if you want the user to be authenticated directly into enable (privilege 15),

use the additional line below under "aaa new-model":

! EXEC authorization via TACACS+ (the server returns priv-lvl=15 for the user);
! "if-authenticated" means an already-authenticated user is still authorized if no server responds
aaa authorization exec default group tacacs+ if-authenticated


Good luck!


Calin
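As an added example that is not part of the original thread (and is not Cisco or ACS code), the Python below builds and decodes the two TACACS+ authentication START packets that the method lists in the configs above cause an IOS device to send: one for 'login' (service=login, priv_lvl=1) and a second, separate one for 'enable' (service=enable, priv_lvl=15) carrying the session's username. The packet layout follows RFC 8907; the shared key, session IDs, username "ibm", port "tty1" and remote address are constructed sample values, and every function name is my own. It also shows why the "tacacs-server key" matters: the body is only XORed with an MD5 pseudo-pad derived from that key, so a guessed key decodes every field.

```python
"""Added example, not part of the original thread or of Cisco's code.

Builds and decodes TACACS+ authentication START packets for 'login' and
'enable' (RFC 8907 layout). Key, session IDs, user, port and remote
address are constructed sample values.
"""
import hashlib
import struct

# RFC 8907 constants
TAC_PLUS_VERSION_DEFAULT = 0xC0    # major 0xC, minor 0 (used for ASCII login)
TAC_PLUS_AUTHEN = 0x01             # header type: authentication
TAC_PLUS_AUTHEN_LOGIN = 0x01       # START action
TAC_PLUS_AUTHEN_TYPE_ASCII = 0x01  # interactive username/password exchange
TAC_PLUS_AUTHEN_SVC_LOGIN = 0x01   # what "aaa authentication login" sends
TAC_PLUS_AUTHEN_SVC_ENABLE = 0x02  # what "aaa authentication enable" sends
TAC_PLUS_UNENCRYPTED_FLAG = 0x01   # body sent in clear; never use in production

HEADER = struct.Struct("!BBBBII")         # version, type, seq_no, flags, session_id, length
START_FIXED = struct.Struct("!BBBBBBBB")  # action, priv_lvl, authen_type, service, 4 lengths
SERVICE_NAMES = {TAC_PLUS_AUTHEN_SVC_LOGIN: "login", TAC_PLUS_AUTHEN_SVC_ENABLE: "enable"}


def pseudo_pad(session_id: int, key: bytes, version: int, seq_no: int, length: int) -> bytes:
    """RFC 8907 section 4.5: chained MD5 over session_id|key|version|seq_no,
    each round also hashing the previous digest, until the pad covers the body."""
    prefix = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(prefix + prev).digest()
        pad += prev
    return pad[:length]


def obfuscate(body: bytes, session_id: int, key: bytes, version: int, seq_no: int) -> bytes:
    """XOR with the pseudo-pad. The same call decodes, so this is obfuscation,
    not modern encryption; the shared key is the only secret protecting it."""
    pad = pseudo_pad(session_id, key, version, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))


def build_authen_start(session_id, key, user, port, rem_addr, service, priv_lvl, seq_no=1):
    """Authentication START packet. For ASCII login the data field is empty;
    the password travels in a later CONTINUE packet after the server's GETPASS."""
    user_b, port_b, rem_b = user.encode(), port.encode(), rem_addr.encode()
    body = START_FIXED.pack(TAC_PLUS_AUTHEN_LOGIN, priv_lvl, TAC_PLUS_AUTHEN_TYPE_ASCII,
                            service, len(user_b), len(port_b), len(rem_b), 0)
    body += user_b + port_b + rem_b
    header = HEADER.pack(TAC_PLUS_VERSION_DEFAULT, TAC_PLUS_AUTHEN, seq_no, 0,
                         session_id, len(body))
    return header + obfuscate(body, session_id, key, TAC_PLUS_VERSION_DEFAULT, seq_no)


def parse_authen_start(packet: bytes, key: bytes) -> dict:
    """Decode a START packet as the server would. With the wrong key the
    pseudo-pad differs and every body field comes out as garbage."""
    version, ptype, seq_no, flags, session_id, length = HEADER.unpack(packet[:HEADER.size])
    body = packet[HEADER.size:HEADER.size + length]
    if not flags & TAC_PLUS_UNENCRYPTED_FLAG:
        body = obfuscate(body, session_id, key, version, seq_no)
    (action, priv_lvl, authen_type, service,
     ulen, plen, rlen, dlen) = START_FIXED.unpack(body[:START_FIXED.size])
    off = START_FIXED.size
    fields = {}
    for name, n in (("user", ulen), ("port", plen), ("rem_addr", rlen), ("data", dlen)):
        fields[name] = body[off:off + n]
        off += n
    return {"version": version, "type": ptype, "seq_no": seq_no, "session_id": session_id,
            "action": action, "priv_lvl": priv_lvl, "authen_type": authen_type,
            "service": service, **fields}


def summarize(packet: bytes, key: bytes) -> str:
    """One-line description of a START packet as decoded with the given key."""
    p = parse_authen_start(packet, key)
    svc = SERVICE_NAMES.get(p["service"], "unknown")
    return (f"seq={p['seq_no']} service={svc} priv_lvl={p['priv_lvl']} "
            f"user={p['user'].decode('ascii', 'replace')} "
            f"port={p['port'].decode('ascii', 'replace')}")


# Constructed sample values (not from the thread); a real device picks a fresh random session_id
KEY = b"example-shared-key"
LOGIN_PKT = build_authen_start(0x1A2B3C4D, KEY, "ibm", "tty1", "192.0.2.10",
                               TAC_PLUS_AUTHEN_SVC_LOGIN, 1)
ENABLE_PKT = build_authen_start(0x5E6F7081, KEY, "ibm", "tty1", "192.0.2.10",
                                TAC_PLUS_AUTHEN_SVC_ENABLE, 15)

if __name__ == "__main__":
    print("login START :", summarize(LOGIN_PKT, KEY))
    print("enable START:", summarize(ENABLE_PKT, KEY))
    print("wrong key   :", summarize(ENABLE_PKT, b"guess"))
```

Decoding ENABLE_PKT with KEY yields the same username as the login packet with service=enable and priv_lvl=15; decoding it with any other key yields unrelated bytes, which is the whole strength of the transport, so treat the "tacacs-server key" like a password and keep the device-to-server path on a trusted management network.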
