TACACS enable

huntlee
Level 1

To all R&S expert,

I have a customer which wants their TACACS server to authenticate for both 'login' as well as 'enable'. However, no matter what they do, they get prompted for the username and password twice. They want to be prompted for both username and password once during 'login', but when they press enable, they only want to be prompted for the password, not the username again.

Currently they have the following config on their Cat 6513

aaa authentication password-prompt "Backup-password: "
aaa authentication username-prompt "Backup-username: "
aaa authentication login default group tacacs_group local
aaa authentication enable default group tacacs_group enable

And they currently see the following when they log in and enable:

==================================================
!!! NO UNAUTHORIZED ACCESS !!!
Access to this device or the attached networks
without explicit written permission is prohibited
and will be prosecuted.
==================================================

Username: ibm
Password:
MPELZ21CS01>en

User Access Verification

Username: ibm
Password:
MPELZ21CS01#

I have spent a great amount of time on this already but couldn't figure out why. Would appreciate anyone's help.

Cheers,

Hunt

4 Replies

srue
Level 7

Have you looked at the settings on their ACS server?

What version of software is on the switch and TACACS server?

Cat 6513 IOS version = 12.2(33)SXH3 (s72033-ipservicesk9_wan-mz.122-33.SXH3.bin)

ACS version = v4.1

What settings in particular should I check inside the ACS server?

Thanks,

Hunt

Calin C.
Level 5

Hi!

I understand that you want something like this:

---didi is the name of the c6500 where I'm doing ssh-----

"
ssh didi -l john
john@didi's password: ******
didi>ena
Password: ******
didi#
"

Then please try the sample config below:

aaa new-model
aaa authentication login default group tacacs+ local
aaa authentication enable default group tacacs+ enable
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
!
aaa session-id common
!
tacacs-server host xxx.xxx.xxx.xxx
tacacs-server directed-request
tacacs-server key *******
!
line vty 0 4
 exec-timeout 30 0
 logging synchronous
 transport preferred ssh
 transport input ssh

The rest of the config is done on ACS server.

If you have the possibility, try it and tell me if it is working!

Cheers,

Calin

Btw, if you want the user to be authenticated directly to enable (privilege 15),

use the additional line below under "aaa new-model":

aaa authorization exec default group tacacs+ if-authenticated

Good luck!

Calin
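Both configs in this thread use two-method lists ('group tacacs+ local' for login, 'group tacacs+ enable' for enable), and what those lists actually do is often misread. The following is an added example for this thread, not Cisco code and not Calin's or Hunt's configuration: a small Python model of how IOS evaluates an AAA method list. It walks the list left to right and moves to the next method only when the current one returns an error (typically no TACACS+ server reachable); a pass or a fail from the server ends the evaluation. So the local user database or the enable secret is consulted only when the server is down, never when the server rejects the password. The TacacsServer class, the usernames and the passwords are constructed stand-ins; the two method-list lines are taken from Calin's sample config.

```python
"""Model of Cisco IOS AAA method-list evaluation (constructed example for the thread above).

IOS tries the next method in a list only when the current one returns ERROR
(for example, no TACACS+ server answered). PASS or FAIL from any method ends the
evaluation, so 'group tacacs+ local' reaches the local database only while the
server is unreachable, and 'group tacacs+ enable' reaches the enable secret only
in the same case.
"""
from dataclasses import dataclass, field
from enum import Enum


class Result(Enum):
    PASS = "pass"
    FAIL = "fail"
    ERROR = "error"   # method unavailable: IOS moves on to the next method


def parse_method_list(config_line):
    """'aaa authentication enable default group tacacs+ enable' -> ['group tacacs+', 'enable']"""
    tokens = config_line.split()
    if tokens[:2] != ["aaa", "authentication"] or len(tokens) < 5:
        raise ValueError(f"not an aaa authentication line: {config_line!r}")
    methods, i = [], 4            # skip: aaa authentication <login|enable> <list-name>
    while i < len(tokens):
        if tokens[i] == "group":  # 'group <server-group>' is a single method
            methods.append(f"group {tokens[i + 1]}")
            i += 2
        else:                     # local, enable, line, none, ...
            methods.append(tokens[i])
            i += 1
    return methods


@dataclass
class TacacsServer:
    """Constructed stand-in for the AAA server; credentials keyed by user and service."""
    reachable: bool = True
    users: dict = field(default_factory=dict)   # user -> {"login": pw, "enable": pw}

    def authenticate(self, service, user, password):
        if not self.reachable:
            return Result.ERROR                  # server silent: IOS treats this as ERROR
        expected = self.users.get(user, {}).get(service)
        return Result.PASS if expected is not None and expected == password else Result.FAIL


@dataclass
class Device:
    tacacs: TacacsServer
    local_users: dict = field(default_factory=dict)  # username -> password
    enable_secret: str = ""

    def _run_method(self, method, service, user, password):
        if method.startswith("group "):
            return self.tacacs.authenticate(service, user, password)
        if method == "local":
            return Result.PASS if self.local_users.get(user) == password else Result.FAIL
        if method == "enable":
            return Result.PASS if password == self.enable_secret else Result.FAIL
        raise ValueError(f"method not modelled: {method!r}")

    def evaluate(self, config_line, user, password):
        """Return (Result, deciding method). Stops at the first PASS/FAIL, skips past ERROR."""
        service = config_line.split()[2]           # 'login' or 'enable'
        for method in parse_method_list(config_line):
            r = self._run_method(method, service, user, password)
            if r is not Result.ERROR:
                return r, method
        return Result.FAIL, None                   # every method errored: access denied


# Method lists from Calin's sample config; credentials below are constructed.
LOGIN_LIST = "aaa authentication login default group tacacs+ local"
ENABLE_LIST = "aaa authentication enable default group tacacs+ enable"


def demo(server_reachable=True):
    server = TacacsServer(reachable=server_reachable,
                          users={"john": {"login": "j-login", "enable": "j-enable"}})
    dev = Device(server, local_users={"john": "local-pw"}, enable_secret="site-enable")
    return {
        "login_good": dev.evaluate(LOGIN_LIST, "john", "j-login"),
        "login_wrong": dev.evaluate(LOGIN_LIST, "john", "local-pw"),   # local pw not tried while server answers
        "enable_good": dev.evaluate(ENABLE_LIST, "john", "j-enable"),
        "enable_secret": dev.evaluate(ENABLE_LIST, "john", "site-enable"),
    }


if __name__ == "__main__":
    for label, outcome in demo().items():
        print(f"server up   {label:14} -> {outcome}")
    for label, outcome in demo(server_reachable=False).items():
        print(f"server down {label:14} -> {outcome}")
```

Running it with the server up shows every decision made by 'group tacacs+', including the rejections; only with the server marked unreachable do 'local' and 'enable' decide. For a defender the practical consequence is that the local password and enable secret are a reachability fallback, not a second chance after a TACACS+ reject, so they still need to be set and rotated but do not widen the normal login path.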
