09-04-2008 05:58 PM - edited 03-06-2019 01:11 AM
To all R&S experts,
I have a customer who wants their TACACS server to authenticate both 'login' and 'enable'. However, no matter what they do, they get prompted for the username and password twice. They want to be prompted for both username and password once during 'login', but when they type enable, they only want to be prompted for the password, not the username again.
Currently they have the following config on their Cat 6513
! Custom prompt strings used when the switch itself asks for credentials;
! prompt text supplied by the TACACS+ server is shown instead when the server provides it
aaa authentication password-prompt "Backup-password: "
aaa authentication username-prompt "Backup-username: "
! Login: try the TACACS+ server group first, fall back to the local user database
aaa authentication login default group tacacs_group local
! Enable: try the TACACS+ server group first, fall back to the enable password/secret
aaa authentication enable default group tacacs_group enable
And they currently see the following when logging in and entering enable mode:
==================================================
!!! NO UNAUTHORIZED ACCESS !!!
Access to this device or the attached networks
without explicit written permission is prohibited
and will be prosecuted.
==================================================
Username: ibm
Password:
MPELZ21CS01>en
User Access Verification
Username: ibm
Password:
MPELZ21CS01#
I have spent a great amount of time on this already but couldn't figure out why. I would appreciate anyone's help.
Cheers,
Hunt
09-04-2008 06:59 PM
Have you looked at the settings on their ACS server?
What version of software is on the switch and on the TACACS server?
09-04-2008 07:38 PM
Cat 6513 IOS version = 12.2(33)SXH3 (s72033-ipservicesk9_wan-mz.122-33.SXH3.bin)
ACS version = v4.1
What settings in particular should I check inside the ACS server?
Thanks,
Hunt
09-04-2008 11:30 PM
Hi!
I understand that you want something like this:
---didi is the name of the c6500 where I'm doing ssh-----
"
ssh didi -l john
john@didi's password: ******
didi>ena
Password: ******
didi#
"
Then please try the sample config below:
aaa new-model
! Login and enable both go to TACACS+ first; local users / enable password are the fallback
aaa authentication login default group tacacs+ local
aaa authentication enable default group tacacs+ enable
! Send EXEC session and privilege-15 command accounting records to TACACS+
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
!
! One accounting session ID shared by all records of a session
aaa session-id common
!
tacacs-server host xxx.xxx.xxx.xxx
! Allow the user@server syntax at the login prompt to pick a specific server
tacacs-server directed-request
tacacs-server key *******
!
line vty 0 4
 exec-timeout 30 0
 logging synchronous
 transport preferred ssh
 transport input ssh
The rest of the config is done on ACS server.
If you have the possibility, try it and tell me if it works!
Cheers,
Calin
09-04-2008 11:37 PM
Btw, if you want the user to be authenticated directly into enable (privilege 15),
use the additional line below under "aaa new-model":
aaa authorization exec default group tacacs+ if-authenticated
Good luck!
Calin
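The thread above is about which prompts the switch shows for 'login' and for 'enable' when TACACS+ handles both. The Python below is an added example, not code from this thread, from Cisco or from ACS: it encodes and decodes the TACACS+ authentication START and REPLY packets defined in RFC 8907, including the MD5 body obfuscation keyed on the shared secret, and runs a login START (empty user field, privilege 1, service LOGIN) beside an enable START (user carried from the session, privilege 15, service ENABLE). The shared key, session IDs, username, port and remote address are constructed test values, and the server-side decision (ask GETUSER only when the START carried no user, otherwise GETPASS) is a simplified model of the ASCII login flow, not ACS's real logic.

```python
"""TACACS+ authentication START / REPLY encoder-decoder (RFC 8907).

Added example, not code from the original thread or from Cisco/ACS.
Key, session ids, usernames and the server decision logic are constructed
test values and a simplified model, not captured traffic.
"""
import hashlib
import struct

# Header (RFC 8907 section 4.1): version, type, seq_no, flags, session_id, length
HEADER_FMT = "!BBBBII"
HEADER_LEN = 12
TAC_PLUS_VERSION = 0xC0          # major 0xC, minor 0x0 (ASCII login)
TAC_PLUS_AUTHEN = 0x01
TAC_PLUS_UNENCRYPTED_FLAG = 0x01

# Authentication START body (section 5.1)
TAC_PLUS_AUTHEN_LOGIN = 0x01
TAC_PLUS_AUTHEN_TYPE_ASCII = 0x01
TAC_PLUS_AUTHEN_SVC_LOGIN = 0x01
TAC_PLUS_AUTHEN_SVC_ENABLE = 0x02

# REPLY status values (section 5.2)
TAC_PLUS_AUTHEN_STATUS_GETUSER = 0x04
TAC_PLUS_AUTHEN_STATUS_GETPASS = 0x05

KEY = b"constructed-shared-secret"   # constructed; stands in for 'tacacs-server key'


def obfuscate(body, session_id, key, version, seq_no):
    """Body obfuscation of section 4.5: XOR with an MD5 chain keyed on
    session_id, key, version and seq_no.  Applying it twice restores the body."""
    seed = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    pad, prev = b"", b""
    while len(pad) < len(body):
        prev = hashlib.md5(seed + prev).digest()
        pad += prev
    return bytes(b ^ p for b, p in zip(body, pad))


def wrap(ptype, seq_no, session_id, body, key):
    """Prepend a header and obfuscate the body with the shared key."""
    header = struct.pack(HEADER_FMT, TAC_PLUS_VERSION, ptype, seq_no, 0x00, session_id, len(body))
    return header + obfuscate(body, session_id, key, TAC_PLUS_VERSION, seq_no)


def unwrap(packet, key):
    """Split a packet into header fields and the de-obfuscated body."""
    version, ptype, seq_no, flags, session_id, length = struct.unpack(HEADER_FMT, packet[:HEADER_LEN])
    body = packet[HEADER_LEN:HEADER_LEN + length]
    if not flags & TAC_PLUS_UNENCRYPTED_FLAG:
        body = obfuscate(body, session_id, key, version, seq_no)
    hdr = {"version": version, "type": ptype, "seq_no": seq_no, "session_id": session_id}
    return hdr, body


def build_authen_start(key, session_id, service, priv_lvl, user, port="tty1", rem_addr="192.0.2.10"):
    """Client -> server START (seq_no 1).  'user' may be empty for an interactive login."""
    fields = [user.encode(), port.encode(), rem_addr.encode(), b""]      # data is empty for ASCII
    body = struct.pack("!BBBBBBBB", TAC_PLUS_AUTHEN_LOGIN, priv_lvl, TAC_PLUS_AUTHEN_TYPE_ASCII,
                       service, *(len(f) for f in fields)) + b"".join(fields)
    return wrap(TAC_PLUS_AUTHEN, 1, session_id, body, key)


def parse_authen_start(packet, key):
    hdr, body = unwrap(packet, key)
    action, priv_lvl, authen_type, service, ulen, plen, rlen, dlen = struct.unpack("!BBBBBBBB", body[:8])
    user = body[8:8 + ulen].decode()
    port = body[8 + ulen:8 + ulen + plen].decode()
    return dict(hdr, action=action, priv_lvl=priv_lvl, authen_type=authen_type,
                service=service, user=user, port=port)


def server_first_reply(start, key):
    """Simplified server model (an assumption, not ACS logic): ask for the
    username only when the START carried none, otherwise ask for the password."""
    if start["user"]:
        status, prompt = TAC_PLUS_AUTHEN_STATUS_GETPASS, "Password: "
    else:
        status, prompt = TAC_PLUS_AUTHEN_STATUS_GETUSER, "Username: "
    msg = prompt.encode()
    body = struct.pack("!BBHH", status, 0x00, len(msg), 0) + msg   # status, flags, server_msg_len, data_len
    return wrap(TAC_PLUS_AUTHEN, start["seq_no"] + 1, start["session_id"], body, key)


def parse_reply(packet, key):
    hdr, body = unwrap(packet, key)
    status, flags, msg_len, data_len = struct.unpack("!BBHH", body[:6])
    return dict(hdr, status=status, server_msg=body[6:6 + msg_len].decode())


def demo():
    """Login START without a username versus enable START carrying the session's user."""
    login = parse_authen_start(build_authen_start(KEY, 0x1A2B3C4D, TAC_PLUS_AUTHEN_SVC_LOGIN, 1, ""), KEY)
    enable = parse_authen_start(build_authen_start(KEY, 0x1A2B3C4E, TAC_PLUS_AUTHEN_SVC_ENABLE, 15, "ibm"), KEY)
    return {
        "login_reply": parse_reply(server_first_reply(login, KEY), KEY),
        "enable_start": enable,
        "enable_reply": parse_reply(server_first_reply(enable, KEY), KEY),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

Running it shows the login START answered with GETUSER ("Username: ") and the enable START, which already names the user, answered with GETPASS ("Password: "). The obfuscation is a plain XOR keystream derived from the shared key with MD5, so anyone who can read the TCP stream and knows the key recovers both prompts and passwords; this is why TACACS+ between a switch and ACS should stay on a management network and why the key in 'tacacs-server key' must not be guessable.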