en pass and en secret with AAA authentication

Oct 6th, 2008

Hi all,


I have a question: recently I set up ACS 4.2 and configured an aaa client. Everything was working fine until one day the ACS went off-line. I was able to authenticate with the local account and go into enable mode, but when I tried to see the configuration file or do config t, I got a message basically saying that I did not have the rights to do it. I have no idea why; the only thing I can think of is that I removed the enable password from the config and left only enable secret. Does that have anything to do with the issue I experienced?


Thank you in advance!

Cheers....

Richard Burts Mon, 10/06/2008 - 13:17

Mauricio


The symptoms that you describe sound more like a problem with the configuration of authorization. I doubt that it has anything to do with removing the enable password.


Perhaps you could post the aaa configuration (or perhaps even the complete router config) and that might help us to see what the issue is.


HTH


Rick

mguzman4158 Mon, 10/06/2008 - 13:22

Hi Rick,


Here it is.


enable secret 5 XXXXXXXXX
!
username XXXXX password 7 XXXXXXX
aaa new-model
aaa authentication attempts login 5
aaa authentication login default group tacacs+ local enable
aaa authorization commands 15 default group tacacs+ local if-authenticated
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
!
aaa session-id common

tacacs-server host XXXXXXX
tacacs-server attempts 5
tacacs-server directed-request
tacacs-server key 7 XXXXXXX

line con 0
 exec-timeout 20 0
 password 7 XXXXXXXXXXXX
line vty 0 4
 exec-timeout 20 0
 password 7 XXXXXXXXXXXXXXXXXXXXX

Richard Burts Tue, 10/07/2008 - 04:05

Mauricio


Thanks for providing the additional information. It is not clear to me whether the problem is only about showing the config and about config t or whether it is affecting any command that requires privilege access. (I am guessing that it is any command requiring privilege access) Can you tell us whether other commands that require privilege access do work in that situation (for example can you clear counters on interfaces)?


I would suggest that perhaps you try changing this:

aaa authorization commands 15 default group tacacs+ local if-authenticated

and make it this:

aaa authorization commands 15 default group tacacs+ if-authenticated


HTH


Rick
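To make the difference between the two method lists above concrete, here is a small simulation of how IOS walks an AAA method list. It is an added example written for this thread, not code from the original posts or from Cisco. It models the general IOS rule that methods are tried left to right and that only a method answering ERROR (server unreachable or timed out) hands over to the next method, while PASS or FAIL ends the walk. The way the `local` method is scored (comparing the local username's configured privilege level with the command level) and the denial when every method errors are assumptions made for this model; the `Scenario` fields, `authorize()` and `parse_authorization_line()` are names invented here.

```python
"""Simulate IOS AAA method-list evaluation for 'aaa authorization commands'.

Rule modelled (general IOS behaviour): methods run left to right; a method
that answers PASS or FAIL is final, only ERROR lets the next method run.
"""
from dataclasses import dataclass

PASS, FAIL, ERROR = "PASS", "FAIL", "ERROR"


@dataclass
class Scenario:
    """Constructed inputs describing the state of the router and server."""
    tacacs_reachable: bool     # False models the ACS being off-line
    tacacs_permits: bool       # what the server would answer if reachable
    local_user_privilege: int  # privilege level of the local 'username' entry
    authenticated: bool        # the session passed login authentication


def parse_authorization_line(line: str):
    """Turn 'aaa authorization commands 15 default group tacacs+ local ...'
    into (command_level, [method, ...]); 'group X' is kept as one method."""
    tokens = line.split()
    if tokens[:3] != ["aaa", "authorization", "commands"]:
        raise ValueError("not an 'aaa authorization commands' line")
    level = int(tokens[3])
    rest = tokens[5:]          # tokens[4] is the list name (e.g. 'default')
    methods, i = [], 0
    while i < len(rest):
        if rest[i] == "group":
            methods.append(f"group {rest[i + 1]}")
            i += 2
        else:
            methods.append(rest[i])
            i += 1
    return level, methods


def run_method(method: str, command_level: int, s: Scenario) -> str:
    """Answer PASS / FAIL / ERROR for one method under the scenario."""
    if method == "group tacacs+":
        if not s.tacacs_reachable:
            return ERROR       # no answer from the server: try next method
        return PASS if s.tacacs_permits else FAIL
    if method == "local":
        # Assumption for this model: local command authorization checks the
        # local username's privilege level against the command level.
        return PASS if s.local_user_privilege >= command_level else FAIL
    if method == "if-authenticated":
        return PASS if s.authenticated else FAIL
    if method == "none":
        return PASS
    raise ValueError(f"unknown method {method!r}")


def authorize(line: str, s: Scenario):
    """Walk the method list; return (final verdict, [(method, answer), ...])."""
    level, methods = parse_authorization_line(line)
    trail = []
    for method in methods:
        answer = run_method(method, level, s)
        trail.append((method, answer))
        if answer != ERROR:    # PASS and FAIL are final
            return answer, trail
    return FAIL, trail         # assumption: every method errored -> deny


def fallback_blockers(line: str):
    """Report methods that sit before 'if-authenticated'/'none' and can answer
    FAIL, so they would stop the walk before the fallback is ever reached."""
    _, methods = parse_authorization_line(line)
    fallbacks = {"if-authenticated", "none"}
    blockers = []
    for method in methods:
        if method in fallbacks:
            break
        if method == "local":
            blockers.append(method)
    return blockers


if __name__ == "__main__":
    ORIGINAL = "aaa authorization commands 15 default group tacacs+ local if-authenticated"
    SUGGESTED = "aaa authorization commands 15 default group tacacs+ if-authenticated"
    # Constructed scenario: ACS off-line, user logged in locally with a
    # username that has no 'privilege 15' keyword, then entered enable.
    acs_down = Scenario(tacacs_reachable=False, tacacs_permits=True,
                        local_user_privilege=1, authenticated=True)
    for cfg in (ORIGINAL, SUGGESTED):
        verdict, trail = authorize(cfg, acs_down)
        print(f"{cfg}\n  -> {verdict} via {trail}")
    print("methods that can block the fallback:", fallback_blockers(ORIGINAL))
```

With the server down, the first line stops at `local` with FAIL (the username carries only privilege 1 in this model), so `if-authenticated` is never consulted; the second line errors on `group tacacs+` and falls straight through to `if-authenticated`. When the server is reachable and rejects the command, both lines deny it, because a FAIL from TACACS+ is final in either list.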

mguzman4158 Mon, 10/13/2008 - 17:22

Hi Rick,

I wanted to thank you for taking the time to help others and let you know what the problem was. The appliance was going into a hung state, but not completely down, thus some aaa clients were still communicating with it and it wasn't letting me fully authenticate with the tacacs account or local account. In a nutshell it was a hardware issue.


Richard Burts Tue, 10/14/2008 - 14:05

Mauricio


Thank you for posting back to the thread and indicating that you have solved the problem and what the solution was. It makes the forum more useful when people can read a problem and can read and find what was the cause of the problem.


The forum is a good place to learn about Cisco networking. I encourage you to continue your participation in the forum.


HTH


Rick
