
en pass and en secret with AAA authentication

mguzman4158
Level 1

Hi all,

I have a question: recently I set up ACS 4.2 and configured an AAA client. Everything was working fine until one day the ACS went off-line. I was able to authenticate with the local account and go into enable mode, but when I tried to see the configuration file or do config t, I got a message basically saying that I did not have the rights to do it. I have no idea why; the only thing I can think of is that I removed the enable password from the config and left only enable secret. Does that have anything to do with the issue I experienced?

Thank you in advance!

Cheers....

5 Replies

Richard Burts
Hall of Fame

Mauricio

The symptoms that you describe sound more like a problem with the configuration of authorization. I doubt that it has anything to do with removing the enable password.

Perhaps you could post the aaa configuration (or perhaps even the complete router config) and that might help us to see what the issue is.

HTH

Rick


Hi Rick,

Here it is.

enable secret 5 XXXXXXXXX
!
username XXXXX password 7 XXXXXXX
aaa new-model
aaa authentication attempts login 5
aaa authentication login default group tacacs+ local enable
aaa authorization commands 15 default group tacacs+ local if-authenticated
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
!
aaa session-id common
tacacs-server host XXXXXXX
tacacs-server attempts 5
tacacs-server directed-request
tacacs-server key 7 XXXXXXX
line con 0
 exec-timeout 20 0
 password 7 XXXXXXXXXXXX
line vty 0 4
 exec-timeout 20 0
 password 7 XXXXXXXXXXXXXXXXXXXXX

Mauricio

Thanks for providing the additional information. It is not clear to me whether the problem is only about showing the config and about config t, or whether it is affecting any command that requires privileged access. (I am guessing that it is any command requiring privileged access.) Can you tell us whether other commands that require privileged access do work in that situation (for example, can you clear counters on interfaces)?

I would suggest that perhaps you try changing this:

aaa authorization commands 15 default group tacacs+ local if-authenticated

and make it this:

aaa authorization commands 15 default group tacacs+ if-authenticated

HTH

Rick

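The difference between the two authorization lines Rick compares comes down to how IOS walks a method list: it moves to the next method only when the previous one returns an error (server unreachable or timed out), not when it returns a fail (server answered and denied). The following is an added example, not code from the thread, that models that rule for the two method lists posted above. The PASS/FAIL/ERROR model, the treatment of a hung or down TACACS+ host as ERROR, the modelling of "local" command authorization as a privilege-level check, and the Session fields are all assumptions made for the illustration; the local username in the posted config has no "privilege" keyword, so it is modelled at the IOS default of privilege 1.

```python
# Added example (not from the thread): a small model of how IOS walks an AAA
# command-authorization method list, used to compare the two lines discussed above.
# Assumptions (not stated on the page): a method returns PASS, FAIL or ERROR;
# IOS only falls through to the next method on ERROR (server unreachable or
# timed out), never on FAIL (server answered "deny"); "if-authenticated" is PASS
# for any authenticated session; "local" is modelled as PASS only when the local
# user's privilege level covers the command level, and ERROR if the user is unknown.
from dataclasses import dataclass, field

PASS, FAIL, ERROR = "PASS", "FAIL", "ERROR"

# The two method lists from the thread, in their IOS syntax.
ORIGINAL = "aaa authorization commands 15 default group tacacs+ local if-authenticated"
SUGGESTED = "aaa authorization commands 15 default group tacacs+ if-authenticated"


def parse_method_list(line):
    """Return the ordered methods after 'default' in an aaa authorization line."""
    tokens = line.split()
    methods = tokens[tokens.index("default") + 1:]
    out = []
    while methods:
        if methods[0] == "group":          # 'group tacacs+' is one method, two tokens
            out.append(f"group {methods[1]}")
            methods = methods[2:]
        else:
            out.append(methods.pop(0))
    return out


@dataclass
class Session:
    user: str
    authenticated: bool
    local_priv: dict                        # constructed local username DB: name -> privilege
    tacacs_state: str                       # constructed: "up", "down" or "hung"
    tacacs_allow: dict = field(default_factory=dict)  # constructed ACS policy: user -> bool


def tacacs_authorize(s, cmd_level):
    # Assumption: a host that is down (no connection) or hung (connects but never
    # answers, so the request times out) both surface to the router as ERROR.
    if s.tacacs_state != "up":
        return ERROR
    return PASS if s.tacacs_allow.get(s.user, False) else FAIL


def local_authorize(s, cmd_level):
    priv = s.local_priv.get(s.user)
    if priv is None:
        return ERROR                        # assumption: unknown user -> try the next method
    return PASS if priv >= cmd_level else FAIL


def if_authenticated(s, cmd_level):
    return PASS if s.authenticated else FAIL


METHODS = {"group tacacs+": tacacs_authorize, "local": local_authorize,
           "if-authenticated": if_authenticated}


def authorize_command(method_line, s, cmd_level=15):
    """Walk the list left to right; the first non-ERROR verdict is final."""
    for name in parse_method_list(method_line):
        verdict = METHODS[name](s, cmd_level)
        if verdict != ERROR:
            return verdict, name
    return FAIL, None                       # every method errored: deny


if __name__ == "__main__":
    # 'username XXXXX password 7 ...' with no 'privilege' keyword defaults to level 1.
    acs_hung = Session("mauricio", True, {"mauricio": 1}, "hung")
    for line in (ORIGINAL, SUGGESTED):
        print(line.split("default ")[1], "->", authorize_command(line, acs_hung))
```

With the ACS unreachable, the original list stops at "local": the level-1 local user is denied a level-15 command, and because that is a FAIL rather than an ERROR, "if-authenticated" is never consulted. With "local" removed, the same session falls through to "if-authenticated" and is permitted. The model also shows the other side of the rule: when the server is up and answers "deny", no later method is tried, so "if-authenticated" is not a back door past a reachable TACACS+ server. Note that only a clean timeout or connection failure produces the fallback; a server that is partly alive and returns answers the router does not treat as an error will not fall through at all.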

Hi Rick,

I wanted to thank you for taking the time to help others and let you know what the problem was. The appliance was going into a hung state, but not completely down, thus some AAA clients were still communicating with it and it wasn't letting me fully authenticate with the TACACS account or the local account. In a nutshell, it was a hardware issue.

Mauricio

Thank you for posting back to the thread and indicating that you have solved the problem and what the solution was. It makes the forum more useful when people can read a problem and then find what the cause of the problem was.

The forum is a good place to learn about Cisco networking. I encourage you to continue your participation in the forum.

HTH

Rick
