10-06-2008 01:04 PM - edited 03-10-2019 04:07 PM
Hi all,
I have a question: recently I set up ACS 4.2 and configured it on an aaa client. Everything was working fine until one day the ACS went off-line. I was able to authenticate with the local account and go into enable mode, but when I tried to see the configuration file or do config t, I got a message basically saying that I did not have the rights to do it. I have no idea why; the only thing I can think of is that I removed the enable password from the config and left only enable secret. Does that have anything to do with the issue I experienced?
Thank you in advance!
Cheers....
10-06-2008 01:17 PM
Mauricio
The symptoms that you describe sound more like a problem with the configuration of authorization. I doubt that it has anything to do with removing the enable password.
Perhaps you could post the aaa configuration (or perhaps even the complete router config) and that might help us to see what the issue is.
HTH
Rick
10-06-2008 01:22 PM
Hi Rick,
Here it is.
enable secret 5 XXXXXXXXX
!
username XXXXX password 7 XXXXXXX
aaa new-model
aaa authentication attempts login 5
aaa authentication login default group tacacs+ local enable
aaa authorization commands 15 default group tacacs+ local if-authenticated
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
!
aaa session-id common
tacacs-server host XXXXXXX
tacacs-server attempts 5
tacacs-server directed-request
tacacs-server key 7 XXXXXXX
line con 0
 exec-timeout 20 0
 password 7 XXXXXXXXXXXX
line vty 0 4
 exec-timeout 20 0
 password 7 XXXXXXXXXXXXXXXXXXXXX
10-07-2008 04:05 AM
Mauricio
Thanks for providing the additional information. It is not clear to me whether the problem is only about showing the config and about config t or whether it is affecting any command that requires privilege access. (I am guessing that it is any command requiring privilege access) Can you tell us whether other commands that require privilege access do work in that situation (for example can you clear counters on interfaces)?
I would suggest that perhaps you try changing this:
aaa authorization commands 15 default group tacacs+ local if-authenticated
and make it this:
aaa authorization commands 15 default group tacacs+ if-authenticated
HTH
Rick
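To see why the order of methods matters, here is a small model of how IOS walks an AAA method list (an added illustration, not code from this thread or from Cisco): each method returns PASS, FAIL or ERROR, and IOS only moves on to the next method on ERROR (server unreachable or timed out), while a FAIL is final. The scenario values (local user at privilege 1, level-15 command, ACS unreachable) are constructed, and the assumption that the local method grants a command by comparing the user's privilege level with the command level is mine; a hung server that still answers, even with a deny, does not produce an ERROR, so no fallback happens at all.

```python
# Model of Cisco IOS AAA method-list evaluation (added illustration, not
# code from the thread). Each method returns PASS, FAIL or ERROR; IOS tries
# the next method only on ERROR (no answer from the server), FAIL is final.
from enum import Enum


class Result(Enum):
    PASS = "pass"
    FAIL = "fail"
    ERROR = "error"


def tacacs_plus(server_up, server_allows):
    if not server_up:
        return Result.ERROR  # timeout: IOS falls through to the next method
    return Result.PASS if server_allows else Result.FAIL  # an answer is final


def local(user_privilege, command_level):
    # Assumption: local command authorization compares privilege levels, so
    # a "username X password Y" entry (default privilege 1) fails level 15.
    return Result.PASS if user_privilege >= command_level else Result.FAIL


def if_authenticated():
    return Result.PASS  # the user already passed login authentication


def authorize(methods, ctx):
    """Walk the method list; return (final result, method that decided)."""
    for name in methods:
        if name == "group tacacs+":
            r = tacacs_plus(ctx["server_up"], ctx["server_allows"])
        elif name == "local":
            r = local(ctx["user_privilege"], ctx["command_level"])
        elif name == "if-authenticated":
            r = if_authenticated()
        else:
            raise ValueError(name)
        if r is not Result.ERROR:
            return r, name
    return Result.FAIL, "end-of-list"  # every method errored: deny


ORIGINAL = ["group tacacs+", "local", "if-authenticated"]
SUGGESTED = ["group tacacs+", "if-authenticated"]
# Constructed scenario: ACS unreachable, local user at default privilege 1,
# operator runs a level-15 command such as "show running-config".
ACS_DOWN = dict(server_up=False, server_allows=True, user_privilege=1, command_level=15)

if __name__ == "__main__":
    for label, methods in (("original", ORIGINAL), ("suggested", SUGGESTED)):
        print(label, authorize(methods, ACS_DOWN))
```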
10-13-2008 05:22 PM
Hi Rick,
I wanted to thank you for taking the time to help others and let you know what the problem was. The appliance was going into a hung state, but not completely down, thus some aaa clients were still communicating with it and it wasn't letting me fully authenticate with the tacacs account or local account. In a nutshell it was a hardware issue.
10-14-2008 02:05 PM
Mauricio
Thank you for posting back to the thread and indicating that you have solved the problem and what the solution was. It makes the forum more useful when people can read a problem and can read and find what the cause of the problem was.
The forum is a good place to learn about Cisco networking. I encourage you to continue your participation in the forum.
HTH
Rick