Cisco 6509-E and AAA

Unanswered Question
Apr 23rd, 2009
The following is the existing AAA config on my 6509 switch:

aaa new-model
aaa authentication login default group tacacs+
aaa authentication enable default group tacacs+
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 1 default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+

This works except for the fact that when the enable command is issued, it prompts for a username again after the initial username. See below:


User Access Verification

Username: xxxxxxx
Password:

6509>en

User Access Verification

Username: xxxxxxxx
Password:

6509#


Does anyone know what may be causing this and how it can be solved?


davy.timmermans Thu, 04/23/2009 - 02:10
User Badges:
  • Silver, 250 points or more

no aaa authentication enable default group tacacs+


A default authentication is defined for enable which overrides the enable secret.


HTH




stephen.sanyaol... Thu, 04/23/2009 - 02:31

I have applied the following:

no aaa authentication enable default group tacacs+


See what I have:

Username: xxxxxx
Password:

6509>en
Password:
% Access denied


I still want to use tacacs+ for my privilege password for the enable command. This is the way it works for all other devices (routers and switches) on my network except the newly deployed 6509-E.

stephen.sanyaol... Thu, 04/23/2009 - 04:40

I just got this from Cisco documentation:

CSCsu21040 -- AAA Enable authentication prompts for username/password instead of just password


The caveat was solved in Release 12.2(33)SXH4.



Giuseppe Larosa Thu, 04/23/2009 - 05:21
User Badges:
  • Super Silver, 17500 points or more
  • Hall of Fame, Founding Member

Hello Stephen,

With the following config it works well for us:


sh run | inc aaa
aaa new-model
aaa authentication login ACS group tacacs+ local
aaa authentication enable default group tacacs+ enable
aaa accounting update newinfo
aaa accounting exec ACS start-stop group tacacs+
aaa accounting commands 1 ACS start-stop group tacacs+
aaa accounting commands 15 ACS start-stop group tacacs+
aaa session-id common

sh ver | inc image
System image file is "disk0:s72033-advipservicesk9_wan-mz.122-33.SXH2.bin"


Hope to help

Giuseppe



stephen.sanyaol... Thu, 04/23/2009 - 05:37

Hello,


This is similar to my config:

aaa authentication login default group tacacs+
aaa authentication enable default group tacacs+
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 1 default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+


The only difference here is that you used the word option ACS instead of using default and, in your case, applied login authentication ACS under line vty 0 15.


It is interesting, though, that you said it is working for you without bringing up the second username, which is the main issue here.


This is caused by the bug CSCsu21040. From Cisco documentation, the description given to the bug is "AAA Enable authentication prompts for username/password instead of just password". This caveat was solved in release 12.2(33)SXH4.


Search for CSCsu21040 from:

http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/12.2SX/release/notes/ol_14271.pdf



Giuseppe Larosa Thu, 04/30/2009 - 07:02
User Badges:
  • Super Silver, 17500 points or more
  • Hall of Fame, Founding Member

Hello Stephen,

I see in the list of affected versions that our release should also be affected.


Probably some of our additional commands, like

aaa session-id common

are a workaround for this.


Yes, the method list is ACS and it is applied on the vty:

sh run | beg line vty
line vty 0 3
 access-class 24 in
 exec-timeout 15 0
 password 7
 accounting commands 1 ACS
 accounting commands 15 ACS
 accounting exec ACS
 login authentication ACS
 transport input lat pad udptn telnet rlogin ssh acercon



Hope to help

Giuseppe
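The configuration point that runs through this thread can be checked mechanically: Giuseppe's lists end in a local method ("group tacacs+ local" for login, "group tacacs+ enable" for enable), the original config's lists are TACACS+ only, and removing the enable list with no enable secret behind it produced "% Access denied". The following Python linter is an added example, not code from the thread or from Cisco. It parses the "aaa authentication" lines and the "line vty" blocks of a pasted running-config and reports three things: a method list with no local fallback (which locks administrators out whenever the TACACS+ servers are unreachable), a vty line whose "login authentication" references a method list that is never defined, and a config with "aaa new-model" but no enable authentication path at all. The three sample configs are constructed for the example and modelled on the ones posted above; the function names are the example's own.

```python
import re

# Constructed sample modelled on Giuseppe's posted config: every list has a
# local fallback and the vty line references a method list that exists.
SAMPLE_WITH_FALLBACK = """\
aaa new-model
aaa authentication login ACS group tacacs+ local
aaa authentication enable default group tacacs+ enable
aaa accounting exec ACS start-stop group tacacs+
aaa session-id common
line vty 0 3
 login authentication ACS
 transport input ssh
"""

# Constructed sample modelled on the original poster's config: TACACS+ only,
# plus a vty line pointing at a method list that is never defined.
SAMPLE_NO_FALLBACK = """\
aaa new-model
aaa authentication login default group tacacs+
aaa authentication enable default group tacacs+
line vty 0 15
 login authentication MISSING
"""

# Constructed sample for the '% Access denied' case from the thread: the enable
# authentication list was removed and there is no enable secret to fall back on.
SAMPLE_NO_ENABLE_PATH = """\
aaa new-model
aaa authentication login default group tacacs+ local
"""

AUTH_RE = re.compile(r"^aaa authentication (login|enable) (\S+)\s+(.+)$")
LINE_RE = re.compile(r"^line (\S.*)$")
LOGIN_REF_RE = re.compile(r"^\s*login authentication (\S+)$")
ENABLE_SECRET_RE = re.compile(r"^enable (secret|password)\b")

# Methods that do not depend on a reachable AAA server.
LOCAL_METHODS = {"local", "local-case", "enable", "line"}


def split_methods(tokens):
    """Join 'group <server-group>' token pairs into single method entries."""
    methods, i = [], 0
    while i < len(tokens):
        if tokens[i] == "group" and i + 1 < len(tokens):
            methods.append("group " + tokens[i + 1])
            i += 2
        else:
            methods.append(tokens[i])
            i += 1
    return methods


def parse_auth_lists(config):
    """Return {(kind, name): [methods]} from 'aaa authentication' lines."""
    lists = {}
    for raw in config.splitlines():
        m = AUTH_RE.match(raw.strip())
        if m:
            kind, name, rest = m.groups()
            lists[(kind, name)] = split_methods(rest.split())
    return lists


def parse_login_refs(config):
    """Return [(line_block, list_name)] for each 'login authentication' under a 'line' block."""
    refs, current = [], None
    for raw in config.splitlines():
        lm = LINE_RE.match(raw)
        if lm:
            current = lm.group(1)
            continue
        rm = LOGIN_REF_RE.match(raw)
        if rm and current is not None:
            refs.append((current, rm.group(1)))
    return refs


def lint_aaa(config):
    """Return a list of finding strings; an empty list means nothing to flag."""
    findings = []
    lines = [l.strip() for l in config.splitlines()]
    lists = parse_auth_lists(config)

    for (kind, name), methods in lists.items():
        if not any(m in LOCAL_METHODS for m in methods):
            findings.append(
                f"{kind}/{name}: only server-based methods ({', '.join(methods)}); "
                "add a local fallback such as 'local' or 'enable', or authentication "
                "fails whenever the TACACS+ servers are unreachable")

    login_names = {name for (kind, name) in lists if kind == "login"}
    for line_block, ref in parse_login_refs(config):
        # IOS resolves 'default' itself, so only named lists are checked here.
        if ref != "default" and ref not in login_names:
            findings.append(
                f"line {line_block}: 'login authentication {ref}' references a "
                "method list that is not defined")

    has_enable_list = any(kind == "enable" for (kind, _) in lists)
    has_enable_secret = any(ENABLE_SECRET_RE.match(l) for l in lines)
    if "aaa new-model" in lines and not has_enable_list and not has_enable_secret:
        findings.append(
            "no 'aaa authentication enable' list and no enable secret/password: "
            "'enable' will be refused (% Access denied)")
    return findings


if __name__ == "__main__":
    for label, cfg in [("with fallback", SAMPLE_WITH_FALLBACK),
                       ("no fallback", SAMPLE_NO_FALLBACK),
                       ("no enable path", SAMPLE_NO_ENABLE_PATH)]:
        print(f"== {label} ==")
        for finding in lint_aaa(cfg) or ["OK"]:
            print(" -", finding)
```

Run it against the output of "sh run | inc aaa" and "sh run | beg line vty" pasted into one string. The first sample passes clean, the second reports both TACACS+-only lists plus the dangling vty reference, and the third reports the missing enable path; the check on "default" references is deliberately lenient because IOS resolves that name on its own.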

