Cisco 6509-E and AAA

Unanswered Question
Apr 23rd, 2009

The following is the existing AAA config on my 6509 switch:

aaa new-model
aaa authentication login default group tacacs+
aaa authentication enable default group tacacs+
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 1 default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+

This works except for the fact that when the enable command is issued, it prompts for the username again after the initial username. See below:

User Access Verification

Username: xxxxxxx
Password:
6509>en

User Access Verification

Username: xxxxxxxx
Password:
6509#

Does anyone know what may be causing this and how it can be solved?

davy.timmermans Thu, 04/23/2009 - 02:10

no aaa authentication enable default group tacacs+

A default authentication is defined for enable which overrides the enable secret

HTH

stephen.sanyaol... Thu, 04/23/2009 - 02:31

I have applied the following:

no aaa authentication enable default group tacacs+

See what I have:

Username: xxxxxx
Password:
6509>en
Password:
% Access denied

I still want to use TACACS+ for my privilege password for the enable command. This is the way it works for all other devices (routers and switches) on my network except the newly deployed 6509-E.

stephen.sanyaol... Thu, 04/23/2009 - 04:40

I just got this from Cisco documentation:

CSCsu21040 -- AAA Enable authentication prompts for username/password instead of just password

The caveat was solved in Release 12.2(33)SXH4.

Giuseppe Larosa Thu, 04/23/2009 - 05:21

Hello Stephen,

with the following config it works well for us

sh run | inc aaa

aaa new-model
aaa authentication login ACS group tacacs+ local
aaa authentication enable default group tacacs+ enable
aaa accounting update newinfo
aaa accounting exec ACS start-stop group tacacs+
aaa accounting commands 1 ACS start-stop group tacacs+
aaa accounting commands 15 ACS start-stop group tacacs+
aaa session-id common

sh ver | inc image

System image file is "disk0:s72033-advipservicesk9_wan-mz.122-33.SXH2.bin"

Hope to help

Giuseppe

stephen.sanyaol... Thu, 04/23/2009 - 05:37

Hello,

This is similar to my config:

aaa authentication login default group tacacs+
aaa authentication enable default group tacacs+
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 1 default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+

The only difference here is that you used the named option ACS instead of default, and in your case applied login authentication ACS under line vty 0 15.

It is interesting though that you said it is working for you without bringing the second username --- which is the main issue here.

This is caused by the bug CSCsu21040. From Cisco documentation, the description given to the bug is "AAA Enable authentication prompts for username/password instead of just password". This caveat was solved in release 12.2(33)SXH4.

Search for CSCsu21040 from:

http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/12.2SX/release/notes/ol_14271.pdf

Giuseppe Larosa Thu, 04/30/2009 - 07:02

Hello Stephen,

I see in the list of affected versions that our release should also be affected.

Probably some of our additional commands like

aaa session-id common

are a workaround for this

Yes, the method list is ACS and it is applied on the vty:

sh run | beg line vty

line vty 0 3
 access-class 24 in
 exec-timeout 15 0
 password 7
 accounting commands 1 ACS
 accounting commands 15 ACS
 accounting exec ACS
 login authentication ACS
 transport input lat pad udptn telnet rlogin ssh acercon

Hope to help

Giuseppe
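The following is an added example, not a configuration posted by anyone in this thread. It pulls the pieces discussed above into one complete AAA configuration: a named login method list, TACACS+ enable authentication with a fallback method, command and exec accounting, and the lists applied to the vty lines. The server address, the shared key, the local username and the access-list number are placeholders chosen for illustration.

```cisco
! Added example; not from the original thread. Placeholders: 192.0.2.10,
! REPLACE_ME, the username "admin" and access-list 24.
aaa new-model
!
! TACACS+ server and shared key (placeholder values).
tacacs-server host 192.0.2.10 key 0 REPLACE_ME
!
! Login: ask TACACS+ first. IOS moves on to the next method ("local") only
! when the TACACS+ servers cannot be reached; an explicit reject from the
! server is final and is NOT retried against the local database.
aaa authentication login ACS group tacacs+ local
!
! Enable: ask TACACS+ for the enable password; the trailing "enable" keyword
! falls back to the locally configured enable secret, again only when the
! servers are unreachable. Without that keyword a TACACS+ outage leaves no
! way into privileged mode.
aaa authentication enable default group tacacs+ enable
!
! Accounting for exec sessions and for level 1 and level 15 commands.
aaa accounting update newinfo
aaa accounting exec ACS start-stop group tacacs+
aaa accounting commands 1 ACS start-stop group tacacs+
aaa accounting commands 15 ACS start-stop group tacacs+
aaa session-id common
!
! Local credentials used only while TACACS+ is down (placeholder secrets).
username admin privilege 15 secret REPLACE_ME
enable secret REPLACE_ME
!
! Apply the named lists to all vty lines. Lines without "login
! authentication ACS" would not use this list, so cover every vty.
line vty 0 15
 access-class 24 in
 exec-timeout 15 0
 login authentication ACS
 accounting exec ACS
 accounting commands 1 ACS
 accounting commands 15 ACS
 transport input ssh
```

Two checks are worth doing before closing the session that applied this: keep a second session open and confirm a fresh login plus enable still works, and run test aaa group tacacs+ with a known user and password to confirm the switch can actually reach the server (the fallback methods only engage on an unreachable server, never on a wrong password). Note that the named list ACS applies only to the lines where it is configured; the console line keeps whatever it had before, so verify console access separately.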
