Cisco 6509-E and AAA

The following is the existing AAA config on my 6509 switch:

aaa new-model
aaa authentication login default group tacacs+
aaa authentication enable default group tacacs+
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 1 default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+

This works except for the fact that when the enable command is issued, it prompts for the username again after the initial username. See below:

User Access Verification

Username: xxxxxxx
Password:
6509>en

User Access Verification

Username: xxxxxxxx
Password:
6509#

Does anyone know what may be causing this and how it can be solved?

8 Replies

davy.timmermans
Level 4

no aaa authentication enable default group tacacs+

A default authentication is defined for enable which overrides the enable secret

HTH

I have applied the following:

no aaa authentication enable default group tacacs+

See what I have:

Username: xxxxxx
Password:
6509>en
Password:
% Access denied

I still want to use tacacs+ for my privilege password for the enable command. This is the way it works for all other devices (routers and switches) on my network except the newly deployed 6509-E.

Could this be an issue with 6509?

Many thanks for your help.

I just got this from cisco documentation:

CSCsu21040 -- AAA Enable authentication prompts for username/password instead of just password

The caveat was solved in Release 12.2(33)SXH4.

Hello Stephen,

with the following config it works well for us

sh run | inc aaa
aaa new-model
aaa authentication login ACS group tacacs+ local
aaa authentication enable default group tacacs+ enable
aaa accounting update newinfo
aaa accounting exec ACS start-stop group tacacs+
aaa accounting commands 1 ACS start-stop group tacacs+
aaa accounting commands 15 ACS start-stop group tacacs+
aaa session-id common

sh ver | inc image
System image file is "disk0:s72033-advipservicesk9_wan-mz.122-33.SXH2.bin"

Hope to help

Giuseppe

Hello,

This is similar to my config:

aaa authentication login default group tacacs+
aaa authentication enable default group tacacs+
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 1 default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+

The only difference here is that you used the named option ACS instead of default and, in your case, applied login authentication ACS under line vty 0 15.

It is interesting though that you said it is working for you without bringing the second username --- which is the main issue here.

This is caused by the bug CSCsu21040. From Cisco documentation, the description given to the bug is "AAA Enable authentication prompts for username/password instead of just password". This caveat was solved in release 12.2(33)SXH4.

Search for CSCsu21040 from:

http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/12.2SX/release/notes/ol_14271.pdf

Confirmed

Hello Stephen,

I see in the list of affected versions that our release should also be affected.

Probably some of our additional commands like

aaa session-id common

are a workaround for this

Yes, the method list is ACS and it is applied on the vty.

sh run | beg line vty
line vty 0 3
 access-class 24 in
 exec-timeout 15 0
 password 7
 accounting commands 1 ACS
 accounting commands 15 ACS
 accounting exec ACS
 login authentication ACS
 transport input lat pad udptn telnet rlogin ssh acercon

Hope to help

Giuseppe
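The two configs in this thread differ in one security-relevant way besides the named list: the original poster's `aaa authentication enable default group tacacs+` has no fallback method, so if every TACACS+ server is unreachable nobody can reach privilege 15, while Giuseppe's `group tacacs+ enable` falls back to the local enable secret. IOS only moves to the next method in a list when the previous method returns an error (server unreachable), not when the server rejects the credentials, so a fallback does not weaken TACACS+ when the servers are up. The following script is an added example, not code from the thread or from Cisco: it parses the `aaa authentication` lines and `line vty` stanzas of a `show running-config` and reports how enable authentication will be resolved, which fallback applies, and whether every login list referenced on a vty line is actually defined. The sample config is constructed for the example, modelled on the configs posted above (the `enable secret` hash is a placeholder), and the second vty stanza deliberately references an undefined list to show the check firing.

```python
"""Audit the AAA authentication section of a Cisco IOS running-config.

Added example (not from the forum thread). Assumptions: the input is the
text of ``show running-config``; only the ``default`` enable list is
consulted by IOS for the ``enable`` command; a method list falls through
to the next method only on server error, not on a rejected login.
"""
import re
from dataclasses import dataclass, field

# Constructed sample config modelled on the thread; secret hash is a placeholder.
SAMPLE_CONFIG = """\
aaa new-model
aaa authentication login ACS group tacacs+ local
aaa authentication enable default group tacacs+ enable
aaa accounting exec ACS start-stop group tacacs+
aaa accounting commands 1 ACS start-stop group tacacs+
aaa accounting commands 15 ACS start-stop group tacacs+
aaa session-id common
enable secret 5 $1$xxxx$placeholderhashvalue
line vty 0 3
 access-class 24 in
 exec-timeout 15 0
 accounting commands 15 ACS
 accounting exec ACS
 login authentication ACS
 transport input ssh
line vty 4 15
 login authentication MISSING
 transport input ssh
"""

AUTH_RE = re.compile(r"^aaa authentication (login|enable) (\S+) (.+)$")
LINE_RE = re.compile(r"^line (\S.*)$")
# Methods in the order IOS tries them; "group <name>" is a server group.
METHOD_RE = re.compile(r"\bgroup \S+|\blocal(?:-case)?\b|\benable\b|\bline\b|\bnone\b")


@dataclass
class AaaAudit:
    new_model: bool = False
    login_lists: dict = field(default_factory=dict)      # list name -> methods
    enable_lists: dict = field(default_factory=dict)     # list name -> methods
    vty_login_lists: dict = field(default_factory=dict)  # "vty 0 3" -> list name
    has_enable_password: bool = False                    # enable secret/password present
    findings: list = field(default_factory=list)


def parse_methods(spec: str) -> list:
    """'group tacacs+ local' -> ['group tacacs+', 'local'] (fallback order)."""
    return METHOD_RE.findall(spec)


def audit(config: str) -> AaaAudit:
    a = AaaAudit()
    current_line = None  # name of the "line ..." stanza we are inside, if any
    for raw in config.splitlines():
        line = raw.rstrip()
        if not line.startswith(" "):
            current_line = None  # top-level command ends any line stanza
        stripped = line.strip()
        if stripped == "aaa new-model":
            a.new_model = True
        elif stripped.startswith(("enable secret", "enable password")):
            a.has_enable_password = True
        m = AUTH_RE.match(stripped)
        if m:
            kind, name, spec = m.groups()
            target = a.login_lists if kind == "login" else a.enable_lists
            target[name] = parse_methods(spec)
            continue
        m = LINE_RE.match(line)
        if m:
            current_line = m.group(1)
            continue
        if current_line and stripped.startswith("login authentication "):
            a.vty_login_lists[current_line] = stripped.split()[-1]

    enable = a.enable_lists.get("default")  # IOS uses only the default enable list
    if enable is None:
        if a.new_model and not a.has_enable_password:
            a.findings.append("no enable method list and no enable secret/password: "
                              "enable has nothing to check against")
        elif a.new_model:
            a.findings.append("enable uses the local enable secret only (no TACACS+)")
    else:
        if len(enable) == 1 and enable[0].startswith("group"):
            a.findings.append("enable has no fallback: unreachable TACACS+ "
                              "locks everyone out of privilege 15")
        if "none" in enable:
            a.findings.append("enable falls back to 'none': privilege 15 without a password")
        if "enable" in enable and not a.has_enable_password:
            a.findings.append("enable falls back to the enable secret but none is configured")
    for vty, name in a.vty_login_lists.items():
        if name not in a.login_lists:
            a.findings.append(f"line {vty} references undefined login list {name}")
    for name, methods in a.login_lists.items():
        if "none" in methods:
            a.findings.append(f"login list {name} falls back to 'none'")
    return a


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG).findings:
        print("-", finding)
```

Run it against your own `show running-config` output by replacing `SAMPLE_CONFIG`; the `none` checks matter because a `none` fallback grants access whenever the servers are down, which is the one case where the fallback method is actually used.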
