ACS 4.2 authentication and Privileged exec mode on Test Router.

Answered Question
May 13th, 2009

The goal is to have ACS authenticate my username via ssh and allow me to get into privileged exec mode once authenticated. Details below.

I have ACS 4.2 Solution Engine and I have a test router with the following commands setup:

aaa new-model

aaa authentication login default group tacacs+ local

aaa session-id common

tacacs-server host 10.4.4.21 single-connection

tacacs-server key $#$&$*#

The problem is this. I can SSH and logon to the router which uses a user in the ACS database but the router will not allow me to use the enable command to get to exec mode. The error it gives me is:

AAA_ROUTER_CLIENT>enable

% Error in authentication.

AAA_ROUTER_CLIENT>

I must be missing something in the ACS. Any help would be appreciated.

Correct Answer by Jagdeep Gambhir about 7 years 9 months ago

You are missing this command:

aaa authorization exec default group tacacs+ if-authenticated

This is what you need on the router:

Router(config)# username [username] password [password]

tacacs-server host [ip]

tacacs-server key [key]

aaa new-model

aaa authentication login default group tacacs+ local

aaa authorization exec default group tacacs+ if-authenticated

On ACS:

Bring users/groups in at level 15

1. Go to user or group setup in ACS

2. Drop down to "TACACS+ Settings"

3. Place a check in "Shell (Exec)"

4. Place a check in "Privilege level" and enter "15" in the adjacent field

Regards,

~JG

Do rate helpful posts
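As an added check that is not part of this thread (my own code, not Cisco's), the script below reads an IOS running-config and reports which of the AAA statements from the answer above are missing; the sample config is constructed from the original post with a placeholder TACACS+ key, and the statement list and regexes are my assumptions about what a complete setup looks like.

```python
import re
from typing import List

# Statements the answer above says a router needs for TACACS+ login plus
# privilege-15 exec authorization. Each entry: (label, regex over one config line).
# Note: "if-authenticated" lets exec authorization succeed for an already
# authenticated user when the TACACS+ server cannot be reached, so a server
# outage does not lock operators out of the router.
REQUIRED = [
    ("aaa new-model", r"^aaa new-model$"),
    ("login authentication via TACACS+",
     r"^aaa authentication login default group tacacs\+( local)?$"),
    ("exec authorization via TACACS+ (grants privilege level 15 on login)",
     r"^aaa authorization exec default group tacacs\+( if-authenticated| local)*$"),
    ("tacacs-server host", r"^tacacs-server host \S+"),
    ("tacacs-server key", r"^tacacs-server key \S+"),
]


def check_aaa_config(running_config: str) -> List[str]:
    """Return the labels of required AAA statements missing from the config text."""
    lines = [ln.strip() for ln in running_config.splitlines()
             if ln.strip() and not ln.strip().startswith("!")]
    missing = []
    for label, pattern in REQUIRED:
        if not any(re.match(pattern, ln) for ln in lines):
            missing.append(label)
    return missing


# Constructed sample: the original poster's configuration, which authenticates
# the SSH login but never authorizes the exec shell, hence "% Error in authentication."
BROKEN_CONFIG = """\
aaa new-model
aaa authentication login default group tacacs+ local
aaa session-id common
tacacs-server host 10.4.4.21 single-connection
tacacs-server key PLACEHOLDER_KEY
"""

# The same config with the one line from the accepted answer added.
FIXED_CONFIG = BROKEN_CONFIG + "aaa authorization exec default group tacacs+ if-authenticated\n"

if __name__ == "__main__":
    for name, cfg in (("broken", BROKEN_CONFIG), ("fixed", FIXED_CONFIG)):
        print(name, "missing:", check_aaa_config(cfg) or "nothing")
```

Paste the output of `show running-config | include aaa|tacacs` into the script to audit a real router; the ACS-side "Shell (Exec)" and "Privilege level 15" settings still have to be checked in the ACS GUI.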

nomair_83 Wed, 05/13/2009 - 12:46

You need to configure aaa authorization command as well.

In ACS enable the "shell" with privilege level as well.

