05-13-2009 11:01 AM - edited 03-10-2019 04:29 PM
The goal is to have ACS authenticate my username via ssh and allow me to get into privileged exec mode once authenticated. Details below.
I have ACS 4.2 Solution Engine and I have a test router with the following commands setup:
aaa new-model
aaa authentication login default group tacacs+ local
aaa session-id common
tacacs-server host 10.4.4.21 single-connection
tacacs-server key $#$&$*#
The problem is this. I can SSH in and log on to the router using a user in the ACS database, but the router will not allow me to use the enable command to get to exec mode. The error it gives me is:
AAA_ROUTER_CLIENT>enable
% Error in authentication.
AAA_ROUTER_CLIENT>
I must be missing something in the ACS. Any help would be appreciated.
05-13-2009 02:08 PM
You are missing this command:
aaa authorization exec default group tacacs+ if-authenticated
This is what you need on the router:
Router(config)# username [username] password [password]
tacacs-server host [ip]
tacacs-server key [key]
aaa new-model
aaa authentication login default group tacacs+ local
aaa authorization exec default group tacacs+ if-authenticated
On ACS:
Bring users/groups in at level 15
1. Go to user or group setup in ACS
2. Drop down to "TACACS+ Settings"
3. Place a check in "Shell (Exec)"
4. Place a check in "Privilege level" and enter "15" in the adjacent field
Regards,
~JG
Do rate helpful posts
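As an added illustration, not code from the original thread or from Cisco ACS, the following Python shows the exchange that `aaa authorization exec default group tacacs+` adds: after login, the router sends a TACACS+ authorization REQUEST with `service=shell` and an empty `cmd`, and the server answers PASS_ADD with a `priv-lvl` attribute only when "Shell (Exec)" and a privilege level are set for the user, which is why the user lands in privileged EXEC without typing `enable`. Framing and body obfuscation follow RFC 8907; the `acs_exec_authorize` decision function, the `USERS` table, the shared key, session id, tty port and remote address are constructed stand-ins for the real ACS and router.

```python
"""TACACS+ exec-authorization exchange (RFC 8907 framing).
Added example; the ACS decision logic, user table, key and addresses are constructed."""
import hashlib
import struct

# Protocol constants from RFC 8907
TAC_PLUS_VERSION = 0xC0                 # major 0xC, minor 0 (default)
TAC_PLUS_AUTHOR = 0x02                  # packet type: authorization
TAC_PLUS_UNENCRYPTED_FLAG = 0x01        # set only when the body is sent in clear
TAC_PLUS_AUTHEN_METH_TACACSPLUS = 0x06
TAC_PLUS_AUTHEN_TYPE_ASCII = 0x01
TAC_PLUS_AUTHEN_SVC_LOGIN = 0x01
TAC_PLUS_AUTHOR_STATUS_PASS_ADD = 0x01
TAC_PLUS_AUTHOR_STATUS_FAIL = 0x10

HEADER = struct.Struct("!BBBBII")       # version, type, seq_no, flags, session_id, length

# Constructed stand-in for the ACS user/group "TACACS+ Settings" page.
USERS = {
    "netadmin": {"shell_exec": True, "priv_lvl": 15},   # Shell (Exec) checked, level 15
    "helpdesk": {"shell_exec": False, "priv_lvl": 1},   # Shell (Exec) not checked
}


def pseudo_pad(session_id, key, version, seq_no, length):
    """MD5 keystream used to obfuscate the body (RFC 8907 sec. 4.5)."""
    sid = struct.pack("!I", session_id)
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(sid + key + bytes([version, seq_no]) + prev).digest()
        pad += prev
    return pad[:length]


def obfuscate(body, session_id, key, version, seq_no):
    """XOR the body with the pseudo-pad; applying it twice restores the body."""
    pad = pseudo_pad(session_id, key, version, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))


def build_packet(ptype, seq_no, session_id, key, body):
    header = HEADER.pack(TAC_PLUS_VERSION, ptype, seq_no, 0x00, session_id, len(body))
    return header + obfuscate(body, session_id, key, TAC_PLUS_VERSION, seq_no)


def parse_packet(packet, key):
    version, ptype, seq_no, flags, session_id, length = HEADER.unpack(packet[:HEADER.size])
    body = packet[HEADER.size:HEADER.size + length]
    if not flags & TAC_PLUS_UNENCRYPTED_FLAG:
        body = obfuscate(body, session_id, key, version, seq_no)
    return ptype, seq_no, session_id, body


def author_request_body(user, port, rem_addr, args, priv_lvl=1):
    """Authorization REQUEST body (RFC 8907 sec. 6.1)."""
    u, p, r = user.encode(), port.encode(), rem_addr.encode()
    a = [x.encode() for x in args]
    fixed = struct.pack("!BBBBBBBB", TAC_PLUS_AUTHEN_METH_TACACSPLUS, priv_lvl,
                        TAC_PLUS_AUTHEN_TYPE_ASCII, TAC_PLUS_AUTHEN_SVC_LOGIN,
                        len(u), len(p), len(r), len(a))
    return fixed + bytes(len(x) for x in a) + u + p + r + b"".join(a)


def parse_author_request(body):
    _, _, _, _, ulen, plen, rlen, argc = struct.unpack("!BBBBBBBB", body[:8])
    arg_lens = list(body[8:8 + argc])
    off = 8 + argc
    user = body[off:off + ulen].decode()
    off += ulen + plen + rlen                 # skip port and rem_addr
    args = []
    for n in arg_lens:
        args.append(body[off:off + n].decode())
        off += n
    return user, args


def author_reply_body(status, args=(), server_msg=b""):
    """Authorization REPLY body (RFC 8907 sec. 6.2); no data field used here."""
    a = [x.encode() for x in args]
    fixed = struct.pack("!BBHH", status, len(a), len(server_msg), 0)
    return fixed + bytes(len(x) for x in a) + server_msg + b"".join(a)


def parse_author_reply(body):
    status, argc, msg_len, data_len = struct.unpack("!BBHH", body[:6])
    arg_lens = list(body[6:6 + argc])
    off = 6 + argc + msg_len + data_len
    args = []
    for n in arg_lens:
        args.append(body[off:off + n].decode())
        off += n
    return status, args


def acs_exec_authorize(user, args):
    """Constructed stand-in for ACS: shell authorization passes only with Shell (Exec) set."""
    entry = USERS.get(user)
    if "service=shell" in args and entry and entry["shell_exec"]:
        return TAC_PLUS_AUTHOR_STATUS_PASS_ADD, ["priv-lvl=%d" % entry["priv_lvl"]]
    return TAC_PLUS_AUTHOR_STATUS_FAIL, []


def exec_authorization(user, key, session_id=0x1A2B3C4D):
    """Router REQUEST (seq 1) -> server REPLY (seq 2). Returns the privilege level the
    router places the session in, or None when the server answers FAIL."""
    # Router side: an empty cmd means the EXEC shell itself is being authorized.
    req = build_packet(TAC_PLUS_AUTHOR, 1, session_id, key,
                       author_request_body(user, "tty66", "10.4.4.50", ["service=shell", "cmd*"]))
    # Server side
    _, _, sid, body = parse_packet(req, key)
    status, rargs = acs_exec_authorize(*parse_author_request(body))
    rep = build_packet(TAC_PLUS_AUTHOR, 2, sid, key, author_reply_body(status, rargs))
    # Router side again
    _, _, _, rbody = parse_packet(rep, key)
    status, rargs = parse_author_reply(rbody)
    if status != TAC_PLUS_AUTHOR_STATUS_PASS_ADD:
        return None
    attrs = dict(a.split("=", 1) for a in rargs if "=" in a)
    return int(attrs.get("priv-lvl", 1))


if __name__ == "__main__":
    for name in USERS:
        print(name, "->", exec_authorization(name, b"constructed-test-key"))
```

The FAIL branch is worth noting against the `if-authenticated` keyword in the accepted answer: IOS falls through to the next method in a list only when the TACACS+ server errors out or does not answer, not when it answers with FAIL, so a user without "Shell (Exec)" set is denied the EXEC shell even though login succeeded. On the router, `debug aaa authorization` shows the same `service=shell` request and the `priv-lvl` attribute coming back.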
05-13-2009 12:46 PM
You need to configure aaa authorization command as well.
In ACS enable the "shell" with privilege level as well.