ACS 4.2 authentication and Privileged exec mode on Test Router.

Joshua Engels
Level 1

The goal is to have ACS authenticate my username via ssh and allow me to get into privileged exec mode once authenticated. Details below.

I have ACS 4.2 Solution Engine and I have a test router with the following commands setup:

aaa new-model

aaa authentication login default group tacacs+ local

aaa session-id common

tacacs-server host 10.4.4.21 single-connection

tacacs-server key $#$&$*#

The problem is this: I can SSH and log on to the router using a user from the ACS database, but the router will not allow me to use the enable command to get to exec mode. The error it gives me is:

AAA_ROUTER_CLIENT>enable

% Error in authentication.

AAA_ROUTER_CLIENT>

I must be missing something in the ACS. Any help would be appreciated.

Accepted Solution

Jagdeep Gambhir
Level 10

You are missing this command:

aaa authorization exec default group tacacs+ if-authenticated

This is what you need on the router:

Router(config)# username [username] password [password]

tacacs-server host [ip]

tacacs-server key [key]

aaa new-model

aaa authentication login default group tacacs+ local

aaa authorization exec default group tacacs+ if-authenticated

On ACS:

Bring users/groups in at level 15

1. Go to user or group setup in ACS

2. Drop down to "TACACS+ Settings"

3. Place a check in "Shell (Exec)"

4. Place a check in "Privilege level" and enter "15" in the adjacent field

Regards,

~JG

Do rate helpful posts

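As an added check (example code written for this page, not from the thread, Cisco or ACS), a small Python audit that compares a pasted IOS config against the router-side lines in the accepted answer and reports what is missing. The sample config and its placeholder key are constructed from the original post.

```python
import re

# Constructed sample: the original poster's config fragment with a placeholder
# key; the exec-authorization line the accepted answer adds is absent.
SAMPLE_CONFIG = """\
aaa new-model
aaa authentication login default group tacacs+ local
aaa session-id common
tacacs-server host 10.4.4.21 single-connection
tacacs-server key PLACEHOLDER-KEY
"""

# Router-side lines from the accepted answer: (regex, line as the answer gives it).
REQUIRED = [
    (r"^aaa new-model$", "aaa new-model"),
    (r"^aaa authentication login default group tacacs\+ local$",
     "aaa authentication login default group tacacs+ local"),
    (r"^aaa authorization exec default group tacacs\+ if-authenticated$",
     "aaa authorization exec default group tacacs+ if-authenticated"),
    (r"^tacacs-server host \S+", "tacacs-server host [ip]"),
    (r"^tacacs-server key \S+", "tacacs-server key [key]"),
    (r"^username \S+ (password|secret) \S+", "username [username] password [password]"),
]

def audit_aaa(config: str) -> dict:
    """Report which of the answer's required lines are absent and what to do."""
    lines = [ln.strip() for ln in config.splitlines() if ln.strip()]
    missing = [fix for pat, fix in REQUIRED
               if not any(re.match(pat, ln) for ln in lines)]
    hosts = [ln.split()[2] for ln in lines if ln.startswith("tacacs-server host ")]
    if any(m.startswith("aaa authorization exec") for m in missing):
        advice = ("add 'aaa authorization exec default group tacacs+ "
                  "if-authenticated' and, on ACS, tick Shell (Exec) with "
                  "Privilege level 15 for the user or group")
    elif missing:
        advice = "complete the router-side AAA/TACACS+ configuration"
    else:
        advice = "router side matches the accepted answer; check the ACS settings"
    # Caveat: in the authorization list, if-authenticated lets exec authorization
    # succeed for any already-authenticated user when the TACACS+ group cannot be
    # reached; with the 'local' fallback on the login list, the local username is
    # what governs access during a server outage, so keep it tightly controlled.
    return {"missing": missing, "tacacs_hosts": hosts, "advice": advice}

if __name__ == "__main__":
    for key, val in audit_aaa(SAMPLE_CONFIG).items():
        print(f"{key}: {val}")
```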

2 Replies

nomair_83
Level 3

You need to configure aaa authorization command as well.

In ACS enable the "shell" with privilege level as well.
