Tacacs or Enable Secret Not Working

Answered Question
Sep 24th, 2009

Hi experts,

I have a 2821 router set up for TACACS for default login and configured an enable secret. The funny thing is that when I telnet into this device and log in using my TACACS credentials, it directly prompts me to privileged mode (router#). My other device prompts me to user mode (router>). Can anyone help me configure this router so it goes to user mode and asks for the enable secret?

Correct Answer
Collin Clark Fri, 09/25/2009 - 05:19

Check your VTY lines. Look for a statement like-


privilege level 15


If it's there, remove it. If it's not there, the privilege is probably in ACS.

johnlloyd_13 Sat, 09/26/2009 - 21:17

Hi Collin,

Thanks! You were right. There was this config under line vty. I've removed it, and it now prompts me to user mode.

Rolf Fischer Fri, 09/25/2009 - 08:52

Your tacacs-server can provide 3 things (AAA):

A - Authentication (who are you?)

A - Authorization (here we can define what method/database to use for the login-privilege for a particular group - if we want that!)

A - Accounting (who did what?)


The configured aaa-groups can be assigned to line con 0, line vty ..., ...

router(config-line)#login authentication default

("default" is the name of the list configured with "aaa ...")


Maybe you can post the relevant part of your config (aaa...; line ...)



Jagdeep Gambhir Fri, 09/25/2009 - 09:09

Hi John,

You need to remove this command from the router,


aaa authorization exec default group tacacs+


or


You can also remove the shell privilege 15 from ACS group setup.


Regards,

~JG


Do rate helpful posts

Rolf Fischer Fri, 09/25/2009 - 10:26

Think I didn't explain very well...

I was thinking of something like that:


aaa new-model

aaa authentication login TELNET group tacacs+


line vty 0 4

login authentication TELNET

line vty 5 15

login authentication TELNET


"TELNET" is just the name of my list.

There is also a default list which uses the local database. I didn't define anything for authorization, so the local database (-> enable-password) is used.


HTH
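The two ways a TACACS+ login can land straight in privileged mode that the answers above describe (a `privilege level 15` under `line vty`, or an `aaa authorization exec ... group tacacs+` list that lets the ACS shell priv-lvl attribute set the level) are easy to miss in a long running-config. The following audit script is an added example, not code from the original posts or from Cisco; it parses a constructed sample config in the shape of `show running-config`, reports both conditions plus a missing `enable secret`, and shows the per-line fix. The block-parsing assumes the usual one-space indentation of sub-commands under `line ...`.

```python
"""Audit a Cisco IOS running-config for paths that drop a VTY login straight
into privilege level 15, bypassing the enable secret.

Added example for this thread; not code from the posts or from Cisco.  The
sample config is constructed, and the parser assumes the standard IOS
indentation (one space before sub-commands of a 'line ...' block)."""

import re

# Constructed sample: the "before" state described in the question.
SAMPLE_CONFIG = """\
!
aaa new-model
aaa authentication login default group tacacs+ local
aaa authorization exec default group tacacs+
!
enable secret 5 $1$abcd$ConstructedHashNotReal000000
!
tacacs-server host 192.0.2.10
tacacs-server key 7 0822455D0A16
!
line con 0
line vty 0 4
 privilege level 15
 login authentication default
line vty 5 15
 login authentication default
!
end
"""


def parse_line_blocks(config):
    """Return {'vty 0 4': [sub-commands], ...} for every 'line ...' block."""
    blocks = {}
    current = None
    for raw in config.splitlines():
        if raw.startswith("line "):
            current = raw[len("line "):].strip()
            blocks[current] = []
        elif current is not None and raw.startswith(" "):
            blocks[current].append(raw.strip())
        else:
            current = None  # any top-level command (or '!') ends the block
    return blocks


def audit(config):
    """Return a list of (severity, finding) tuples."""
    findings = []
    lines = config.splitlines()

    # 1. Collin Clark's case: the VTY line itself grants level 15 on login.
    for name, subs in parse_line_blocks(config).items():
        if name.startswith("vty") and "privilege level 15" in subs:
            findings.append(("HIGH", f"line {name}: 'privilege level 15' puts "
                             "logins in privileged mode without 'enable'"))

    # 2. Jagdeep Gambhir's case: exec authorization is delegated to TACACS+,
    #    so the server's shell priv-lvl attribute decides the starting level.
    for line in lines:
        m = re.match(r"aaa authorization exec (\S+) (.+)$", line)
        if m and "tacacs" in m.group(2):
            findings.append(("INFO", f"exec authorization list '{m.group(1)}' "
                             "uses TACACS+: a shell priv-lvl 15 on the ACS "
                             "side lands the user in privileged mode"))

    # 3. Without an enable secret there is nothing to fall back to.
    if not any(line.startswith("enable secret") for line in lines):
        findings.append(("MEDIUM", "no 'enable secret' configured"))
    return findings


def strip_vty_privilege(config):
    """Return the config with 'privilege level 15' removed from vty blocks."""
    out, in_vty = [], False
    for raw in config.splitlines():
        if raw.startswith("line "):
            in_vty = raw.startswith("line vty")
        elif not raw.startswith(" "):
            in_vty = False
        if in_vty and raw.strip() == "privilege level 15":
            continue
        out.append(raw)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    for sev, msg in audit(SAMPLE_CONFIG):
        print(f"[{sev}] {msg}")
    print("--- after removing the vty privilege line ---")
    for sev, msg in audit(strip_vty_privilege(SAMPLE_CONFIG)):
        print(f"[{sev}] {msg}")
```

Removing the line only clears the HIGH finding; the INFO finding stays because, as Jagdeep notes, the remaining path to privileged mode is the shell priv-lvl the ACS group returns, which has to be lowered on the server side (or the exec authorization list removed) if users should start in user mode.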

