Tacacs or Enable Secret Not Working

Answered Question
Sep 24th, 2009

Hi experts,

I have a 2821 router set up for TACACS for default login and configured with an enable secret. The funny thing is that when I telnet into this device and log in using my TACACS credentials, it drops me directly into privileged mode (router#). My other device prompts me with user mode (router>). Can anyone help me configure this router so it goes to user mode and asks for the enable secret?

Correct Answer
Collin Clark Fri, 09/25/2009 - 05:19

Check your VTY lines. Look for a statement like-

privilege level 15

If it's there, remove it. If it's not there, the privilege is probably in ACS.

johnlloyd_13 Sat, 09/26/2009 - 21:17

Hi Collin,

Thanks! You were right. There was this config under line vty. I've removed it, and now it prompts me with user mode.

Rolf Fischer Fri, 09/25/2009 - 08:52

Your tacacs-server can provide 3 things (AAA):

A - Authentication (who are you?)

A - Authorization (here we can define what method/database to use for the login-privilege for a particular group - if we want that!)

A - Accounting (who did what?)

The configured aaa-groups can be assigned to line con 0, line vty ..., ...

router(config-line)#login authentication default

("default" is the name of the list configured with "aaa ...")

Maybe you can post the relevant part of your config (aaa...; line ...)

Jagdeep Gambhir Fri, 09/25/2009 - 09:09

Hi John,

You need to remove this command from the router,

aaa authorization exec default group tacacs

or

You can also remove the shell privilege 15 from ACS group setup.

Regards,

~JG

Do rate helpful posts

Rolf Fischer Fri, 09/25/2009 - 10:26

Think I didn't explain very well...

I was thinking of something like this:

aaa new-model
aaa authentication login TELNET group tacacs+
line vty 0 4
 login authentication TELNET
line vty 5 15
 login authentication TELNET

"TELNET" is just the name of my list.

There is also a default list which uses the local database. I didn't define anything for authorization, so the local database (-> enable-password) is used.

HTH
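
The replies above boil down to three things to check in the running-config: a "privilege level 15" under the line (Collin), "aaa authorization exec ... group tacacs+" handing the privilege level to the ACS shell profile (Jagdeep), and which "aaa authentication login" list each line actually references (Rolf). The script below is an added example, not from the thread or from Cisco; it parses two hand-constructed configs (no real device, placeholder enable-secret hash and TACACS+ key) and reports why a TACACS+ login would land in privileged EXEC without an enable prompt. It generalises slightly beyond the thread by checking every "line" block, not only the VTYs.

```python
"""Audit a Cisco IOS running-config for the settings discussed in this thread.

Added example (not from the original thread, and not Cisco code). Both configs
below are constructed by hand; the hash and key are placeholders.
"""
import re

# Constructed config reproducing the symptom: TACACS+ user lands in router#.
WEAK_CONFIG = """\
aaa new-model
aaa authentication login default group tacacs+ local
aaa authorization exec default group tacacs+
enable secret 5 $1$abcd$placeholderhashvalue
tacacs-server host 10.0.0.5 key ExampleKey
line con 0
 login authentication default
line vty 0 4
 privilege level 15
 login authentication default
line vty 5 15
 privilege level 15
 login authentication TELNET
"""

# Same device with the line privilege removed, exec authorization dropped and
# the TELNET list actually defined: users get router> and must type "enable".
FIXED_CONFIG = """\
aaa new-model
aaa authentication login default group tacacs+ local
aaa authentication login TELNET group tacacs+ local
enable secret 5 $1$abcd$placeholderhashvalue
tacacs-server host 10.0.0.5 key ExampleKey
line con 0
 login authentication default
line vty 0 4
 login authentication TELNET
line vty 5 15
 login authentication TELNET
"""


class Block:
    """One top-level IOS command plus its indented sub-commands (if any)."""

    def __init__(self, header):
        self.header = header
        self.commands = []


def parse_ios(text):
    """Split an IOS config into blocks. IOS indents sub-commands by one space,
    so an unindented line starts a new block and an indented one extends it."""
    blocks = []
    current = None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("!"):
            continue  # blank lines and "!" comments carry no config
        if raw.startswith(" ") and current is not None:
            current.commands.append(raw.strip())
        else:
            current = Block(raw.strip())
            blocks.append(current)
    return blocks


def audit(text):
    """Return the reasons a TACACS+ login on this config would land in
    privileged EXEC without asking for the enable secret ([] means clean)."""
    blocks = parse_ios(text)
    tops = [b.header for b in blocks]
    findings = []

    # "default" is the implicit list IOS applies to every line; any other
    # name must be defined with "aaa authentication login <name> ...".
    login_lists = {"default"}
    for h in tops:
        m = re.match(r"aaa authentication login (\S+)", h)
        if m:
            login_lists.add(m.group(1))

    if not any(h.startswith("enable secret") for h in tops):
        findings.append("no 'enable secret' is configured")

    # Exec authorization from TACACS+: the privilege level is whatever the
    # server's shell profile returns (priv-lvl), so the router is not the fix.
    for h in tops:
        if re.match(r"aaa authorization exec \S+ .*tacacs", h):
            findings.append(f"'{h}': EXEC privilege level comes from the "
                            "TACACS+ shell profile; check the ACS group setup")

    # "privilege level 15" on a line skips user EXEC for every login.
    for b in blocks:
        if not b.header.startswith("line "):
            continue
        for cmd in b.commands:
            m = re.match(r"privilege level (\d+)", cmd)
            if m and int(m.group(1)) >= 15:
                findings.append(f"{b.header}: 'privilege level {m.group(1)}' "
                                "drops every login straight into privileged EXEC; remove it")
            m = re.match(r"login authentication (\S+)", cmd)
            if m and m.group(1) not in login_lists:
                findings.append(f"{b.header}: login authentication list "
                                f"'{m.group(1)}' is not defined with "
                                f"'aaa authentication login {m.group(1)} ...'")
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("fixed", FIXED_CONFIG)):
        print(f"{name}: {audit(cfg) or ['clean']}")
```

Run it against "show running-config" output saved to a file by passing the file's contents to audit(). The weak config yields four findings (exec authorization via TACACS+, privilege level 15 on both VTY ranges, and the undefined TELNET list); the fixed config yields none.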
