6798 Views | 5 Helpful | 5 Replies

Tacacs or Enable Secret Not Working

johnlloyd_13
Level 9

hi experts,

I have a 2821 router set up for TACACS for the default login and configured an enable secret. The funny thing is that when I telnet into this device and log in using my TACACS credentials, it directly prompts me to privileged mode (router#). My other device prompts me to user mode (router>). Can anyone help me configure this router so that it lands in user mode and asks for the enable secret?

1 Accepted Solution

Accepted Solutions

Collin Clark
VIP Alumni

Check your VTY lines. Look for a statement like:

privilege level 15

If it's there, remove it. If it's not there, the privilege is probably in ACS.


hi collin,

Thanks! You were right. There was this config under line vty. I've removed it and it now prompts me to user mode.

rolf.fischer_2
Level 1

Your tacacs-server can provide 3 things (AAA):

A - Authentication (who are you?)

A - Authorization (here we can define what method/database to use for the login-privilege for a particular group - if we want that!)

A - Accounting (who did what?)

The configured aaa-groups can be assigned to line con 0, line vty ..., ...

router(config-line)#login authentication default

("default" is the name of the list configured with "aaa ...")

Maybe you can post the relevant part of your config (aaa...; line ...)

Hi John,

You need to remove this command from the router:

aaa authorization exec default group tacacs

or

You can also remove the shell privilege 15 from ACS group setup.

Regards,

~JG

Do rate helpful posts
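As an added audit check (not code from the thread or from Cisco), the script below scans a constructed running-config for the two settings these replies point at: "privilege level 15" under a line, and "aaa authorization exec ... group tacacs" letting the server's shell privilege apply at login. Either one puts a TACACS+ login straight into privileged EXEC without the enable secret; the sample config and the function names are my own.

```python
import re

# Constructed sample running-config (not from the thread). It contains both
# ways a TACACS+ login can land directly in privileged EXEC mode.
SAMPLE_CONFIG = """\
aaa new-model
aaa authentication login default group tacacs+ local
aaa authorization exec default group tacacs+
enable secret 5 $1$PLACEHOLDER
line con 0
 login authentication default
line vty 0 4
 privilege level 15
 login authentication default
line vty 5 15
 login authentication default
"""


def parse_sections(config):
    """Split an IOS config into (top-level command, [sub-commands]) blocks.
    Top-level commands start in column 0; their sub-commands are indented."""
    sections = []
    for line in config.splitlines():
        if not line.strip() or line.startswith("!"):
            continue  # skip blank lines and comment banners
        if line.startswith(" "):
            if sections:
                sections[-1][1].append(line.strip())
        else:
            sections.append((line.strip(), []))
    return sections


def audit_privileged_login(config):
    """Return findings that explain why a login could bypass the enable secret."""
    findings = []
    sections = parse_sections(config)
    for header, subs in sections:
        # "privilege level 15" on a con/vty line grants enable on login.
        if header.startswith("line ") and "privilege level 15" in subs:
            findings.append(f"{header}: 'privilege level 15' grants enable on login")
        # exec authorization against TACACS lets the server push shell priv 15.
        if re.match(r"aaa authorization exec .*tacacs", header):
            findings.append(f"{header}: server-side shell privilege applies at login")
    if not any(h.startswith("enable secret") for h, _ in sections):
        findings.append("no 'enable secret' configured")
    return findings
```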

rolf.fischer_2
Level 1

Think I didn't explain very well...

I was thinking of something like that:

aaa new-model
aaa authentication login TELNET group tacacs+
line vty 0 4
 login authentication TELNET
line vty 5 15
 login authentication TELNET

"TELNET" is just the name of my list.

There is also a default list which uses the local database. I didn't define anything for authorization, so the local database (-> enable-password) is used.

HTH
