09-24-2009 05:30 PM - edited 03-06-2019 07:52 AM
Hi experts,
I have a 2821 router set up for TACACS for the default login and have configured an enable secret. The funny thing is that when I telnet into this device and log in using my TACACS credentials, it drops me directly into privileged mode (router#). My other device drops me into user mode (router>). Can anyone help me configure this router so that it goes to user mode and asks for the enable secret?
09-25-2009 05:19 AM
Check your VTY lines. Look for a statement like:
privilege level 15
If it's there, remove it. If it's not there, the privilege is probably in ACS.
09-26-2009 09:17 PM
Hi Collin,
Thanks! You were right. There was this config under line vty. I've removed it and now it prompts me to user mode.
09-25-2009 08:52 AM
Your TACACS server can provide 3 things (AAA):
A - Authentication (who are you?)
A - Authorization (here we can define what method/database to use for the login privilege of a particular group, if we want that!)
A - Accounting (who did what?)
The configured aaa-groups can be assigned to line con 0, line vty ..., ...
router(config-line)#login authentication default
("default" is the name of the list configured with "aaa ...")
Maybe you can post the relevant part of your config (aaa...; line ...)
09-25-2009 09:09 AM
Hi John,
You need to remove this command from the router:
aaa authorization exec default group tacacs
or
you can also remove the shell privilege 15 from the ACS group setup.
Regards,
~JG
Do rate helpful posts
09-25-2009 10:26 AM
I think I didn't explain it very well...
I was thinking of something like this:
aaa new-model
aaa authentication login TELNET group tacacs+
line vty 0 4
login authentication TELNET
line vty 5 15
login authentication TELNET
"TELNET" is just the name of my list.
There is also a default list which uses the local database. I didn't define anything for authorization, so the local database (-> enable password) is used.
HTH
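As an added example (not code from the original thread or from any of the posters), the script below audits a running-config for the two settings the replies point at as the reason a TACACS+ login lands straight in privileged EXEC: a "privilege level 15" under a "line vty" block (the accepted answer), and "aaa authorization exec ... group tacacs+", which hands the decision to the server so that the ACS group's shell privilege has to be checked there (JG's point). The config text is constructed for this example, as are the severity labels; the parser assumes only the usual IOS layout (top-level commands in column 0, line sub-commands indented by one space).

```python
# Added example, not code from the original thread. It audits an IOS-style
# running-config for the two settings the replies point at as the reason a
# TACACS+ login lands straight in privileged EXEC (router#):
#   1. "privilege level 15" under a "line vty" block (the accepted answer);
#   2. "aaa authorization exec ... group tacacs+", which hands the decision to
#      the server, so the ACS group's shell privilege must be checked there.
# The config text is constructed for this example; the parser assumes the
# usual IOS layout (top-level commands in column 0, line sub-commands indented
# by one space) and nothing more. Severity labels are this example's own.
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed 'before' config: the weak setting sits on line vty 0 4.
WEAK_CONFIG = """\
hostname r2821
aaa new-model
aaa authentication login default group tacacs+ local
aaa authorization exec default group tacacs+
enable secret 5 $1$example$placeholder
line con 0
 login authentication default
line vty 0 4
 privilege level 15
 login authentication default
 transport input telnet ssh
line vty 5 15
 login authentication default
 transport input telnet ssh
end
"""

# The fix from the accepted answer: drop the privilege statement from the VTYs.
FIXED_CONFIG = WEAK_CONFIG.replace(" privilege level 15\n", "")


@dataclass
class Finding:
    severity: str   # "high"/"medium" for a local override, "info" for a server-side decision
    line_no: int
    scope: str      # the enclosing "line ..." block, or "global"
    command: str
    note: str


def iter_commands(config: str):
    """Yield (line_no, enclosing 'line ...' block or None, command) for each
    non-empty, non-comment line; sub-commands are recognised by their indent."""
    block: Optional[str] = None
    for n, raw in enumerate(config.splitlines(), start=1):
        if not raw.strip() or raw.lstrip().startswith("!"):
            continue
        if raw.startswith(" "):
            yield n, block, raw.strip()
        else:
            cmd = raw.strip()
            block = cmd if cmd.startswith("line ") else None
            yield n, None, cmd


def audit_exec_privilege(config: str) -> List[Finding]:
    """Return the settings that can put a VTY session above user EXEC (level 1)."""
    findings: List[Finding] = []
    for n, block, cmd in iter_commands(config):
        m = re.fullmatch(r"privilege level (\d+)", cmd)
        if block and block.startswith("line vty") and m:
            level = int(m.group(1))
            if level > 1:
                findings.append(Finding(
                    "high" if level == 15 else "medium", n, block, cmd,
                    f"sessions on these VTYs start at level {level} without 'enable'"))
        elif block is None and cmd.startswith("aaa authorization exec ") and "tacacs" in cmd:
            findings.append(Finding(
                "info", n, "global", cmd,
                "exec privilege comes from the TACACS+ server; check the ACS group's shell privilege"))
    return findings


def report(config: str) -> str:
    """One line per finding, or a short note when the config is clean."""
    lines = [f"[{f.severity}] line {f.line_no} ({f.scope}): {f.command}  -- {f.note}"
             for f in audit_exec_privilege(config)]
    return "\n".join(lines) if lines else "no privilege overrides found"


if __name__ == "__main__":
    print("before:\n" + report(WEAK_CONFIG))
    print("\nafter:\n" + report(FIXED_CONFIG))
```

Run against a real "show running-config" the "info" finding stays even after the VTY fix, which is the reminder that with exec authorization pointed at TACACS+ the landing privilege is ultimately whatever the ACS group returns.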