router/switch seeking re-entry of username/pwd for enable mode

Unanswered Question
Dec 7th, 2009

Hi,

As per normal conditions, to enter enable mode we type the >enable command, and the router/switch asks for a password. However, what are the possibilities for a router/switch to ask for both username and password on enable mode as well?

The aaa commands on router/switch as below:

aaa new-model
aaa authentication login default group tacacs+ enable
aaa authentication enable default group tacacs+ enable
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
aaa accounting system default start-stop group tacacs+

A few more facts observed: to log in to the router/switch I use my username/pwd (TACACS credentials). However, when I hit the >enable command, then either mine or anybody else's (having the appropriate rights) username/pwd credentials work for the enable login.

Is it something to be done on TACACS / ACS or the router/switch itself?

Thanks.

cheers,

Saurabh

Ganesh Hariharan Mon, 12/07/2009 - 23:53

Hi Saurabh,

As per the aaa configuration posted by you:

aaa new-model
aaa authentication login default group tacacs+ enable
aaa authentication enable default group tacacs+ enable

The user will be authenticated via the TACACS server, and likewise if the user tries to log in to enable mode on the switch/router.

Some configuration needs to be done on the TACACS server: you need to select the option to use the same PAP password for the enable prompt under the TACACS+ Enable Password table.

Hope this will solve your problem !!

Regards

Ganesh.H

saurabh_knl Tue, 12/08/2009 - 00:52

Hi Ganesh,

Thanks for the response.

Could you please clarify more on "on the TACACS server you need to select the option to use the same PAP password for the enable prompt under the TACACS+ Enable Password table"? Please excuse my ignorance in regard to TACACS server configuration/settings.

cheers,

Saurabh

Ganesh Hariharan Tue, 12/08/2009 - 01:01

If you are using Cisco ACS, go under the User Setup tab; you will see a tab called TACACS+ Enable Password, from where you can select to use the same as the PAP password.

Regards

Ganesh.H

saurabh_knl Tue, 12/08/2009 - 01:36

Hi Ganesh,

Thanks for the response.

I honestly do not have access to/control of the ACS system. I am looking at this solution more from an understanding perspective.

When you say "under the User Setup tab you will see a tab called TACACS+ Enable Password, from where you can select to use the same as the PAP password", this is a bit confusing, because my only requirement is that when I hit >enable it should only prompt me for a password, and not for both "username/pwd".

I am not sure if what you've already said is the same as what I just asked above. Just looking to clarify my doubt.

cheers,

Saurabh

Ganesh Hariharan Tue, 12/08/2009 - 02:16

I think I have taken this in the wrong direction. If at the enable prompt it is asking for username and password, then check the configuration under line vty 0 4 for login authentication.

Regards

Ganesh.H

saurabh_knl Tue, 12/08/2009 - 02:24

Hi,

Below are the configs:

line vty 0 4
 exec-timeout 30 0
 password 7 xxxxxxxxxxxxxxxx
 transport input telnet ssh
line vty 5 15
 exec-timeout 30 0
 password 7 xxxxxxxxxxxxxxxxx
 transport input lat pad mop udptn telnet rlogin ssh nasi acercon

aaa new-model
aaa authentication login default group tacacs+ enable
aaa authentication enable default group tacacs+ enable
aaa authorization console
aaa authorization commands 15 default group tacacs+ none
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
aaa accounting connection default start-stop group tacacs+
aaa accounting system default start-stop group tacacs+

cheers,

Saurabh
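The AAA lines above are method lists: for each service (login, enable, command authorization) IOS tries the listed methods in order and moves to the next one only when a method returns an error (for example, no TACACS+ server answers), not when a method rejects the credentials. So `aaa authentication enable default group tacacs+ enable` means "ask TACACS+ for the enable password; if TACACS+ is unreachable, fall back to the locally configured enable password", and `aaa authorization commands 15 default group tacacs+ none` means command authorization is granted without any check once TACACS+ stops responding. The script below is an added example, not code from this thread or from Cisco: it parses a config excerpt in the form posted above (the sample is constructed from the thread, with the type-7 strings replaced by placeholders), reports the method lists IOS will consult, and flags the fail-open `none` method, type-7 line passwords (a reversible encoding) and vty lines that still accept cleartext telnet. The function and finding names are this example's own.

```python
"""Audit AAA method lists and vty line settings in a Cisco IOS config excerpt.

Added example, not from the thread or from Cisco. SAMPLE_CONFIG is constructed
from the vty and aaa lines posted in the thread; type-7 strings are placeholders.
"""
from dataclasses import dataclass, field

SAMPLE_CONFIG = """\
line vty 0 4
 exec-timeout 30 0
 password 7 PLACEHOLDER_TYPE7
 transport input telnet ssh
line vty 5 15
 exec-timeout 30 0
 password 7 PLACEHOLDER_TYPE7
 transport input lat pad mop udptn telnet rlogin ssh nasi acercon
!
aaa new-model
aaa authentication login default group tacacs+ enable
aaa authentication enable default group tacacs+ enable
aaa authorization console
aaa authorization commands 15 default group tacacs+ none
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
aaa accounting connection default start-stop group tacacs+
aaa accounting system default start-stop group tacacs+
"""

# IOS only moves past a method on ERROR (server unreachable); a FAIL stops the walk.
# A list ending in 'none' therefore fails open once the servers stop answering.
FAIL_OPEN_METHODS = {"none"}
# Sub-commands we recognise inside a 'line ...' block even if indentation was lost.
LINE_SUBCOMMANDS = {"exec-timeout", "password", "transport", "login", "access-class"}


@dataclass
class AaaAudit:
    new_model: bool = False
    # ("authentication enable", "default") -> ["group tacacs+", "enable"], etc.
    method_lists: dict = field(default_factory=dict)
    findings: list = field(default_factory=list)


def _parse_methods(tokens):
    """Fold 'group tacacs+' into a single method token; keep enable/local/none as-is."""
    methods, i = [], 0
    while i < len(tokens):
        if tokens[i] == "group" and i + 1 < len(tokens):
            methods.append(f"group {tokens[i + 1]}")
            i += 2
        else:
            methods.append(tokens[i])
            i += 1
    return methods


def is_fail_open(methods):
    """True when the last method grants access without a check (e.g. 'none')."""
    return bool(methods) and methods[-1] in FAIL_OPEN_METHODS


def audit_config(config_text):
    audit = AaaAudit()
    line_block = None  # current 'line vty 0 4' block, if any
    for raw in config_text.splitlines():
        stripped = raw.strip()
        if not stripped or stripped.startswith("!"):
            continue
        tokens = stripped.split()
        if stripped.startswith("line "):
            line_block = stripped
            continue
        if line_block and (raw.startswith(" ") or tokens[0] in LINE_SUBCOMMANDS):
            if tokens[0] == "password" and len(tokens) >= 3 and tokens[1] == "7":
                audit.findings.append(f"{line_block}: type-7 password (reversible encoding)")
            if tokens[:2] == ["transport", "input"] and "telnet" in tokens[2:]:
                audit.findings.append(f"{line_block}: transport input allows cleartext telnet")
            continue
        line_block = None  # any top-level command ends the line block
        if stripped == "aaa new-model":
            audit.new_model = True
        elif tokens[:2] == ["aaa", "authentication"] and len(tokens) >= 5:
            key = (f"authentication {tokens[2]}", tokens[3])
            audit.method_lists[key] = _parse_methods(tokens[4:])
        elif tokens[:2] == ["aaa", "authorization"] and tokens[2] == "commands" and len(tokens) >= 6:
            key = (f"authorization commands {tokens[3]}", tokens[4])
            audit.method_lists[key] = _parse_methods(tokens[5:])
        elif tokens[:2] == ["aaa", "authorization"] and len(tokens) >= 5:
            key = (f"authorization {tokens[2]}", tokens[3])
            audit.method_lists[key] = _parse_methods(tokens[4:])
        else:
            continue
        if tokens[:2] != ["aaa", "new-model"] and is_fail_open(audit.method_lists[key]):
            audit.findings.append(
                f"{key[0]} {key[1]}: last method '{audit.method_lists[key][-1]}' "
                "fails open when earlier methods error"
            )
    return audit


def enable_methods(audit):
    """Methods IOS consults when a user types 'enable' (default list)."""
    return audit.method_lists.get(("authentication enable", "default"), [])


if __name__ == "__main__":
    result = audit_config(SAMPLE_CONFIG)
    print("aaa new-model:", result.new_model)
    print("enable authentication:", " -> ".join(enable_methods(result)))
    for finding in result.findings:
        print("finding:", finding)
```

Running it on the constructed sample reports `group tacacs+ -> enable` for enable authentication (TACACS+ first, local enable password as the fallback) and five findings: the type-7 password and cleartext telnet on each vty range, plus the fail-open command-authorization list.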

vvasisth Wed, 12/09/2009 - 01:32

Check the failed logs in TACACS for enable authentication.

Make sure this user has priv level 15 in TACACS.

For testing, do "no aaa new-model". This will tell whether it's an issue with the switch or TACACS.

regards,
Varun
