router/switch seeking re-entry of username/pwd for enable mode

Unanswered Question
Dec 7th, 2009
Hi,


As per normal conditions, to go into enable mode we type the >enable command, and the router/switch asks for a password. However, what are the possibilities for a router/switch to ask for both username and password on enable mode as well?


The aaa commands on router/switch as below:

aaa new-model
aaa authentication login default group tacacs+ enable
aaa authentication enable default group tacacs+ enable
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
aaa accounting system default start-stop group tacacs+


A few more facts observed: to log in to the router/switch I use my username/pwd (TACACS credentials). However, when I hit the >enable command, either my own or anybody else's (having the appropriate rights) username/pwd credentials work for the enable login.


Is it something to be done on TACACS / ACS or the router/switch itself?


Thanks.



cheers,

Saurabh

Ganesh Hariharan Mon, 12/07/2009 - 23:53

Hi Saurabh,


As per the AAA configuration posted by you:


aaa new-model
aaa authentication login default group tacacs+ enable
aaa authentication enable default group tacacs+ enable



The user will be authenticated via the TACACS server, and likewise when the user tries to log in to enable mode on the switch/router.


Some configuration needs to be done on the TACACS server: you need to select the option to use the same PAP password for the enable prompt, under the TACACS+ Enable Password table.


Hope this will solve your problem!


Regards

Ganesh.H

saurabh_knl Tue, 12/08/2009 - 00:52

Hi Ganesh,


Thanks for the response.


Could you please clarify further on "on the TACACS server you need to select an option to use the same PAP password for the enable prompt under the TACACS+ Enable Password table"? Please excuse my ignorance with regard to TACACS server configuration/settings.



cheers,

Saurabh

Ganesh Hariharan Tue, 12/08/2009 - 01:01

If you are using Cisco ACS, go to the User Setup tab; there you will see a section called TACACS+ Enable Password, from which you can select to use the same as the PAP password.


Regards

Ganesh.H

saurabh_knl Tue, 12/08/2009 - 01:36

Hi Ganesh,


Thanks for the response.


I honestly do not have access to or control of the ACS system. I am looking at this solution more from an understanding perspective.


When you say "under the User Setup tab you will see a tab called TACACS+ Enable Password, from which you can select to use the same as the PAP password", this is a bit confusing, because my only requirement is that when I hit >enable it should only prompt me for a password, and not for both "username/pwd".


I am not sure whether what you've already said is the same as what I just asked above. Just looking to clarify my doubt.



cheers,

Saurabh

Ganesh Hariharan Tue, 12/08/2009 - 02:16

I think I have taken this in the wrong direction. If at the enable prompt it is asking for username and password, then check the configuration under line vty 0 4 for login authentication.


Regards

Ganesh.H

saurabh_knl Tue, 12/08/2009 - 02:24

Hi,


Below are the configs:

line vty 0 4
 exec-timeout 30 0
 password 7 xxxxxxxxxxxxxxxx
 transport input telnet ssh
line vty 5 15
 exec-timeout 30 0
 password 7 xxxxxxxxxxxxxxxxx
 transport input lat pad mop udptn telnet rlogin ssh nasi acercon



aaa new-model
aaa authentication login default group tacacs+ enable
aaa authentication enable default group tacacs+ enable
aaa authorization console
aaa authorization commands 15 default group tacacs+ none
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
aaa accounting connection default start-stop group tacacs+
aaa accounting system default start-stop group tacacs+



cheers,

Saurabh

vvasisth Wed, 12/09/2009 - 01:32

Check the failed logs in TACACS for enable authentication.

Make sure this user has privilege level 15 in TACACS.

For testing, do "no aaa new-model". This will tell whether it's an issue with the switch or TACACS.

regards,
Varun
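The following is an annotated version of the AAA configuration from Saurabh's posts together with the device-side checks a practitioner would run before touching the ACS side. It is added here as an illustration and is not something posted in the thread; the TACACS+ server address, key and test credentials are placeholders, and only the aaa lines themselves come from the posted config.

```text
! --- Method lists as posted, with what each one actually does ---
aaa new-model
! Once aaa new-model is on, the "password 7" lines under vty 0 4 / 5 15 are
! no longer consulted for login (they are reversible type 7 strings anyway).
! The default login list below applies to every line without a named list.
aaa authentication login default group tacacs+ enable
! TACACS+ is tried first. The trailing "enable" keyword is a fallback that is
! used only when no TACACS+ server answers, NOT when a server rejects the
! user. A login that fell through to this fallback has no username attached
! to the session, which "show users" will show as an empty User column.
aaa authentication enable default group tacacs+ enable
! Same shape for the "enable" command. The fallback needs an enable secret
! on the box (not shown in the posted excerpt) to be of any use.
aaa authorization console
aaa authorization commands 15 default group tacacs+ none
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
aaa accounting connection default start-stop group tacacs+
aaa accounting system default start-stop group tacacs+
!
! Placeholder server definition (assumed, not from the thread):
tacacs-server host 192.0.2.10 key EXAMPLE-SHARED-KEY
!
! Tightening the long transport list is a separate cleanup:
line vty 5 15
 transport input ssh

! --- Checks to run on the device before changing anything on ACS ---
show users                 ! does the current session carry a username?
show privilege             ! privilege level the session currently holds
show tacacs                ! server reachability, request and reject counters
test aaa group tacacs+ USERNAME PASSWORD legacy   ! placeholder credentials
debug aaa authentication   ! then type "enable" and read the exchange:
debug tacacs               ! which username is sent and what the server returns
undebug all
```

Reading the debug output answers the thread's question directly: it shows which username IOS puts in the enable request and whether the server accepted, rejected or failed to respond. Varun's suggestion of "no aaa new-model" as a test is best done from the console, or at least with a second session kept open, since it changes how every line authenticates.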
