12-07-2009 11:42 PM - edited 03-06-2019 08:52 AM
Hi,
As per normal conditions, to go into enable mode we type the >enable command, and the router/switch asks for a password. However, what are the possibilities for a router/switch to ask for both username and password in enable mode as well?
The aaa commands on router/switch as below:
aaa new-model
aaa authentication login default group tacacs+ enable
aaa authentication enable default group tacacs+ enable
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
aaa accounting system default start-stop group tacacs+
A few more facts observed: to log in to the router/switch I use my username/pwd (TACACS credentials). However, when I hit the >enable command, then either mine or anybody else's (having the appropriate rights) username/pwd credentials work for enable login.
Is it something to be done on TACACS / ACS or the router/switch itself?
Thanks.
cheers,
Saurabh
12-07-2009 11:53 PM
Hi Saurabh,
As per the aaa configuration posted by you
aaa new-model
aaa authentication login default group tacacs+ enable
aaa authentication enable default group tacacs+ enable
The user will be authenticated via the TACACS server, and the same applies if the user tries to log in to enable mode on the switch/router.
A few configuration steps need to be done on the TACACS server: you need to select the option for using the same PAP password for the enable prompt under the TACACS+ Enable Password table.
Hope this will solve your problem!
Regards
Ganesh.H
12-08-2009 12:52 AM
Hi Ganesh,
Thanks for the response.
Could you please clarify more on "on the TACACS server you need to select an option for using the same PAP password for the enable prompt under the TACACS+ Enable Password table". Please excuse my ignorance in regards to TACACS server configuration / settings.
cheers,
Saurabh
12-08-2009 01:01 AM
If you are using Cisco ACS, go under the User Setup tab; you will see a tab called TACACS+ Enable Password, from where you can select to use the same as the PAP password.
Regards
Ganesh.H
12-08-2009 01:36 AM
Hi Ganesh,
Thanks for the response.
I honestly do not have access/control to ACS system. I am looking at this solution from a more understanding perspective.
When you say "under the User Setup tab you will see a tab called TACACS+ Enable Password, from where you can select to use the same as the PAP password", this is a bit confusing, because my only requirement is that when I hit >enable it should only prompt me for a password, and not for both "username/pwd".
I am not sure if what you've already said is the same what I just asked above. Just looking to clarify my doubt.
cheers,
Saurabh
12-08-2009 02:16 AM
I think I have taken this in the wrong direction. If at the enable prompt it is asking for username and password, then check the configuration under line vty 0 4 for login authentication.
Regards
Ganesh.H
12-08-2009 02:24 AM
Hi,
Below are the configs:-
line vty 0 4
 exec-timeout 30 0
 password 7 xxxxxxxxxxxxxxxx
 transport input telnet ssh
line vty 5 15
 exec-timeout 30 0
 password 7 xxxxxxxxxxxxxxxxx
 transport input lat pad mop udptn telnet rlogin ssh nasi acercon
aaa new-model
aaa authentication login default group tacacs+ enable
aaa authentication enable default group tacacs+ enable
aaa authorization console
aaa authorization commands 15 default group tacacs+ none
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
aaa accounting connection default start-stop group tacacs+
aaa accounting system default start-stop group tacacs+
cheers,
Saurabh
12-09-2009 01:09 AM
Hi Saurabh,
Check out the following link; it will solve your problem and query related to aaa configuration:-
http://www.cisco.com/en/US/docs/ios/12_2/security/configuration/guide/scfathen.html#wp1001032
Regards
Ganesh.H
12-09-2009 01:32 AM
Check the failed logs in TACACS for enable authentication.
Make sure this user has privilege level 15 in TACACS.
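Added illustration, not part of this thread: with `aaa authentication enable default group tacacs+ enable` the router sends the TACACS+ server an authentication START packet carrying the session's username, service=enable and priv_lvl=15, which is the request the per-user "TACACS+ Enable Password" setting and the failed-attempt logs on the server refer to. The encoder/decoder below follows RFC 8907; the username, port, address, shared key and session id are constructed values.

```python
import hashlib
import struct

# TACACS+ (RFC 8907) constants used by an enable-mode authentication START
TAC_PLUS_MAJOR_VER = 0xC
TAC_PLUS_AUTHEN = 0x01            # packet type: authentication
TAC_PLUS_AUTHEN_LOGIN = 0x01      # action
TAC_PLUS_AUTHEN_TYPE_ASCII = 0x01
TAC_PLUS_AUTHEN_SVC_ENABLE = 0x02
SERVICE_NAMES = {0: "none", 1: "login", 2: "enable"}

def pseudo_pad(session_id, key, version, seq_no, length):
    """MD5 keystream that obfuscates the TACACS+ body (RFC 8907 section 4.5)."""
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(struct.pack("!I", session_id) + key + bytes([version, seq_no]) + prev).digest()
        pad += prev
    return pad[:length]

def build_authen_start(session_id, key, user, port, rem_addr, service, priv_lvl=15):
    """Encode the authentication START packet a NAS sends when a user types 'enable'."""
    version = (TAC_PLUS_MAJOR_VER << 4) | 0   # 0xc0: major 0xc, minor 0
    seq_no = 1
    body = struct.pack("!8B", TAC_PLUS_AUTHEN_LOGIN, priv_lvl, TAC_PLUS_AUTHEN_TYPE_ASCII,
                       service, len(user), len(port), len(rem_addr), 0) + user + port + rem_addr
    pad = pseudo_pad(session_id, key, version, seq_no, len(body))
    header = struct.pack("!4BII", version, TAC_PLUS_AUTHEN, seq_no, 0, session_id, len(body))
    return header + bytes(a ^ b for a, b in zip(body, pad))

def parse_authen_start(packet, key):
    """Decode a START packet: who asked for which service at which privilege level."""
    version, ptype, seq_no, flags, session_id, length = struct.unpack("!4BII", packet[:12])
    if ptype != TAC_PLUS_AUTHEN or len(packet) != 12 + length:
        raise ValueError("not a complete TACACS+ authentication packet")
    body = packet[12:]
    if not flags & 0x01:   # TAC_PLUS_UNENCRYPTED_FLAG clear, so the body is obfuscated
        body = bytes(a ^ b for a, b in zip(body, pseudo_pad(session_id, key, version, seq_no, length)))
    action, priv_lvl, authen_type, service, ulen, plen, rlen, dlen = struct.unpack("!8B", body[:8])
    off = 8
    user = body[off:off + ulen].decode(); off += ulen
    port = body[off:off + plen].decode(); off += plen
    rem_addr = body[off:off + rlen].decode()
    return {"user": user, "port": port, "rem_addr": rem_addr,
            "service": SERVICE_NAMES.get(service, service), "priv_lvl": priv_lvl}

# Constructed sample: a vty user typing 'enable'; key and session id are made up
KEY = b"example-shared-secret"
SAMPLE = build_authen_start(0x1A2B3C4D, KEY, b"saurabh", b"tty2", b"192.0.2.10", TAC_PLUS_AUTHEN_SVC_ENABLE)

if __name__ == "__main__":
    print(parse_authen_start(SAMPLE, KEY))
```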