03-31-2010 07:55 AM - edited 03-10-2019 05:02 PM
Hi,
We use ACS for authenticating equipment, but lately, when we lose connectivity with the server, the equipment does not allow us to enter "enable" mode (even at the console), only the first level. Could somebody shed some light on what I am missing?
Here is the AAA config template:
enable secret 5 XXXXXX
!
username XXXX privilege 15 secret 5 XXXXXX
!
aaa group server tacacs+ AuthenticationTacacs
 server xxx.xxx.xxx
 server xxx.xxx.xxx
 server xxx.xxx.xxx
!
aaa group server tacacs+ AccountingTacacs
 server xxx.xxx.xxx
 server xxx.xxx.xxx
!
aaa authentication password-prompt "Password local: "
aaa authentication username-prompt "Username local: "
aaa authentication login default group AuthenticationTacacs local
aaa authentication login username_tacacs group tacacs+ local
aaa authentication enable default group AuthenticationTacacs enable
aaa authorization config-commands
aaa authorization exec default group AuthenticationTacacs local
aaa authorization commands 15 default group AuthenticationTacacs local
aaa accounting commands 15 default stop-only group AccountingTacacs
aaa accounting system default stop-only group AccountingTacacs
!
aaa session-id common
ip tacacs source-interface Vlan2
tacacs-server host xxx.xxx.xxx
tacacs-server host xxx.xxx.xxx
tacacs-server host xxx.xxx.xxx
tacacs-server timeout 3
tacacs-server directed-request
tacacs-server key 7 XXXXXXXX
!
line con 0
 exec-timeout 20 0
 logging synchronous
 full-help
 escape-character 27
line vty 0 4
 exec-timeout 20 0
 password 7 00071A150754
 logging synchronous
 length 0
 full-help
 escape-character 27
line vty 5 15
 exec-timeout 20 0
 password 7 1511021F0725
 logging synchronous
 full-help
 escape-character 27
Thanks,
Luiz
04-01-2010 12:56 PM
Luiz,
Inside your "line console 0" type aaa authentication "GROUP" or "default".
The same way on your telnet or ssh vty.
Another thing: don't forget that if you put a space at the end of your password, it will have a space, e.g. "passWord ".
BTW, you have a redundant line for login; I'd do it the following way:
aaa authentication password-prompt "Password local: "
aaa authentication username-prompt "Username local: "
aaa authentication login default group AuthenticationTacacs local
aaa authentication enable default group AuthenticationTacacs enable
aaa authorization config-commands
aaa authorization exec default group AuthenticationTacacs local
aaa authorization commands 15 default group AuthenticationTacacs local
aaa accounting commands 15 default stop-only group AccountingTacacs
aaa accounting system default stop-only group AccountingTacacs
Another way: it will only authenticate on the console, since the group isn't the device's "default" authentication method, so you need to apply it somewhere.
aaa authentication login CONSOLE local
line console 0
 login authentication CONSOLE
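To make the fallback behaviour explicit, here is an added example of a complete AAA template with local fallback for login, enable and exec authorization, bound to the console and vty lines. It is not from this thread or from Cisco documentation; it keeps the group name AuthenticationTacacs from Luiz's template and uses placeholders (in angle brackets) for the user name, secrets, server addresses and shared key.

```cisco
! Added example (not from the thread): AAA template with local fallback.
! Assumptions: group name AuthenticationTacacs as in Luiz's template;
! <...> values are placeholders to be replaced.
!
! Local credentials that survive a TACACS+ outage. The local user carries
! privilege 15 so that exec authorization via the "local" method still
! lands the session in enable mode when the servers are unreachable.
enable secret <ENABLE-SECRET>
username admin privilege 15 secret <LOCAL-SECRET>
!
aaa new-model
aaa group server tacacs+ AuthenticationTacacs
 server <TACACS-SERVER-1>
 server <TACACS-SERVER-2>
!
! Method lists: IOS moves on to the next method only on ERROR (server
! unreachable or timed out), never on FAIL (server answered and rejected).
! So "local" and "enable" are used only while every server is down.
aaa authentication login default group AuthenticationTacacs local
aaa authentication enable default group AuthenticationTacacs enable
aaa authorization exec default group AuthenticationTacacs local
aaa authorization commands 15 default group AuthenticationTacacs local
!
! Exec authorization is not applied to the console unless asked for;
! leave this line out if the console should bypass authorization.
aaa authorization console
!
! Bind the "default" lists to every line explicitly so the intent is visible.
line con 0
 login authentication default
 authorization exec default
line vty 0 15
 login authentication default
 authorization exec default
 authorization commands 15 default
!
! Short timeout so walking through unreachable servers stays tolerable.
tacacs-server host <TACACS-SERVER-1>
tacacs-server host <TACACS-SERVER-2>
tacacs-server timeout 3
tacacs-server key <SHARED-KEY>
```

To confirm which method actually answered, watch `debug aaa authentication` and `debug aaa authorization` during a login while the servers are unreachable, and use `show tacacs` to see per-server reachability counters; `test aaa group AuthenticationTacacs <user> <password> legacy` exercises the group without a real login. Note that with `aaa new-model` the type 7 `password` lines under the vty lines in the original template are not consulted by the default list, and type 7 encoding is reversible, so they add exposure without adding a fallback.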
04-02-2010 09:13 AM
Hi Luiz,
Configuration for authentication needs to be done under line con as suggested; check out the link below for AAA server configuration.
http://www9.cisco.com/en/US/tech/tk59/technologies_tech_note09186a0080093c81.shtml
Hope this helps!!
Ganesh.H
Cisco are currently donating money to the Haiti earthquake appeal for every rating so please consider rating all helpful posts.
04-07-2010 02:33 PM
The suggestions about configuring authentication on the console might make more sense if the problem were not getting into user mode. But if I understand the original post from Luiz, he says that they can get into user mode but cannot get into enable mode. If my understanding is not correct, then I hope that Luiz will correct me.
I wonder if the problem might be that you are not using the right enable secret when you attempt to get into enable mode. I would suggest that you configure the router with a new, very simple enable secret. Then, the next time that you cannot communicate with the server, try using the simple enable secret and see if that works.
HTH
Rick
04-08-2010 11:42 AM
Hi, first of all thanks for the answers. We have two situations:
When we lose connectivity to the AAA servers, at the console we can't get access: it shows the username and password prompt but doesn't authenticate; and when we telnet to the equipment we reach user level, but not enable level.
We tried enable secret as "cisco", and enable password as the same, but it still doesn't work.
Tried using "username user privilege 15 secret {XXXXXXX}" and it only goes to user level.
As far as I understood, this is a matter of better configuring the console and line vty ports, but my problem now is IOS versions, because some equipment doesn't support the exact commands I need.