ACS authentication

Unanswered Question
Jun 7th, 2006

Using ACS 3.3 and I'm a newbie. The question I have is: is it possible to authenticate a user, who connects via telnet and/or SSH, directly to enable mode (priv 15) using ACS? The way we currently have it set up is a user logs in and then types in enable and their password to get to enable mode. I would just like to eliminate the extra step if I could.

Overall Rating: 5 (1 ratings)
Richard Burts Wed, 06/07/2006 - 11:45
I have seen this done with ACS and TACACS. Not sure if RADIUS does the same. On the router, configure aaa for authentication and for authorization (authentication verifies who they are, and authorization allows them directly into privilege mode). In ACS, be sure that you have given the proper permissions to include privilege access.


You should find that this works on the vty ports but not on the console. By default Cisco does do authorization on the console. Once you have it working properly, if you want it to work on the console, you would need to add aaa authorization console to the config.


HTH


Rick

bmasten Thu, 06/08/2006 - 12:20

I would like detailed syntax on the aaa commands for this. Sounds great.

erkinn Fri, 06/09/2006 - 05:26

Do you have an example, because I'm stuck. Here's what I currently have:


aaa authentication login default group tacacs+ line
aaa authentication login CONSOLE group tacacs+ line
aaa authentication enable default group tacacs+ enable
aaa authorization commands 1 default none
aaa authorization commands 15 default group tacacs+ none
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
aaa accounting system default stop-only group tacacs+


and under my line setups I have:


line con 0
 password
 login authentication CONSOLE
 stopbits 1
line aux 0
 stopbits 1
line vty 0 4
 password
 transport input telnet ssh
line vty 5 15
 password
 transport input telnet ssh
!

situwayne Mon, 07/10/2006 - 14:15

Is this working?


Be sure to select privilege 15 in ACS server for the user.
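
A minimal IOS configuration for the approach described in this thread, as an added example that is not any poster's own config; the server address, shared key and local account are placeholders, and the choice of `local` as fallback is an assumption. The configuration posted earlier in the thread has no `aaa authorization exec` method list, which is the line that applies the privilege level ACS returns at login.

```cisco
! Added example (not from the thread). Placeholders are in <ANGLE_BRACKETS>.
! Assumes the ACS user or group has Shell (exec) enabled and
! Privilege level set to 15, as the last reply above advises.
aaa new-model
!
tacacs-server host <ACS_IP>
tacacs-server key <SHARED_SECRET>
!
! Authentication: verifies who the user is. The "local" method is tried
! only when the TACACS+ server does not respond, not when it rejects.
aaa authentication login default group tacacs+ local
aaa authentication enable default group tacacs+ enable
!
! Authorization: the exec session starts at the privilege level returned
! by ACS (priv-lvl=15), so no separate "enable" step is needed.
aaa authorization exec default group tacacs+ local
!
! Needed only if exec authorization should also apply on the console port.
! Test on a vty first and keep a working session open, so that a mistake
! here cannot lock you out of the console.
aaa authorization console
!
! Local fallback account used when the TACACS+ server is unreachable.
username <LOCAL_ADMIN> privilege 15 secret <LOCAL_SECRET>
!
! vty lines pick up the "default" method lists automatically; nothing
! extra is required under "line vty" unless a named list is used.
```

After logging in over a vty, `show privilege` should report level 15 without typing `enable`. Keep accounting (`aaa accounting exec` and `aaa accounting commands 15`) in place so that sessions which start at privilege 15 are still logged to ACS.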
