AAA / ACS / Enable Mode

satishcp
Level 1

Guys,

I've configured AAA on network devices for access authentication against ACS (3.2 on Windows). ACS is configured to authenticate users against Windows AD accounts. ACS is configured properly and I'm able to login using AD accounts onto network devices. However I have a basic question here:

The privilege level set to users / user groups on ACS is level 15 for all AAA clients. When a user logs in using an SSH / Telnet connection, by default he is placed in privilege level 1. The user has to give the enable command and type in the enable password to get on to enable mode. Is this the normal way of working, or am I missing something here?

How do I place the users in privilege mode by default?

Appreciate help,

-Satishcp

6 Replies

cco1
Level 1

Hi,

same problem here with FWSM. I just want to log in to FWSM via ssh and get into enabled mode instantly without having to type in "enable".

Regards,

Marco

Satishcp

I believe that the functionality that you want needs you to configure aaa authorization as well as aaa authentication.

HTH

Rick

cco1-

You can't on the FWSM/PIX/ASA, it requires you to enter a password twice for security purposes.

andrew.burns
Level 7

Hi,

If it's just a router then you should be able to fix this in the ACS server by modifying the Privilege Level attribute - change it from the default of 1 to 15. (Don't confuse this with the Max Privilege setting in Enable Options).

Not totally sure about version 3.2 but this works in 3.3 and later.

HTH

Andrew.

pvanvuuren
Level 3

Hi Satishcp

There are two parts to making sure your users get into enable "priv 15" mode on a router/switch.

1. First, make sure the user is in a group that has Shell access and priv level 15 enabled. The router/switch is going to look for this for "authorisation".

2. Secondly, you need this line of aaa config in your router/switch: aaa authorization exec default group tacacs+ if-authenticated

That should do it. It's the "if-authenticated" part that makes the difference, and the authorisation of course.

Let us know.

cheers

P
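Putting the two parts above together, here is an added example of a complete IOS AAA stanza (it is not from the original thread; the TACACS+ server address, shared key and local fallback account are placeholders):

```cisco
! Added example, not from the thread. Replace placeholder values before use.
aaa new-model
!
! TACACS+ server (ACS) the router queries; 192.0.2.10 and SECRET-KEY are placeholders
tacacs-server host 192.0.2.10 key SECRET-KEY
!
! Local fallback account so the box stays manageable if ACS is unreachable
username admin-local privilege 15 secret PLACEHOLDER-PASSWORD
!
! Part 1 (on ACS): the user's group must grant Shell (exec) access with
! Privilege Level = 15, which ACS returns as the TACACS+ attribute priv-lvl=15.
!
! Part 2 (on the router): authenticate logins against ACS, then authorize the
! exec session so the returned priv-lvl is honoured and the user lands in
! enable mode directly. "if-authenticated" only applies when TACACS+ gives no
! answer (server unreachable); an explicit deny from ACS still stops the list.
aaa authentication login default group tacacs+ local
aaa authorization exec default group tacacs+ if-authenticated
!
line vty 0 4
 transport input ssh
 login authentication default
 authorization exec default
!
! Verify after logging in over SSH: "show privilege" should report
! "Current privilege level is 15" without typing enable.
```

Keeping the local fallback account and restricting the vty lines to SSH matters more once exec authorization drops users straight into privilege 15, since any successful login is now a full-privilege session.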

This is great guys, I never thought it would be so easy to get answers. Thanks, it worked the same way I wanted it to be.

Thanks again,

Satishcp