04-29-2008 05:35 AM - edited 03-10-2019 03:48 PM
I want to configure AAA authentication with local user accounts on the switch. The idea is to land directly in privileged mode without the enable command.
I configured the following commands:
aaa new-model
aaa authentication login default local
What other commands (authorization) are necessary to get the privilege command?
Thanks
Pascal
04-29-2008 08:07 AM
Dear,
For console you need to issue one more command.
There is a hidden command within IOS that you need to apply: "aaa authorization console".
That should fix it,
Regards,
~JG
Do rate helpful posts
04-29-2008 06:05 AM
Pascal,
Yes, privilege falls under the heading "authorization", so we need to have that command.
aaa authorization exec default local
Also make sure that the local user has priv 15.
Regards,
~JG
Do rate helpful posts
04-29-2008 06:30 AM
It doesn't work with this command. I don't get directly to privileged mode. The user has the priv 15 level.
Regards
Pascal
04-29-2008 06:50 AM
Pascal,
That is not possible; it should work. Can you get me the debugs and current config:
debug aaa authorization
debug aaa authentication
terminal mon
Regards,
~JG
04-30-2008 02:51 AM
Hello JG
Now, it works fine.
Thank you very much for your support!
Regards Pascal
05-05-2008 09:34 PM
Hi,
I have the same problem on my 7200 router; before, I could enter directly into privileged mode without the enable command. I don't know what command I issued, because now when I'm entering my router through telnet I need to enter my enable password. Please help me.
Here's my configuration
aaa new-model
aaa authorization console
aaa authorization exec default group tacacs+ local
I also tried to copy the config of my other router, but it's still not working. I appreciate your help.
Thanks,
Jong
05-06-2008 04:55 AM
Jong,
This is what we should have on the router; make sure you have priv 15 defined for the user.
Router(config)# username [username] password [password]
tacacs-server host [ip]
tacacs-server key [key]
aaa new-model
aaa authentication login default group tacacs+ local
aaa authorization exec default group tacacs+ if-authenticated
On tacacs
Bring users/groups in at level 15
1. Go to user or group setup in ACS
2. Drop down to "TACACS+ Settings"
3. Place a check in "Shell (Exec)"
4. Place a check in "Privilege level" and enter "15" in the adjacent field
Now it should let you in directly to enable mode.
Regards,
~JG
Do rate helpful posts
05-06-2008 05:24 AM
Hi JG,
I really appreciate your help. I have here the complete AAA config on my router. I just remember that I issued a "privilege exec/command/configure level" before this problem. Is there anything I need to check in my privilege config?
I'm pretty sure that I have the correct config on my ACS, because 9 out of my 10 routers are working fine with authentication, authorization and accounting.
aaa new-model
!
!
aaa authentication login c3auth group tacacs+ local
aaa authorization console
aaa authorization exec default group tacacs+ local
aaa authorization exec c3auth group tacacs+ local
aaa authorization commands 0 default group tacacs+ local
aaa authorization commands 1 default group tacacs+ local
aaa authorization commands 5 c3auth group tacacs+ local
aaa authorization commands 15 default group tacacs+ local
aaa accounting session-duration ntp-adjusted
aaa accounting exec c3auth start-stop group tacacs+
aaa accounting commands 5 c3auth start-stop group tacacs+
aaa accounting commands 15 c3auth start-stop group tacacs+
aaa accounting connection c3auth start-stop group tacacs+
aaa accounting system default start-stop group tacacs+
aaa session-id common
tacacs-server host xxxxx
tacacs-server directed-request
tacacs-server key xxxxx
privilege voipdialpeer level 5 shutdown
privilege controller level 5 shutdown
privilege interface level 5 shutdown
!
privilege configure level 5 line
privilege configure level 5 dial-peer voice
privilege configure level 5 dial-peer
privilege configure level 5 interface
privilege configure level 5 controller
privilege exec all level 5 configure terminal
privilege exec level 5 configure
privilege exec level 4 show dial-peer
privilege exec level 5 show call active voice
privilege exec level 5 show call active
privilege exec level 5 show call
privilege exec level 4 show interfaces
privilege exec level 5 show running-config
privilege exec level 5 show configuration
privilege exec level 5 show
privilege exec level 5 clear counters
privilege exec level 5 clear
Regards,
Jong
05-06-2008 05:54 AM
Jong,
I don't think there is any need to have local priv levels defined in the router itself, since we have ACS in place. Let ACS take care of the privilege and command authorization.
My suggestion is to configure the router as per the commands below,
Router(config)# username [username] password [password]
tacacs-server host [ip]
tacacs-server key [key]
aaa new-model
aaa authentication login default group tacacs+ local
aaa authorization exec default group tacacs+ if-authenticated
aaa authorization commands 1 default group tacacs+ if-authenticated
aaa authorization commands 15 default group tacacs+ if-authenticated
aaa authorization config-commands
Bring users/groups in at level 15
1. Go to user or group setup in ACS
2. Drop down to "TACACS+ Settings"
3. Place a check in "Shell (Exec)"
4. Place a check in "Privilege level" and enter "15" in the adjacent field
If you use 'if-authenticated', any authentication method (line, local, etc.) will allow for successful authorization. However, if the TACACS+ server goes down during a session, all authorization will fail until a new authentication occurs (log out and log back in). This allows for an extra security measure so that a user with low privileges cannot suddenly run any command if the AAA server goes down.
Regards,
~JG
Do rate helpful posts
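Added example (not from the thread or any Cisco tool): a small Python lint that reads an IOS running-config and reports why a user would still land at the `>` prompt, covering the points raised above for Pascal's local-only setup (exec authorization, `aaa authorization console`, priv 15) and parsing the exec authorization method list so the `local` versus `if-authenticated` fallback JG describes is visible. The sample configs, the username `pascal` and the secret are constructed placeholders.

```python
import re

# Constructed sample: Pascal's first attempt (authentication only) and the working config.
BEFORE = ("aaa new-model\n"
          "aaa authentication login default local\n"
          "username pascal privilege 15 secret 0 placeholder\n")
AFTER = BEFORE.replace("username", "aaa authorization exec default local\n"
                                   "aaa authorization console\nusername")

def user_privilege(config, user):
    """Level of a local user: None if not defined, 1 if no 'privilege' keyword (IOS default)."""
    found = [l for l in config.splitlines() if re.match(r"\s*username %s\s" % re.escape(user), l)]
    levels = [int(m.group(1)) for m in (re.search(r"\bprivilege (\d+)", l) for l in found) if m]
    return (levels[0] if levels else 1) if found else None

def exec_authorization_methods(config, list_name="default"):
    """Method list of 'aaa authorization exec <list>', e.g. ['group tacacs+', 'local']."""
    for l in config.splitlines():
        toks = l.split()
        if toks[:3] == ["aaa", "authorization", "exec"] and toks[3:4] == [list_name]:
            rest, methods = toks[4:], []
            while rest:
                tok = rest.pop(0)  # 'group <name>' is one method, everything else is a keyword
                methods.append("%s %s" % (tok, rest.pop(0)) if tok == "group" and rest else tok)
            return methods
    return []

def blockers_for_direct_enable(config, user, console=False):
    """Reasons `user` would not get a '#' prompt straight after login on this config."""
    lines = {l.strip() for l in config.splitlines()}
    out = []
    if "aaa new-model" not in lines:
        out.append("aaa new-model missing")
    if not any(l.startswith("aaa authentication login default") for l in lines):
        out.append("no default login authentication method list")
    if not exec_authorization_methods(config):
        out.append("no exec authorization: the privilege level is an authorization attribute")
    if console and "aaa authorization console" not in lines:
        out.append("console line skips exec authorization without 'aaa authorization console'")
    priv = user_privilege(config, user)
    if priv is None:
        out.append("no local username %s" % user)
    elif priv < 15:
        out.append("%s is privilege %d, not 15" % (user, priv))
    return out

if __name__ == "__main__":
    for name, cfg in (("before", BEFORE), ("after", AFTER)):
        print(name, blockers_for_direct_enable(cfg, "pascal", console=True))
```

Run against your own `show running-config` output with the real username to see which of the thread's three pieces is still missing.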
05-06-2008 06:42 AM
Hi JG,
I'll do that, thanks for the additional info. I'm removing my commands again and then re-entering the new ones. Hope it will work for me.
Regards,
Jong
05-07-2008 01:33 AM
Thanks a lot JG, it works fine now.
Best Regards,
Jong