Cisco Support Community

New Member

ACS 4.2 authentication and Privileged exec mode on Test Router.

The goal is to have ACS authenticate my username via ssh and allow me to get into privileged exec mode once authenticated. Details below.

I have ACS 4.2 Solution Engine and I have a test router with the following commands setup:

aaa new-model

aaa authentication login default group tacacs+ local

aaa session-id common

tacacs-server host 10.4.4.21 single-connection

tacacs-server key $#$&$*#

The problem is this. I can SSH and logon to the router which uses a user in the ACS database but the router will not allow me to use the enable command to get to exec mode. The error it gives me is:

AAA_ROUTER_CLIENT>enable

% Error in authentication.

AAA_ROUTER_CLIENT>

I must be missing something in the ACS. Any help would be appreciated.

1 ACCEPTED SOLUTION

Accepted Solutions

Re: ACS 4.2 authentication and Privileged exec mode on Test Route

You are missing this command

aaa authorization exec default group tacacs+ if-authenticated

This is what you need on router

Router(config)# username [username] password [password]

tacacs-server host [ip]

tacacs-server key [key]

aaa new-model

aaa authentication login default group tacacs+ local

aaa authorization exec default group tacacs+ if-authenticated

On ACS

Bring users/groups in at level 15

1. Go to user or group setup in ACS

2. Drop down to "TACACS+ Settings"

3. Place a check in "Shell (Exec)"

4. Place a check in "Privilege level" and enter "15" in the adjacent field

Regards,

~JG

Do rate helpful posts
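The accepted answer's fix is a single missing line, and the quickest way to catch this class of problem before it reaches a router is to lint the configuration for the AAA statements that must be present together. The following is an added example, not code from the thread or from Cisco: a small Python checker that parses an IOS-style running-config and reports which of the statements from the answer above are absent. It also flags a login method list with no local fallback, since a TACACS+ outage would otherwise lock administrators out. Both sample configs are constructed here (the TACACS+ key and the fallback username and password are placeholders, not values from the thread).

```python
"""Lint a Cisco IOS running-config for the AAA statements discussed in the thread.

Added example: the config samples below are constructed, and the key and
fallback credentials are placeholders rather than values from the original post.
"""
import re

# Constructed sample: the original poster's configuration (key redacted).
ORIGINAL_CONFIG = """\
aaa new-model
aaa authentication login default group tacacs+ local
aaa session-id common
tacacs-server host 10.4.4.21 single-connection
tacacs-server key REDACTED_KEY
"""

# Constructed sample: the same router after applying the accepted answer.
FIXED_CONFIG = """\
username fallbackadmin password FALLBACK_PASSWORD
aaa new-model
aaa authentication login default group tacacs+ local
aaa authorization exec default group tacacs+ if-authenticated
aaa session-id common
tacacs-server host 10.4.4.21 single-connection
tacacs-server key REDACTED_KEY
"""

# Each required statement: a human-readable label and a regex that must match
# at least one normalised config line.
REQUIRED = [
    ("aaa new-model", r"^aaa new-model$"),
    ("login authentication via tacacs+ with local fallback",
     r"^aaa authentication login default group tacacs\+ local$"),
    ("exec authorization via tacacs+ (lets ACS assign the privilege level)",
     r"^aaa authorization exec default group tacacs\+ if-authenticated$"),
    ("tacacs-server host", r"^tacacs-server host \S+"),
    ("tacacs-server key", r"^tacacs-server key \S+"),
    ("local fallback user", r"^username \S+ (password|secret) "),
]


def config_lines(text):
    """Return non-empty, non-comment config lines with whitespace collapsed."""
    out = []
    for raw in text.splitlines():
        line = " ".join(raw.split())
        if line and not line.startswith("!"):
            out.append(line)
    return out


def missing_aaa_lines(text):
    """Return the labels of required statements that the config lacks."""
    lines = config_lines(text)
    return [label for label, pattern in REQUIRED
            if not any(re.match(pattern, line) for line in lines)]


def login_is_locked_out_on_tacacs_failure(text):
    """True when the default login method list has no 'local' fallback method."""
    for line in config_lines(text):
        match = re.match(r"^aaa authentication login default (.+)$", line)
        if match:
            return "local" not in match.group(1).split()
    return False


if __name__ == "__main__":
    for name, cfg in (("original", ORIGINAL_CONFIG), ("fixed", FIXED_CONFIG)):
        print(f"{name}: missing = {missing_aaa_lines(cfg)}, "
              f"lockout risk = {login_is_locked_out_on_tacacs_failure(cfg)}")
```

Run against the original poster's configuration the checker reports the missing exec-authorization statement (the cause of the enable failure described above) and the missing local fallback user; against the fixed configuration it reports nothing missing. The checker only inspects the router side; the ACS side (Shell (Exec) enabled with privilege level 15 on the user or group) still has to be verified in the ACS GUI as the answer describes.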

2 REPLIES
New Member

Re: ACS 4.2 authentication and Privileged exec mode on Test Route

You need to configure aaa authorization command as well.

In ACS enable the "shell" with privilege level as well.

