ACS 4.2 group settings and AAA help

ejeangilles
Level 1

I've been trying to figure this out for a few days and maybe you guys can help me out. I'm trying to get more familiar with AAA and this is what I'm trying to accomplish.

-I have a Cisco switch and I also have ACS 4.2 running on Windows 2003 and that's authenticating with a 2003 Active Directory server which is working ok.

-Level 1 group that can only run those user level commands and they should not go into enable or configuration terminal

-Level 15 group has access to everything.

-Level 1 and Level 15 groups are expecting to login with the AD credentials at first which drops them into user mode.

-Only level 15 group should be able to go into enable mode.

-I want to specify the "Enable" password within TACACS and not use the "enable password" command in the IOS.

-I don't want to use local usernames and passwords except for a back way to get in.

I tried to configure the "Max privilege for any client" to level 1 or 15 per group but that doesn't seem to work.

This is basically what I have so far.

aaa new-model
aaa authentication login default group tacacs+ local

username admin privilege 15 password 0 xxxx

Can you guys tell me what I'm missing?

1 Reply

ejeangilles
Level 1

I solved it.

I was able to use "aaa authentication enable default group tacacs local"

Now I just need to know if there's any way to configure the enable password for a group instead of user by user.

Any suggestions!!
