Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
926
Views
0
Helpful
2
Replies

ACS 5.3 Different password for privilege exec mode

gregaspenson
Level 1
Level 1

‎11-22-2013 01:11 PM - edited ‎03-10-2019 09:07 PM

This is what I would like to do for our Core Routers. Not too familiar with ACS, so please excuse me if I don't provide you will all the details.

Right now I have ACS 5.3 which is tide to Active Directory. When a user logs in they use there AD credentials to access the CLI and use that same password to access privileged exec mode.

What I want to do is have users log in using their AD credentials like normal but have a unique password to access privileged exec mode, different for each user.

So far this is what I have done:

1) Created a test user (same as AD user name) in the Internal Identity Store

Password Type: Internal Users

normal password set differently that Enable Password (I think Enable Password will only be relevant)

2) Created a rule under Access Policies > Device Admin - Commands > Identity

- Created Rule with Current Condition Set    (TACACS+:Authen-Type match ASCII And (TACACS+:Action match Login AND TACACS+Service match Enable))

- Identity Source: Internal Users

When I enable the rule. I can login with my AD credentials, but when I try to access privilege exec mode the password that I created for the local user (regular and enable) does not work.

Question: Do I need to create a shell profile with Maximum privilege value set to something under 15 for the authorization policy and apply it so it will try and use the internal user's enable password?

Not to familiar with how this works. One of my co-workers said I needed to demote the users in order for my rule to work.

Labels:
0 Helpful
2 Replies 2

Tushar Gaba
Cisco Employee
Cisco Employee

‎11-25-2013 11:23 AM

Greg ,

Please point the enable authentication to AAA-SERVER ::

"aaa authentication enable default group tacacs+ (fallback) .

Doing this the user will have to enter the AD password once again for enable as well .Since the AD account password will be unique for every user account the end goal can be accomplished .

Best Regards ,

Tushar Gaba .

0 Helpful

gregaspenson
Level 1
Level 1
In response to Tushar Gaba

‎11-25-2013 11:32 AM

Hey Tushar,

That is our current setup. Right now each user logs in with their AD credentials to get into user exec mode and the same password to get into privileged exec mode. I would like to have a user login with their normal AD credentials to get into user exec mode and a different password (specific to each user, not locally on the device) to login to privileged exec mode. We are doing this for security reasons. Hopefully that clarifys what I'm trying to do.

Thanks

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents