Cisco Support Community
New Member

ACS 5.3 Different password for privilege exec mode

This is what I would like to do for our Core Routers. Not too familiar with ACS, so please excuse me if I don't provide you with all the details.

Right now I have ACS 5.3 which is tied to Active Directory. When a user logs in they use their AD credentials to access the CLI and use that same password to access privileged exec mode.

What I want to do is have users log in using their AD credentials like normal but have a unique password to access privileged exec mode, different for each user.

So far this is what I have done:

1) Created a test user (same as AD user name) in the Internal Identity Store

Password Type: Internal Users

normal password set differently than Enable Password (I think Enable Password will only be relevant)

2) Created a rule under Access Policies > Device Admin - Commands > Identity

- Created Rule with Current Condition Set (TACACS+:Authen-Type match ASCII And (TACACS+:Action match Login AND TACACS+:Service match Enable))

- Identity Source: Internal Users

When I enable the rule, I can log in with my AD credentials, but when I try to access privilege exec mode the password that I created for the local user (regular and enable) does not work.

Question: Do I need to create a shell profile with Maximum privilege value set to something under 15 for the authorization policy and apply it so it will try and use the internal user's enable password?

Not too familiar with how this works. One of my co-workers said I needed to demote the users in order for my rule to work.

Cisco Employee

ACS 5.3 Different password for privilege exec mode

Greg,

Please point the enable authentication to the AAA server:

"aaa authentication enable default group tacacs+ (fallback)".

Doing this the user will have to enter the AD password once again for enable as well. Since the AD account password will be unique for every user account, the end goal can be accomplished.

Best Regards,

Tushar Gaba.
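The device-side AAA configuration that the reply above refers to, written out as an added example (it is not configuration posted in this thread or supplied by Cisco). The server name ACS01, the address 192.0.2.10 and the keys are placeholders, and the identity rule mentioned in the comments is the one from the original post.

```cisco
! Added example, not configuration from this thread. Placeholder values:
! server name ACS01, address 192.0.2.10, keys PLACEHOLDER-*.
aaa new-model
!
tacacs server ACS01
 address ipv4 192.0.2.10
 key PLACEHOLDER-KEY
!
! Login (user exec) is authenticated against TACACS+/ACS; the local
! user database is only consulted if the ACS server is unreachable.
aaa authentication login default group tacacs+ local
!
! Enable is sent to ACS as a separate TACACS+ authentication request
! with service=enable. ACS decides which identity store answers it:
! the original post's identity rule (TACACS+:Service match Enable ->
! Internal Users) is what would make ACS check the internal user's
! Enable Password here instead of the AD password. The fallback is
! the device's own enable secret, again only if ACS is unreachable.
aaa authentication enable default group tacacs+ enable
!
! The privilege level still comes from the shell profile ACS returns.
aaa authorization exec default group tacacs+ local
!
enable secret PLACEHOLDER-ENABLE-SECRET
!
line vty 0 4
 login authentication default
 authorization exec default
```

After applying this, the ACS TACACS+ authentication report for a test enable attempt shows which identity store actually handled the Enable request, which is the quickest way to confirm the identity rule is being hit.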

New Member

ACS 5.3 Different password for privilege exec mode

Hey Tushar,

That is our current setup. Right now each user logs in with their AD credentials to get into user exec mode and the same password to get into privileged exec mode. I would like to have a user log in with their normal AD credentials to get into user exec mode and a different password (specific to each user, not locally on the device) to log in to privileged exec mode. We are doing this for security reasons. Hopefully that clarifies what I'm trying to do.