11-10-2006 07:23 AM - edited 03-10-2019 02:50 PM
Hi, I tried searching this forum, and did not find information specific to my situation, but I apologize if this has previously been addressed.
What I am looking to do:
Local user configured on switch (Admin) should be placed into Exec mode upon initial login, and then have to type "Enable" and put in Enable password to get into Enable mode.
I have a Secure ACS server, integrated into Win2k3 Active Directory database. This works fine for authenticating users via their Domain Account.
I will create 2 AD groups, one for unrestricted access to the devices, and one for restricted access for certain users, and set the privilege levels per group in the ACS server. I'm not too worried about this.
My question is, how do I set it so that the local user authentication goes into Exec mode (not to Enable mode), yet users in the Unrestricted AD/ACS group go directly into Enable mode, and users in the Restricted group go into Exec mode?
One more note, I am looking to implement this on 20+ switches, each of which has different passwords assigned.
Current config:
aaa new-model
aaa authentication login default group tacacs+ local
username admin password 7 xxxxxxx
Thanks in advance for your help. If you need any more information, please let me know!
Scott
11-10-2006 11:15 AM
Scott-
The local user account is only used when the TACACS server is unavailable. At that point, does it really matter what mode the account is thrown into?
11-13-2006 01:51 PM
Ok, that makes sense. Thanks for the reply!
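Added example, not part of the original posts: one way to get the behaviour asked about in the first post, assuming the ACS groups return privilege level 15 (unrestricted) and 1 (restricted) as described there. The secrets are placeholders.

```text
aaa new-model
! Authentication: TACACS+ first; the local user is tried only if the
! server does not respond (a rejected login does not fall through)
aaa authentication login default group tacacs+ local
! Exec authorization: apply the privilege level returned by ACS;
! when TACACS+ is unreachable, use the local user's privilege level
aaa authorization exec default group tacacs+ local
! Local fallback account at privilege 1 (user EXEC), so "enable" is still required
username admin privilege 1 secret <LOCAL-PASSWORD-PLACEHOLDER>
! Per-switch enable secret the local account uses to reach privileged EXEC
enable secret <ENABLE-SECRET-PLACEHOLDER>
```

Exec authorization is not applied to the console line by default, so test over a VTY session and keep a second session open until the result is confirmed.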