Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

en pass and en secret with AAA authentication

Hi all,

I have a question: recently I set up ACS 4.2 and configured on aaa client. Everything was working fine until one day the ACS went off-line. I was able to authenticated with the local account and go in enable mode, but when I tried to see the configuration file or do config t, I got a message basically saying that I did not have the rights to do it. I have no idea why, the only thing I can think of is that I removed the enable password from the config and left only enable secret. Does that have anything to do with the issue I experienced?

Thank you in advance!

Cheers....

5 REPLIES
Hall of Fame Super Silver

Re: en pass and en secret with AAA authentication

Mauricio

The symptoms that you describe sound more like a problem with the configuration of authorization. I doubt that it has anything to do with removing the enable password.

Perhaps you could post the aaa configuration (or perhaps even the complete router config) and that might help us to see that is the issue.

HTH

Rick

New Member

Re: en pass and en secret with AAA authentication

Hi Rick,

Here it's.

enable secret 5 XXXXXXXXX

!

username XXXXX password 7 XXXXXXX

aaa new-model

aaa authentication attempts login 5

aaa authentication login default group tacacs+ local enable

aaa authorization commands 15 default group tacacs+ local if-authenticated

aaa accounting exec default start-stop group tacacs+

aaa accounting commands 15 default start-stop group tacacs+

!

aaa session-id common

tacacs-server host XXXXXXX

tacacs-server attempts 5

tacacs-server directed-request

tacacs-server key 7 XXXXXXX

line con 0

exec-timeout 20 0

password 7 XXXXXXXXXXXX

line vty 0 4

exec-timeout 20 0

password 7 XXXXXXXXXXXXXXXXXXXXX

Hall of Fame Super Silver

Re: en pass and en secret with AAA authentication

Mauricio

Thanks for providing the additional information. It is not clear to me whether the problem is only about showing the config and about config t or whether it is affecting any command that requires privilege access. (I am guessing that it is any command requiring privilege access) Can you tell us whether other commands that require privilege access do work in that situation (for example can you clear counters on interfaces)?

I would suggest that perhaps you try changing this:

aaa authorization commands 15 default group tacacs+ local if-authenticated

and make it this:

aaa authorization commands 15 default group tacacs+ if-authenticated

HTH

Rick

New Member

Re: en pass and en secret with AAA authentication

Hi Rick,

I wanted to thank you for taking the time to help others and let you know what the problem was. The appliance was going onto a hang state, but not completely down, thus some aaa clients were still communicating with it and it wasn't letting me fully authenticated with the tacacs account or local account. In a nut shell is was a hardware issue.

Hall of Fame Super Silver

Re: en pass and en secret with AAA authentication

Mauricio

Thank you for posting back to the thread and indicating that you have solved the problem and what the solution was. It makes the forum more useful when people can read a problem and can read and find what was the cause of the problem.

The forum is a good place to learn about Cisco networking. I encourage you to continue your participation in the forum.

HTH

Rick

147
Views
4
Helpful
5
Replies
CreatePlease to create content