05-12-2008 03:12 PM - edited 03-10-2019 03:50 PM
I am not able to configure enable mode authentication. I have set the ACS user password in the TACACS+ option tab
and configured the device for enable mode authentication:
aaa new-model
aaa authentication login default group tacacs+ local
! group name corrected from "tacasc+" as spelled in the original post
aaa authentication enable default group tacacs+
aaa authorization exec default group tacacs+ if-authenticated
aaa authorization commands 1 default group tacacs+ if-authenticated
aaa authorization commands 15 default group tacacs+ if-authenticated
aaa authorization config-commands
aaa accounting commands 1 default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
But still, after login the user is only able to enter enable mode by giving the locally configured password, not the password configured in ACS.
Please help me out with how to configure the device so that both login and enable authentication are controlled by ACS.
05-12-2008 04:29 PM
Wasim,
This is what you need to do.
Bring users/groups in at level 15
1. Go to user or group setup in ACS
2. Drop down to "TACACS+ Settings"
3. Place a check in "Shell (Exec)"
4. Place a check in "Privilege level" and enter "15" in the adjacent field
Regards,
~JG
Do rate helpful posts
05-13-2008 03:37 AM
Thanks for the reply,
I did the same thing that you asked me to do, but now the user goes directly to privileged mode; no enable authentication is required and no enable password is asked for.
Though I have set the enable password in the ACS user's TACACS+ Enable Password.
But the device is not requiring any password for enable mode. Below are the commands that I configured on the device.
aaa new-model
aaa authentication login default group tacacs+ local
! group name corrected from "tacasc+" as spelled in the original post
aaa authentication enable default group tacacs+
aaa authorization exec default group tacacs+ if-authenticated
aaa authorization commands 1 default group tacacs+ if-authenticated
aaa authorization commands 15 default group tacacs+ if-authenticated
aaa authorization config-commands
aaa accounting commands 1 default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
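As an added example (not from the thread), a small Python lint for the IOS AAA lines posted in the first message and repeated in this one. It checks that every `group` name in a method list is either a built-in group (`tacacs+`, `radius`) or defined with `aaa group server`, and that the `login` and `enable` authentication lists contain a method that works without a reachable server. `POSTED_CONFIG` is a constructed copy of the posted configuration with the `tacasc+` spelling left in so the lint has something to find; the set of local methods it looks for is the editor's own choice.

```python
import re

# Built-in AAA server groups on IOS; any other name after "group" must come
# from an "aaa group server tacacs+|radius NAME" definition.
BUILTIN_GROUPS = {"tacacs+", "radius"}
# Methods that do not depend on a reachable AAA server (editor's selection).
LOCAL_METHODS = {"local", "local-case", "enable", "line", "none"}
ACCOUNTING_RECORD_TYPES = {"start-stop", "stop-only", "wait-start", "none"}

# Constructed sample: the configuration quoted in the posts above, typo included.
POSTED_CONFIG = """
aaa new-model
aaa authentication login default group tacacs+ local
aaa authentication enable default group tacasc+
aaa authorization exec default group tacacs+ if-authenticated
aaa authorization commands 1 default group tacacs+ if-authenticated
aaa authorization commands 15 default group tacacs+ if-authenticated
aaa authorization config-commands
aaa accounting commands 1 default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
"""


def parse_methods(tokens):
    """Turn ['group', 'tacacs+', 'local'] into [('group', 'tacacs+'), ('method', 'local')]."""
    methods, i = [], 0
    while i < len(tokens):
        if tokens[i] == "group" and i + 1 < len(tokens):
            methods.append(("group", tokens[i + 1]))
            i += 2
        else:
            methods.append(("method", tokens[i]))
            i += 1
    return methods


def lint_aaa(config):
    """Return a list of findings (strings) for the AAA method lists in an IOS config."""
    lines = [l.strip() for l in config.splitlines()
             if l.strip() and not l.strip().startswith("!")]

    # Pass 1: collect named server groups so references to them are not flagged.
    groups = set(BUILTIN_GROUPS)
    for line in lines:
        m = re.match(r"aaa group server (?:tacacs\+|radius) (\S+)$", line)
        if m:
            groups.add(m.group(1))

    # Pass 2: walk every authentication/authorization/accounting method list.
    findings = []
    for line in lines:
        t = line.split()
        if len(t) < 4 or t[0] != "aaa" or t[1] not in ("authentication", "authorization", "accounting"):
            continue  # "aaa new-model", "aaa authorization config-commands", ...
        kind, sub = t[1], t[2]
        idx = 4 if sub == "commands" else 3      # "commands <level>" carries a privilege level
        if idx >= len(t):
            continue
        idx += 1                                  # skip the list name (default or a named list)
        if kind == "accounting" and idx < len(t) and t[idx] in ACCOUNTING_RECORD_TYPES:
            idx += 1
        methods = parse_methods(t[idx:])
        for mkind, name in methods:
            if mkind == "group" and name not in groups:
                findings.append(f"{line}: server group '{name}' is not defined "
                                f"(built-in groups are tacacs+ and radius)")
        if kind == "authentication" and sub in ("login", "enable"):
            if not any(mk == "method" and n in LOCAL_METHODS for mk, n in methods):
                fallback = "enable" if sub == "enable" else "local"
                findings.append(f"{line}: every method needs a reachable server; "
                                f"append a local fallback such as '{fallback}'")
    return findings


if __name__ == "__main__":
    for finding in lint_aaa(POSTED_CONFIG):
        print(finding)
```

Run against the posted configuration it reports two findings, both on the enable line: the misspelled group and the missing fallback. A named group such as `aaa group server tacacs+ ACS` followed by `group ACS` in a method list passes the first check.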
05-13-2008 04:40 AM
Please get debug tacacs and debug aaa authentication output.
05-14-2008 12:59 AM
Kindly see the attachment for the debug output of my device.
I applied the same configuration that you sent me and turned on the debug:
debug aaa authentication
debug tacacs
but still the user is not asked for any enable password; only the login username and password are required.
PDC-Srv-3750-1#sh debug
General OS:
TACACS+ authentication debugging is on
AAA Authentication debugging is on
PDC-Srv-3750-1#
05-14-2008 05:12 AM
Do we have TACACS+ single connect enabled on ACS?
Normally if command authorization fails due to an ACS misconfiguration, it says
"% Command Authorization Failed".
It is a known behavior that IOS sometimes sends requests with the wrong source IP when we are using the TACACS+ single-connect option. And since it is sending the wrong source IP, first of all ACS doesn't recognize this IP.
And we do not want directed-request either.
ACTION PLAN:
Please disable the single-connect option and change the config to:
no tacacs-server host x.x.x.x single-connection
no tacacs-server directed-request
no tacacs-server key 7 06260D2A1F575D392653
tacacs-server host x.x.x.x key 7 06260D2A1F5
ip tacacs source-interface Loopback0
Define the source interface for TACACS+ authentication.
On the router, issue the command
ip tacacs source-interface fastethernet x/y, where the interface would be the one mentioned in the TACACS+ server.
If the issue is still there then please send the full running config along with the following debug:
debug aaa authen
debug aaa author
debug tacacs
Regards,
~JG
05-19-2008 03:24 AM
Sorry for the late reply, I was busy with other stuff. Regarding Cisco Catalyst switches, command authorization is working, but for the Cisco PIX firewall it is not working.
I wanted to apply the same command set for the junior admin of the firewall that I am using for switches, but it is not working for me.
The firewall is only allowing full access to admin, but not allowing junior to do anything, not even show.
I have attached the screenshots for your review and the firewall AAA configuration:
TDC-INT-525-01> enable
Command authorization failed
TDC-INT-525-01> show aaa
^
ERROR: % Invalid input detected at '^' marker.
TDC-INT-525-01> show xlate
^
ERROR: % Invalid input detected at '^' marker.
TDC-INT-525-01> enable
Command authorization failed
TDC-INT-525-01>
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ (edn) host 172.28.31.132
aaa-server TACACS+ (edn) host 172.28.31.133
aaa authentication ssh console TACACS+ LOCAL
aaa authentication serial console LOCAL
aaa authentication enable console TACACS+ LOCAL
aaa authorization command TACACS+
aaa accounting command privilege 15 TACACS+
aaa accounting enable console TACACS+
05-19-2008 07:20 AM
Wasim,
I don't see the enable keyword defined in the command authorization set.
Please add "enable" along with show and clear in the "command authorization setup".
That should fix it.
Regards,
~JG
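To make the reply above concrete, here is an added Python example (not part of the thread, and not ACS or PIX code) that runs one TACACS+ authorization exchange in memory: the NAS builds an AUTHOR REQUEST for `cmd=enable`, obfuscates the body with the RFC 8907 MD5 pseudo-pad under the shared key, the server decrypts it, checks the command against a simplified model of an ACS shell command authorization set (unmatched commands denied), and answers with an AUTHOR RESPONSE that the NAS decrypts. The attribute encoding `service=shell`, `cmd=enable`, `cmd-arg=<cr>`, the port and remote address, the session id and the key are constructed for the example; a real ACS command set also matches arguments with per-command permit/deny rules, which this model leaves out.

```python
import hashlib
import struct

# TACACS+ field values (RFC 8907)
TAC_PLUS_VERSION = 0xC0            # major 0xC, minor 0
TAC_PLUS_AUTHOR = 0x02             # packet type: authorization
TAC_PLUS_AUTHEN_METH_TACACSPLUS = 0x06
TAC_PLUS_AUTHEN_TYPE_ASCII = 0x01
TAC_PLUS_AUTHEN_SVC_LOGIN = 0x01
TAC_PLUS_AUTHOR_STATUS_PASS_ADD = 0x01
TAC_PLUS_AUTHOR_STATUS_FAIL = 0x10
HEADER = struct.Struct("!BBBBII")  # version, type, seq_no, flags, session_id, length


def pseudo_pad(session_id, key, version, seq_no, length):
    """MD5 keystream: pad_n = MD5(session_id | key | version | seq_no | pad_{n-1})."""
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(struct.pack("!I", session_id) + key + bytes([version, seq_no]) + prev).digest()
        pad += prev
    return pad[:length]


def xor_body(body, session_id, key, version, seq_no):
    """Body obfuscation is XOR with the pad, so the same call encrypts and decrypts."""
    pad = pseudo_pad(session_id, key, version, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))


def build_packet(ptype, seq_no, session_id, body, key):
    header = HEADER.pack(TAC_PLUS_VERSION, ptype, seq_no, 0, session_id, len(body))
    return header + xor_body(body, session_id, key, TAC_PLUS_VERSION, seq_no)


def parse_packet(packet, key):
    version, ptype, seq_no, _flags, session_id, length = HEADER.unpack(packet[:HEADER.size])
    body = xor_body(packet[HEADER.size:HEADER.size + length], session_id, key, version, seq_no)
    return ptype, seq_no, session_id, body


def author_request_body(user, port, rem_addr, args, priv_lvl=1):
    """AUTHOR REQUEST body: fixed fields, arg lengths, then user, port, rem_addr, args."""
    u, p, r = user.encode(), port.encode(), rem_addr.encode()
    a = [x.encode() for x in args]
    fixed = struct.pack("!8B", TAC_PLUS_AUTHEN_METH_TACACSPLUS, priv_lvl, TAC_PLUS_AUTHEN_TYPE_ASCII,
                        TAC_PLUS_AUTHEN_SVC_LOGIN, len(u), len(p), len(r), len(a))
    return fixed + bytes(len(x) for x in a) + u + p + r + b"".join(a)


def parse_author_request_body(body):
    _, priv, _, _, ulen, plen, rlen, argc = struct.unpack("!8B", body[:8])
    arg_lens, off = body[8:8 + argc], 8 + argc
    user, off = body[off:off + ulen].decode(), off + ulen
    port, off = body[off:off + plen].decode(), off + plen
    rem_addr, off = body[off:off + rlen].decode(), off + rlen
    args = []
    for n in arg_lens:
        args.append(body[off:off + n].decode())
        off += n
    return user, priv, port, rem_addr, args


def author_response_body(status, server_msg=""):
    """AUTHOR RESPONSE body with no returned attributes: status, arg_cnt, msg_len, data_len, msg."""
    msg = server_msg.encode()
    return struct.pack("!BBHH", status, 0, len(msg), 0) + msg


def parse_author_response_body(body):
    status, argc, msg_len, _ = struct.unpack("!BBHH", body[:6])
    off = 6 + argc
    return status, body[off:off + msg_len].decode()


def evaluate_command_set(args, permitted_commands):
    """Simplified ACS shell command set: cmd= must be listed, unmatched commands are denied."""
    attrs = dict(a.split("=", 1) for a in args if "=" in a)
    if attrs.get("service") != "shell":
        return TAC_PLUS_AUTHOR_STATUS_FAIL
    if attrs.get("cmd", "") in permitted_commands:
        return TAC_PLUS_AUTHOR_STATUS_PASS_ADD
    return TAC_PLUS_AUTHOR_STATUS_FAIL


def authorize(user, args, permitted_commands, key, session_id=0x2A3B4C5D):
    """One NAS <-> server authorization exchange in memory; returns (status, server_msg)."""
    # NAS side: AUTHOR REQUEST, seq_no 1 (port and remote address are constructed values)
    request = build_packet(TAC_PLUS_AUTHOR, 1, session_id,
                           author_request_body(user, "ssh", "10.0.0.7", args), key)
    # Server side: decrypt with the shared key, evaluate, answer with seq_no 2
    ptype, seq_no, sid, body = parse_packet(request, key)
    if ptype != TAC_PLUS_AUTHOR:
        raise ValueError("unexpected packet type")
    _, _, _, _, rargs = parse_author_request_body(body)
    status = evaluate_command_set(rargs, permitted_commands)
    msg = "" if status == TAC_PLUS_AUTHOR_STATUS_PASS_ADD else "command not in authorization set"
    response = build_packet(TAC_PLUS_AUTHOR, seq_no + 1, sid, author_response_body(status, msg), key)
    # NAS side: decrypt the response and act on the status
    _, _, _, rbody = parse_packet(response, key)
    return parse_author_response_body(rbody)


if __name__ == "__main__":
    # Constructed request: what a firewall with "aaa authorization command TACACS+" is assumed
    # to send when the junior admin types "enable" (attribute names as IOS encodes them).
    enable_cmd = ["service=shell", "cmd=enable", "cmd-arg=<cr>"]
    print(authorize("junior", enable_cmd, {"show", "clear"}, b"s3cret"))
    print(authorize("junior", enable_cmd, {"show", "clear", "enable"}, b"s3cret"))
```

With only `show` and `clear` permitted, the server answers FAIL (0x10) and the firewall refuses the `enable` transition, which matches the "Command authorization failed" output in the post; once `enable` is added to the set the same request gets PASS_ADD (0x01). Decrypting with a different key yields garbage rather than an error, which is why a key mismatch between firewall and ACS shows up as parse failures on the server rather than as a clean rejection.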
05-19-2008 10:24 AM
Thanks for the help, it works like magic, now I am able to restrict the users.
05-20-2008 05:07 AM
I have a PIX 535. I want to configure it for ACS authentication, but the problem is that users try to log in from the inside interface and the ACS is located on the outside interface of the PIX firewall.
I have configured the following commands but am still not able to get authentication:
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ (inside) host 172.28.31.132 waridtel0321
aaa-server TACACS+ (inside) host 172.28.31.133 waridtel0321
aaa authentication ssh console TACACS+ LOCAL
aaa authentication serial console LOCAL
aaa authentication enable console TACACS+ LOCAL
aaa authorization command TACACS+
aaa accounting command privilege 15 TACACS+
aaa accounting enable console TACACS+
The same configuration is working fine for me with the rest of the firewalls of my network because the ACS and users are located on the same interface side; only this firewall is having the problem.
The firewall does not have anything like a source interface, as routers have.
Please help me out.