New Member

enable Mode authentication

I am not able to configure enable mode authentication. I have set the ACS user password in the TACACS+ option tab

and configured the device for enable mode authentication:

aaa new-model

aaa authentication login default group tacacs+ local

aaa authentication enable default group tacasc+

aaa authorization exec default group tacacs+ if-authenticated

aaa authorization commands 1 default group tacacs+ if-authenticated

aaa authorization commands 15 default group tacacs+ if-authenticated

aaa authorization config-commands

aaa accounting commands 1 default start-stop group tacacs+

aaa accounting commands 15 default start-stop group tacacs+

But still, after login the user is only able to enter enable mode by giving the locally configured password, not the password configured in ACS.

Please help me out with how to configure the device so that both login and enable authentication are controlled by ACS.

9 REPLIES

Re: enable Mode authentication

Wasim ,

This is what you need to do.

Bring users/groups in at level 15:

1. Go to user or group setup in ACS

2. Drop down to "TACACS+ Settings"

3. Place a check in "Shell (Exec)"

4. Place a check in "Privilege level" and enter "15" in the adjacent field

Regards,

~JG

Do rate helpful posts

New Member

Re: enable Mode authentication

Thanks for the reply,

I did the same thing that you asked me to do, but now the user goes directly to privileged mode; no enable authentication is required and no enable password is requested.

Though I have set the enable password in the ACS user's TACACS+ Enable Password.

But the device is not requiring any password for enable mode. Below mentioned are the commands that I configured on the device.

aaa new-model

aaa authentication login default group tacacs+ local

aaa authentication enable default group tacasc+

aaa authorization exec default group tacacs+ if-authenticated

aaa authorization commands 1 default group tacacs+ if-authenticated

aaa authorization commands 15 default group tacacs+ if-authenticated

aaa authorization config-commands

aaa accounting commands 1 default start-stop group tacacs+

aaa accounting commands 15 default start-stop group tacacs+

Re: enable Mode authentication

Please get debug tacacs and debug aaa authentication output.

New Member

Re: enable Mode authentication

Kindly see the attachment for the debug of my device.

I applied the same configuration that you sent me and turned on the debugs:

debug aaa authentication

debug tacacs

but still the user is not asked for any enable password; only the login username and password are required.

PDC-Srv-3750-1#sh debug

General OS:

TACACS+ authentication debugging is on

AAA Authentication debugging is on

PDC-Srv-3750-1#

Re: enable Mode authentication

Do we have TACACS+ single connect enabled on ACS?

Normally, if command authorization fails due to ACS misconfig, it says

"% Command Authorization Failed".

It is a known behavior that IOS sometimes sends requests with the wrong source IP when we are using the TACACS+ single-connect option. And since it is sending the wrong source IP, first of all ACS doesn't recognize this IP.

And we do not want directed-request either.

ACTION PLAN:

Please disable the single-connect option and change the config to:

no tacacs-server host x.x.x.x single-connection

no tacacs-server directed-request

no tacacs-server key 7 06260D2A1F575D392653

tacacs-server host x.x.x.x key 7 06260D2A1F5

ip tacacs source-interface Loopback0

Define the source interface for TACACS+ authentication.

On the router issue the command

ip tacacs source-interface fastethernet x/y, where the interface would be the one mentioned in the TACACS+ server.

If the issue is still there then please send the full running config along with the following debugs:

debug aaa authen

debug aaa author

debug tacacs

Regards,

~JG
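The original post's AAA lines and JG's action plan above both come down to a handful of checks a reviewer would run against a running config before opening a TACACS+ case: every method list must point at a server group that actually exists (the string "tacasc+" in the posted config would be flagged as an undefined group), an enable method list must be present, single-connection should be off, directed-request off, and a source interface set. The following is an added example, my own code and not anything from the thread, Cisco IOS or ACS, that parses those lines and reports findings. Both sample configs are constructed; 192.0.2.10 and KEYPLACEHOLDER are placeholders, and the "info" finding about exec authorization reflects IOS behaviour: a user the server places at privilege 15 enters privileged EXEC directly, so the enable list is never consulted for that session.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Accounting record-type keywords that sit between the list name and its methods.
ACCOUNTING_TOKENS = {"start-stop", "stop-only", "wait-start", "none", "broadcast"}

AAA_LIST_RE = re.compile(
    r"^aaa (?P<kind>authentication|authorization|accounting) "
    r"(?P<service>login|enable|exec|commands \d+) (?P<name>\S+)(?P<rest>.*)$")


@dataclass
class MethodList:
    kind: str      # authentication / authorization / accounting
    service: str   # login, enable, exec, "commands 15", ...
    name: str      # "default" or a named list
    methods: List[Tuple[str, Optional[str]]] = field(default_factory=list)


@dataclass
class AAAConfig:
    new_model: bool = False
    server_groups: set = field(default_factory=lambda: {"tacacs+", "radius"})
    method_lists: List[MethodList] = field(default_factory=list)
    single_connection_hosts: List[str] = field(default_factory=list)
    directed_request: bool = True        # IOS default: enabled
    source_interface: Optional[str] = None


def parse_aaa_config(text: str) -> AAAConfig:
    """Parse only the IOS lines this review cares about."""
    cfg = AAAConfig()
    for raw in text.splitlines():
        line = raw.strip()
        if line == "aaa new-model":
            cfg.new_model = True
        elif (m := re.match(r"^aaa group server (?:tacacs\+|radius) (\S+)$", line)):
            cfg.server_groups.add(m.group(1))
        elif (m := AAA_LIST_RE.match(line)):
            ml = MethodList(m["kind"], m["service"], m["name"])
            tokens = [t for t in m["rest"].split() if t not in ACCOUNTING_TOKENS]
            i = 0
            while i < len(tokens):
                if tokens[i] == "group" and i + 1 < len(tokens):
                    ml.methods.append(("group", tokens[i + 1]))
                    i += 2
                else:
                    ml.methods.append((tokens[i], None))
                    i += 1
            cfg.method_lists.append(ml)
        elif (m := re.match(r"^tacacs-server host (\S+)(.*)$", line)):
            if "single-connection" in m.group(2).split():
                cfg.single_connection_hosts.append(m.group(1))
        elif line == "no tacacs-server directed-request":
            cfg.directed_request = False
        elif (m := re.match(r"^ip tacacs source-interface (\S+)$", line)):
            cfg.source_interface = m.group(1)
    return cfg


def audit_aaa_config(text: str) -> List[str]:
    """Return review findings; only the informational line remains on a clean config."""
    cfg = parse_aaa_config(text)
    findings = []
    if not cfg.new_model:
        findings.append("'aaa new-model' is missing, so the aaa method lists are inert")
    for ml in cfg.method_lists:
        for method, group in ml.methods:
            if method == "group" and group not in cfg.server_groups:
                findings.append(f"aaa {ml.kind} {ml.service} {ml.name}: references "
                                f"undefined server group '{group}' (typo?)")
    if not any(ml.kind == "authentication" and ml.service == "enable"
               for ml in cfg.method_lists):
        findings.append("no 'aaa authentication enable' list: enable is checked locally")
    if any(ml.kind == "authorization" and ml.service == "exec" for ml in cfg.method_lists):
        findings.append("info: exec authorization is on; a user the server places at "
                        "privilege 15 lands in privileged EXEC without an enable prompt")
    for host in cfg.single_connection_hosts:
        findings.append(f"tacacs-server host {host}: single-connection is set")
    if cfg.directed_request:
        findings.append("tacacs-server directed-request is enabled")
    if cfg.source_interface is None:
        findings.append("no 'ip tacacs source-interface' configured")
    return findings


# Constructed sample: the thread's posted AAA lines plus tacacs-server lines in the
# state the action plan removes. 192.0.2.10 and KEYPLACEHOLDER are placeholders.
POSTED_CONFIG = """
aaa new-model
aaa authentication login default group tacacs+ local
aaa authentication enable default group tacasc+
aaa authorization exec default group tacacs+ if-authenticated
aaa authorization commands 15 default group tacacs+ if-authenticated
aaa accounting commands 15 default start-stop group tacacs+
tacacs-server host 192.0.2.10 single-connection
tacacs-server key 7 KEYPLACEHOLDER
"""

# Constructed sample: the same device after the action plan (and the typo fixed).
HARDENED_CONFIG = """
aaa new-model
aaa authentication login default group tacacs+ local
aaa authentication enable default group tacacs+
aaa authorization exec default group tacacs+ if-authenticated
aaa accounting commands 15 default start-stop group tacacs+
no tacacs-server directed-request
tacacs-server host 192.0.2.10 key 7 KEYPLACEHOLDER
ip tacacs source-interface Loopback0
"""

if __name__ == "__main__":
    for label, cfg_text in (("posted", POSTED_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"== {label} ==")
        for finding in audit_aaa_config(cfg_text):
            print(" -", finding)
```

Run it against a `show running-config | include aaa|tacacs` capture; the parser ignores every line it does not recognise, so the rest of the config is harmless. The "info" line is deliberate: when the server hands back privilege level 15 on exec authorization, as JG's ACS steps do, there is no enable prompt to authenticate, which is the behaviour the second post in the thread describes.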

New Member

Re: enable Mode authentication

Sorry for the late reply, I was busy with other stuff. Regarding Cisco Catalyst switches, command authorization is working, but for the Cisco PIX firewall it is not working.

I wanted to apply the same command set for the junior admin of the firewall that I am using for switches, but it is not working for me.

The firewall is only allowing full access to admin, but not allowing junior to do anything, not even show.

I have attached the screenshots for your review and the firewall AAA configuration:

TDC-INT-525-01> enable

Command authorization failed

TDC-INT-525-01> show aaa

^

ERROR: % Invalid input detected at '^' marker.

TDC-INT-525-01> show xlate

^

ERROR: % Invalid input detected at '^' marker.

TDC-INT-525-01> enable

Command authorization failed

TDC-INT-525-01>

aaa-server TACACS+ protocol tacacs+

aaa-server TACACS+ (edn) host 172.28.31.132

aaa-server TACACS+ (edn) host 172.28.31.133

aaa authentication ssh console TACACS+ LOCAL

aaa authentication serial console LOCAL

aaa authentication enable console TACACS+ LOCAL

aaa authorization command TACACS+

aaa accounting command privilege 15 TACACS+

aaa accounting enable console TACACS+

Re: enable Mode authentication

Wasim,

I don't see the enable keyword defined in the command authorization set.

Please add "enable" along with show and clear in the "command authorization setup".

That should fix it.

Regards,

~JG
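JG's fix works because, with `aaa authorization command TACACS+` on the PIX, every command the user types is sent to the server for a decision, and `enable` is a command like any other: a set that lists only show and clear denies it, which is exactly the "Command authorization failed" in the transcript above (the "Invalid input" lines are different: `show aaa` and `show xlate` are rejected by the PIX parser at the unprivileged prompt before any authorization request is made). The following added example, my own code rather than ACS's matching logic or anything from the thread, models a command authorization set in simplified form and replays a session against the junior set before and after `enable` is added. The policies, the argument patterns and the session are constructed for illustration.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Tuple


@dataclass
class CommandRule:
    """Argument rules for one command: regexes matched against the argument string."""
    arg_patterns: List[str] = field(default_factory=list)
    permit_unmatched_args: bool = False


@dataclass
class CommandSet:
    """A per-user (or per-group) command authorization set; unlisted commands are denied."""
    rules: Dict[str, CommandRule] = field(default_factory=dict)
    permit_unmatched_commands: bool = False


def authorize(cmd_set: CommandSet, line: str) -> bool:
    """Decide one typed command line, as the firewall asks the server to do."""
    tokens = line.split()
    if not tokens:
        return True
    command, args = tokens[0], " ".join(tokens[1:])
    rule = cmd_set.rules.get(command)
    if rule is None:                          # command not in the set at all
        return cmd_set.permit_unmatched_commands
    if not args and not rule.arg_patterns:    # bare command such as "enable"
        return True
    if any(re.fullmatch(p, args) for p in rule.arg_patterns):
        return True
    return rule.permit_unmatched_args


def replay(cmd_set: CommandSet, session: List[str]) -> List[Tuple[str, str]]:
    """Replay a session and report the firewall-style outcome of each command."""
    return [(c, "permitted" if authorize(cmd_set, c) else "Command authorization failed")
            for c in session]


# Constructed policy: the junior admin's set as first described (show and clear only),
# the same set with "enable" added as JG suggested, and an admin set with full access.
JUNIOR_BEFORE = CommandSet(rules={
    "show": CommandRule(permit_unmatched_args=True),
    "clear": CommandRule(arg_patterns=[r"xlate.*", r"arp.*"]),
})
JUNIOR_AFTER = CommandSet(rules={**JUNIOR_BEFORE.rules, "enable": CommandRule()})
ADMIN = CommandSet(permit_unmatched_commands=True)

SESSION = ["enable", "show xlate", "clear xlate", "clear configure all", "configure terminal"]

if __name__ == "__main__":
    for label, policy in (("junior before", JUNIOR_BEFORE), ("junior after", JUNIOR_AFTER)):
        print(f"== {label} ==")
        for cmd, result in replay(policy, SESSION):
            print(f"  {cmd:22} {result}")
```

The point for a reviewer is the least-privilege shape of the fix: the junior set stays deny-by-default and gains exactly one more command, `enable`, so the user can reach privileged mode while `configure terminal` and unlisted `clear` arguments remain denied. Whether the firewall should accept an `enable` with arguments is a policy choice; the constructed rule above permits only the bare command.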

New Member

Re: enable Mode authentication

Thanks for the help, it works like magic. Now I am able to restrict the users.

New Member

Re: enable Mode authentication

I have a PIX 535 and I want to configure it for ACS authentication, but the problem is that users try to log in from the inside interface and ACS is located on the outside interface of the PIX firewall.

I have configured the following commands but am still not able to get authentication:

aaa-server TACACS+ protocol tacacs+

aaa-server TACACS+ (inside) host 172.28.31.132 waridtel0321

aaa-server TACACS+ (inside) host 172.28.31.133 waridtel0321

aaa authentication ssh console TACACS+ LOCAL

aaa authentication serial console LOCAL

aaa authentication enable console TACACS+ LOCAL

aaa authorization command TACACS+

aaa accounting command privilege 15 TACACS+

aaa accounting enable console TACACS+

The same configuration is working fine for me with the rest of the firewalls in my network because ACS and users are located on the same interface side; only this firewall is having the problem.

The firewall does not have anything like a source interface like routers have.

Please help me out.
