Cisco Support Community

New Member

Enable password from tacacs server

I have an LDAP server with a tacacs package (tac_plus.F5.0.0.alpha) and 10 users which is doing the tacacs authentication for users logging into my routers. I configured the allowed commands in the tacacs server per group of users; this is all working fine.

Now I also want to fetch the enable password from the tacacs server, and preferably the users should enter their password again (instead of the enable password - as command authorization is configured per group of users).

When I try to go into enable mode, I see in the debugging that a username $enable$ is sent to the tacacs server, which is not known, and so I still have to enter the enable password.

Commands I used in the router are:

aaa authentication login default group tacacs+ local

aaa authentication enable default tacacs+ local

aaa authorization exec default tacacs+ local

aaa authorization commands 0 default tacacs+ local

aaa authorization commands 1 default tacacs+ local

aaa authorization commands 15 default tacacs+ local

Do you know how $enable$ can be replaced by something, so my idea would work?

Thanks in advance, Karien

2 REPLIES
New Member

Re: Enable password from tacacs server

Hi Karien,

You are using old code, and that is the reason why it sends out the username $enable$. If you are using 12.0.7T or above code, it will send the original username for enable authentication.

Thanks

Sujit

New Member

Re: Enable password from tacacs server

Hi Sujit,

I used 12.2.13T and 12.2.15T while having this issue.

Thanks, Karien
