1. Whenever a user logs in to the NAS, they have to enter the enable password twice: once for login and a second time for enable mode. What if I want the user to enter enable mode directly using the enable password or a local account?
2. What is the purpose of if-authenticated in AAA authorization methods? According to Cisco:
"The user is allowed to access the requested function, provided he has been authenticated successfully."
I believe that it is the default behavior anyway that authorization would only be given if the user is already authenticated, isn't it?
1) If you configure a user ID and password in the local database of the router it is possible to have the user go directly to enable mode (only entering the password one time). To do this you can configure privilege level 15 as one of the parameters for the user. It might look something like username rick privilege 15 password mypassword
If you do not configure a user ID in the local database it is still possible to have a user go directly to enable mode by configuring the privilege level under line vty and under line console.
2) I think that there is some confusion about if-authenticated. You are quite correct that a user cannot be authorized until they have been authenticated. But that is not the function of if-authenticated. Let me explain what it is for by discussing first what happens if you do not use if-authenticated. Let us assume that you are configuring a router and you configure something like this:
aaa authorization exec default group tacacs+
and let us assume that the other parts are configured correctly (including aaa authentication login) so that the router does communicate with the TACACS server. So when a user logs in on the router, then after the user is authenticated the router will send an authorization request to TACACS. Only if TACACS sends the authorization successful response will the user be allowed to start an EXEC session. So far that works as expected and the user is successful.
Now let us assume that something happens to the link between the router and the TACACS server and that the router cannot communicate with the TACACS server. Let us also assume that your aaa authentication login includes some backup method (perhaps the line password or perhaps, as in your suggestion, it is the enable password). So the user can be authenticated without the TACACS server. Now the user is authenticated and the router attempts to send the authorization request to the TACACS server. But the router cannot communicate with the TACACS server so the user is not authorized. If the user is not authorized then the login is not successful.
Now let us assume that you have configured the authorization like this:
aaa authorization exec default group tacacs+ if-authenticated
(this is the same as before with if-authenticated added). Now in the case where the router cannot communicate with the TACACS server the router will authenticate the user and then the router will say the user is authorized (because he was previously authenticated) and the user login is successful.
This is the main purpose and advantage of if-authenticated in the authorization command.
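The two points of the answer put together in one IOS configuration, as an added example that is not from the original thread: the server name, address, key and the user are placeholders, and the line that is commented out is the fragile variant the answer describes.

```cisco
! Added example (not from the thread): local-user fallback that lands the
! operator in enable mode after one password prompt, plus if-authenticated
! to cover the case where the TACACS+ server is unreachable.
aaa new-model
!
tacacs server TACACS-PLACEHOLDER
 address ipv4 192.0.2.10
 key PLACEHOLDER-KEY
!
! Local account at privilege 15: one prompt, straight to enable mode.
username rick privilege 15 secret mypassword
!
! Authenticate against TACACS+; fall back to the local database only when
! the server does not answer (an explicit REJECT from the server is final).
aaa authentication login default group tacacs+ local
!
! Fragile setting: if the server is unreachable the user still authenticates
! via "local", but the EXEC authorization request has no server to answer
! it, so the login fails.
!aaa authorization exec default group tacacs+
!
! Corrected: when TACACS+ returns ERROR (unreachable) the next method,
! if-authenticated, grants EXEC to the already-authenticated user. A FAIL
! (explicit deny from the server) still ends the method list and denies.
aaa authorization exec default group tacacs+ if-authenticated
!
! Console lines only run EXEC authorization when this is enabled.
aaa authorization console
!
! Alternative without a local account: enable mode for anyone who passes
! login on these lines. If TACACS+ does answer the EXEC authorization with
! a priv-lvl attribute, the server's value takes precedence over this.
line vty 0 4
 privilege level 15
 login authentication default
 authorization exec default
```

If the server is reachable and is meant to decide the privilege level, keep the line-level privilege off and let the TACACS+ priv-lvl attribute set it, so that a server-side deny is not silently bypassed.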
I am not sure why it is not logging directly into enable mode. I wonder if there is something about GNS3?
The config that you have posted will not communicate with TACACS. So your question 2) makes little sense. With the config that you posted the router will authorize anything that the user attempts to do.