Cisco Support Community
New Member

Possible To Only Have To Enter Password 1 time?

I have configured some of our network devices to authenticate to our TACACS server. Some of the network engineers have asked me to see if I can come up with a way that they don't have to type in their password twice on the network devices. I saw a different thread,

http://forum.cisco.com/eforum/servlet/NetProf?page=netprof&forum=Security&topic=AAA&CommCmd=MB%3Fcmd%3Ddisplay_location%26location%3D.1dde9bc0

and I followed what was stated in there, however I still have to type in my password twice. I have made sure that the shell privilege level is set for 15. Anyone have any ideas?

Attached is the related router config.

aaa new-model
aaa authentication login default group tacacs+ local
aaa authentication enable default group tacacs+ enable
aaa authorization exec default group tacacs+ if-authenticated
aaa authorization commands 15 default group tacacs+ if-authenticated
tacacs-server host 172.20.62.208
tacacs-server host 172.20.62.191
tacacs-server key 7 <omitted>

Thanks for the help.

6 REPLIES
Cisco Employee

Re: Possible To Only Have To Enter Password 1 time?

Remove the command -

aaa authentication enable default group tacacs+ enable

Hope this helps,

Soumya

New Member

Re: Possible To Only Have To Enter Password 1 time?

If I do a

no aaa authentication enable default group tacacs+ enable

then when I try to sign in, I get

NBOH-2940-001-IS>en
Password:
% Access denied

I have attached a screenshot of the ACS server.

New Member

Re: Possible To Only Have To Enter Password 1 time?

First of all, if you have the exec command and shell priv option checked, you should be at the # prompt; you should not be falling into user> mode. Please send the following debugs when trying authentication.

-debug aaa authentication

-debug aaa authorization

-debug tacacs

Thanks

Parminder

Re: Possible To Only Have To Enter Password 1 time?

Hi,

What is the IOS version you have on the box? Please make sure that the attachment is from tacacs 172.20.62.208 and not the other one.

Make sure that you are a part of that group on which changes have been made. Also check if you have anything set at user level?

Regards,

~JG

New Member

Re: Possible To Only Have To Enter Password 1 time?

Hi,

As you already have the aaa authorization exec command in place, you only have to enable the privilege level field under Tacacs+ settings on the group and mention 15 as the privilege there, and that should do it.

I have attached a screenshot for your reference.

Thanks

Parminder
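
The privilege level set on the ACS group reaches the router as a `priv-lvl` attribute in the TACACS+ exec authorization reply. The following is an added example, not part of any post in this thread: it parses a reply body laid out as in RFC 8907 and reports the level the session would start at. It assumes the body has already been de-obfuscated and that a session without `priv-lvl` starts at level 1; the function names and sample replies are constructed for illustration.

```python
import struct

# Authorization REPLY status codes from RFC 8907
STATUS = {0x01: "PASS_ADD", 0x02: "PASS_REPL", 0x10: "FAIL",
          0x11: "ERROR", 0x21: "FOLLOW"}


def build_author_reply(status, args, server_msg=b"", data=b""):
    """Build an unobfuscated REPLY body (used only to make sample input)."""
    enc = [a.encode("ascii") for a in args]
    head = struct.pack("!BBHH", status, len(enc), len(server_msg), len(data))
    return head + bytes(len(a) for a in enc) + server_msg + data + b"".join(enc)


def parse_author_reply(body):
    """Return (status_name, {attribute: value}) from an unobfuscated body."""
    if len(body) < 6:
        raise ValueError("truncated header")
    status, arg_cnt, msg_len, data_len = struct.unpack("!BBHH", body[:6])
    arg_lens = body[6:6 + arg_cnt]
    offset = 6 + arg_cnt + msg_len + data_len
    if len(arg_lens) != arg_cnt or len(body) != offset + sum(arg_lens):
        raise ValueError("length fields do not match body size")
    attrs = {}
    for n in arg_lens:
        arg = body[offset:offset + n].decode("ascii")
        offset += n
        # '=' marks a mandatory attribute, '*' an optional one
        sep = min((i for i in (arg.find("="), arg.find("*")) if i >= 0), default=-1)
        if sep < 0:
            raise ValueError(f"malformed argument {arg!r}")
        attrs[arg[:sep]] = arg[sep + 1:]
    return STATUS.get(status, hex(status)), attrs


def exec_privilege(body, default=1):
    """Level the exec session starts at, or None if the shell is refused."""
    status, attrs = parse_author_reply(body)
    if not status.startswith("PASS"):
        return None
    return int(attrs.get("priv-lvl", default))  # default level is an assumption


# Constructed sample replies
WITH_PRIV = build_author_reply(0x01, ["priv-lvl=15"])   # lands at the # prompt
WITHOUT_PRIV = build_author_reply(0x01, [])             # lands in user> mode
DENIED = build_author_reply(0x10, [])                   # shell refused
```
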

Re: Possible To Only Have To Enter Password 1 time?

Hi,

No need to do enable authentication.

Please take that out and it will work fine.

Regards,

~JG
