cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
3402
Views
0
Helpful
13
Replies

Privilege mode authentication using Tacacs for Cisco Routers

uzmausmani
Level 1
Level 1

I am trying to set up a test environment where I need to be able to be asked for both a username and password while entering enable mode from exec mode on a cisco IOS router. I was told the only way to do that is through Tacacs. But I've not seen any such configuration options on Tacacs in order to set it up right. Has someone ever did a setup like this before. I would appreciate any help on this. Thanks. 

1 Accepted Solution

Accepted Solutions

This is correct, as I stated in my previous post you can no accomplish what you are trying to do.  In IOS the username you use to log in

to the router is ALWAYS used when you enter enable mode.  If you want to change the user you are logged in as you will need to log out of the

router and log back in with the correct user.

--Jesse

View solution in original post

13 Replies 13

aneelaka
Level 1
Level 1

when the aaa authentication enable default group tacacs+ command or the aaa authentication enable default group command that points towards a TACACS+ server group is configured authentication happens using username $enab15$, so you dont get the username prompt only the password prompt. 

https://supportforums.cisco.com/docs/DOC-4317;jsessionid=0AD3918732307A3063A5650DC50908C9.node0

I do realise that but that doesnt solve my problem. I have a customer who has this environment where the cisco IOS router prompts for a username

and password upon entering enable mode. I'm trying to replicate that test environment. If the router accepts a default username from Tacacs that doesnt create the setup I'm looking to establish. Is there is way to setup Tacacs to prompt for a username and password instead of using the default one?

Make sure your IOS upgraded to the latest version and try the below config:

aaa authentication login default group tacacs+
aaa authentication enable default group tacacs+

tacacs-server host 10.76.86.85
tacacs-server directed-request
tacacs-server key cisco123

line vty 0 4
login authentication default

On ACS server under the user specify the enable password

I tried that. It wouldnt even give me a login prompt on telnet. It just connected and after throwing me the start banner.. after a certain time it timed out..never even asked me a login.?

Okay..now I've gotten it to where its asking me for username password for exec level..but it still only asks me enable password..still doesnt ask me for username when I try to get into enable mode...Is there any group setting I need change in order to accomplish that?

now for the password prompt you need to enter the enable password you entered in the ACS user setup, ena

ble password. Also you can turn on debug aaa authentication and debug tacacs to see more de
tails.

I'm still confused. I dont know how to get it to throw the prompt for "username" at me when I try to enter enable mode. Did I miss something here?

Hello,

     To clear up some confusion here can you post the full show run from your device minus the interface/acl configuration for brevity please.

--Jesse

version 12.3

service timestamps debug datetime msec

service timestamps log datetime msec

no service password-encryption

service compress-config

!

hostname 2621-3

!

boot-start-marker

boot system flash c2600-i-mz.123-26.bin

boot-end-marker

!

logging buffered 5001 debugging

no logging console

no logging monitor

enable password cisco

!

memory-size iomem 10

clock timezone CST -7

clock summer-time CST recurring

aaa new-model

aaa authentication login default local

aaa authentication enable default group tacacs+

aaa authorization exec default group tacacs+ local

aaa session-id common

ip subnet-zero

ip cef

!

!

no ip domain lookup

ip domain name int.voyence.com

ip name-server 192.168.21.5

!

!key chain jetef

key 10

  key-string c1sco

modemcap entry ZOOM

modemcap entry ZOOM

username jeff password 0 jeff

tacacs-server host 192.168.21.230 key cisco
tacacs-server host 10.6.230.32
tacacs-server directed-request
tacacs-server key dakey
line con 0
exec-timeout 15 0
logging synchronous
speed 115200
line aux 0
exec-timeout 15 0
password 7 104D000A0618
logging synchronous
modem InOut
modem autoconfigure discovery
terminal-type monitor
transport input all
stopbits 1
flowcontrol hardware
line vty 0 4
exec-timeout 15 0
password cisco
private
logging synchronous
!

Why are you trying to do local authentication to the router but TACACS+ authentication to the enable prompt?

You will not be prompted for a username when going into the enable prompt, in IOS when going into enable it will use the username you are currently logged in as and prompt for a password only.

I would suggest going with both exec and enable authentication using TACACS+ in this case as previously suggested:

aaa authentication login default group tacacs+ local

aaa authentication enable default group tacacs+ enable

aaa authorization exec default group tacacs+ local

--Jesse

I had done that before but it wasnt working. Okay..I tried it again and still no luck. It doesnt prompt me for username again

on entering enable mode.

AUTHENTICATION REQUIRED

Username: uzma
Password:

=============================================================================
=          REMINDER: All activities on this device are monitored            =
=         *** All changes MUST be approved prior to execution ***           =
=============================================================================

2621-3>en
Password:
2621-3#

This is correct, as I stated in my previous post you can no accomplish what you are trying to do.  In IOS the username you use to log in

to the router is ALWAYS used when you enter enable mode.  If you want to change the user you are logged in as you will need to log out of the

router and log back in with the correct user.

--Jesse

hmm..so you're saying what I'm trying to setup isnt possible? I'll check with

the customer as to how they have set this up. Thanks.

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: