New Member

TACACS+ ACS 3.3, PRIV 15 <enable mode> direct login

Hi,

I want to create a user with priv 15 that can login directly to the enable mode prompt from any AAA client.

Currently, the user logs in to the device then has to authenticate a second time (same PAP password) to gain priv 15.

Is a direct login possible?

Thanks

9 REPLIES

Re: TACACS+ ACS 3.3, PRIV 15 <enable mode> direct login

Router# config t

Router(config)# line vty 0 4

Router(config-line)# privilege level 15

Hope that helps.

Re: TACACS+ ACS 3.3, PRIV 15 <enable mode> direct login

You can assign privilege level 15 for all users by applying the solution given by Colin.

Alternatively you can set the privilege level 15 via either TACACS or RADIUS.

aaa authorization exec VTY group ...

Regards

Farrukh

New Member

Re: TACACS+ ACS 3.3, PRIV 15 <enable mode> direct login

Thanks for tips.

The group that you speak of Farrukh - is this the same group that I create on the ACS?

I create one user and put it in one group on ACS platform - for RANCID backup of config files.

If I add the line that you suggest to the devices, - then anyone in that group will go straight to enable mode at login? This is the way that I want to do it...

Cheers,

Chris

Re: TACACS+ ACS 3.3, PRIV 15 <enable mode> direct login

Yup they will go straight to enable mode. If you need help in configuring it just let me know the protocol you are using (TAC/RAD) and I would be glad to help.

Regards

Farrukh

New Member

Re: TACACS+ ACS 3.3, PRIV 15 <enable mode> direct login

Hi Farrukh,

So that you are clear about what I want to do:

I work for an ISP that has just merged with another.

1st ISP uses RADIUS and collects configs via RANCID for its AS.

2nd ISP uses TACACS+ CSACS 3.3 and doesn't use RANCID to collect configs.

So, I create a user and group on CSACS - same user, password as RADIUS for CSACS in the 2nd ISP.

I want to use that user in AS1 to collect configs from AS2 as well.

But in AS2 CSACS TACACS+ won't let me do that in the web-based config.

So, if it is an AAA client config change that is required - let me know what I should put in!

I'll try tomorrow what you suggest, but if you have anything to add it would be interesting to know (I am studying for R&S and SP CCIE presently ;-)).

Cheers,

Chris


Re: TACACS+ ACS 3.3, PRIV 15 <enable mode> direct login

Ok great! Please have a look at this link:

http://www.cisco.com/en/US/tech/tk59/technologies_tech_note09186a008009465c.shtml

You would be looking at the procedure described in the "Cisco Secure NT TACACS+" section.

Regards

Farrukh

New Member

Re: TACACS+ ACS 3.3, PRIV 15 <enable mode> direct login

Farrukh....

I'm trying to do this as well and haven't gotten it to work yet. I'd like a single user to access enable mode directly via their TACACS+ account. Please provide the ACS setup to do this, and also the config lines needed in the network device.

Thanks!

Re: TACACS+ ACS 3.3, PRIV 15 <enable mode> direct login

Hi,

Here are the IOS commands:

Router(config)# username [username] password [password]
Router(config)# tacacs-server host [ip]
Router(config)# tacacs-server key [key]
Router(config)# aaa new-model
Router(config)# aaa authentication login default group tacacs+ local
Router(config)# aaa authorization exec default group tacacs+ if-authenticated



Bring users or groups to level 15:
    1.  Go to User or Group Setup in ACS
    2.  Scroll down to "TACACS+ Settings"
    3.  Place a check in "Shell (Exec)"
    4.  Place a check in "Privilege level" and enter "15" in the adjacent field



Regards,

~JG


Do rate helpful posts!
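The thread describes two ways to land a user at privilege 15 on login: the static "privilege level 15" on the vty lines (which gives every user on that line level 15 regardless of their ACS profile) and AAA exec authorization, where ACS returns the level per user or group. The audit script below, added here and not part of the thread, parses a constructed IOS config fragment and reports which of the two is in place, so a reviewer can spot lines where the static shortcut bypasses the per-user ACS setting. The sample config, host address and key are constructed placeholders.

```python
import re

# Constructed sample running-config (not from the thread); it mixes the
# static per-line shortcut with AAA exec authorization via TACACS+.
SAMPLE_CONFIG = """\
aaa new-model
aaa authentication login default group tacacs+ local
aaa authorization exec default group tacacs+ if-authenticated
tacacs-server host 192.0.2.10
tacacs-server key PLACEHOLDER_KEY
line vty 0 4
 privilege level 15
 login authentication default
line vty 5 15
 transport input ssh
"""

def audit_priv15(config: str) -> dict:
    """Report how a config hands out privilege level 15 at login."""
    lines = [l.rstrip() for l in config.splitlines()]
    result = {
        "aaa_new_model": "aaa new-model" in lines,
        "exec_authz_tacacs": False,      # per-user level comes from ACS
        "exec_authz_fallback": None,     # method tried if TACACS+ errors
        "static_priv15_lines": [],       # lines forcing level 15 on everyone
    }
    current_line = None
    for l in lines:
        m = re.match(r"aaa authorization exec (\S+) group tacacs\+(.*)", l)
        if m:
            result["exec_authz_tacacs"] = True
            rest = m.group(2).split()
            result["exec_authz_fallback"] = rest[0] if rest else None
        elif l.startswith("line "):
            current_line = l[len("line "):]
        elif current_line and l.strip() == "privilege level 15":
            result["static_priv15_lines"].append(current_line)
    return result

def findings(result: dict) -> list:
    """Turn the audit dict into reviewer-readable findings."""
    out = []
    if not result["aaa_new_model"]:
        out.append("aaa new-model missing: AAA is not in effect")
    if not result["exec_authz_tacacs"]:
        out.append("no 'aaa authorization exec ... group tacacs+': ACS privilege level is ignored")
    for line in result["static_priv15_lines"]:
        out.append(f"line {line}: static 'privilege level 15' grants level 15 to every user")
    return out
```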
