
New Member

Tacacs+ Authenticating the Enable Password

I have the following configuration on my switch and it works correctly:

aaa group server tacacs+ tacacs_serv
 server 192.168.70.20
aaa authentication login tac_auth group tacacs_serv local
line vty 0 15
 login authentication tac_auth
 transport input ssh

The configuration above works correctly, my username/pwd are authenticated via Tacacs+ and the "enable" password is confirmed via the local database on the switch.

When I make the following changes, attempting to have TACACS+ validate the username/pwd as well as the "enable" password, I cannot log into the switch at all.

aaa group server tacacs+ tacacs_serv
 server 192.168.70.20
aaa authentication login default group tacacs_serv local
aaa authentication enable default group tacacs_serv enable
line vty 0 15
 login authentication default
 transport input ssh

The switch is running 12.2(44)SE6. The username/pwd are in the local database of the Linux server. The Enable password is configured in two places within the tac_plus.conf file:

host = 192.168.70.15 {
        prompt = "Enter your Username and Password. Username: "
        enable = cleartext "password"
}

AND

user = $enab15$ {
        login = cleartext "password"
}

Any help would be appreciated.

Thanks


7 REPLIES
Cisco Employee

Tacacs+ Authenticating the Enable Password

Dear David ,

Please post debug aaa authentication

From the configuration you have posted it seems your switch-side configuration is correct, and there could be something missing on the TACACS+ server side.

http://my.safaribooksonline.com/book/networking/cisco-ios/0596527225/tacacsplus/i47039__heada__4_8

If you choose to use TACACS+ to authenticate your enable password as well, then you will need to define a special enable user called $enabl15$. The following example creates this enable account by using the password happy. After you define this username, the TACACS+ server will be able to handle authentication requests for the enable password:

user = $enab15$ {
    login = cleartext happy
}

Thanks

sharad

New Member

Tacacs+ Authenticating the Enable Password

Thanks for your help. I have tried creating the special user you mentioned (enab15 and enabl15). I did it both ways since there was a typo. Neither works. Below is the output from the command debug aaa authentication:

Dec 10 15:08:43.155: AAA: parse name=tty0 idb type=-1 tty=-1
Dec 10 15:08:43.155: AAA: name=tty0 flags=0x11 type=4 shelf=0 slot=0 adapter=0 port=0 channel=0
Dec 10 15:08:43.155: AAA/MEMORY: create_user (0x1F3BA50) user='testuser' ruser='NULL' ds0=0 port='tty0' rem_addr='async' authen_type=ASCII service=ENABLE priv=15 initial_task_id='0', vrf= (id=0)
Dec 10 15:08:43.155: AAA/AUTHEN/START (1044210600): port='tty0' list='' action=LOGIN service=ENABLE
Dec 10 15:08:43.155: AAA/AUTHEN/START (1044210600): using "default" list
Dec 10 15:08:43.155: AAA/AUTHEN/START (1044210600): Method=tacacs_serv (tacacs+)
Dec 10 15:08:43.155: TAC+: send AUTHEN/START packet ver=192 id=1044210600
Dec 10 15:08:43.457: TAC+: ver=192 id=1044210600 received AUTHEN status = GETPASS
Dec 10 15:08:43.457: AAA/AUTHEN (1044210600): status = GETPASS
% Error in authentication.

I am testing this on a 2960, running 12.2(44)SE6. Could this be a bug?

Silver

Tacacs+ Authenticating the Enable Password

Hi David,

% Error in authentication

at enable authentication usually means that the (maximum) privilege level is not 15.

Because when you type in "enable" it is actually "enable 15".

**Share your knowledge. It’s a way to achieve immortality.
--Dalai Lama**

Please Rate if helpful.
Regards
Ed

New Member

Tacacs+ Authenticating the Enable Password

Below is the config of the enabl15 user in the TACACS+ config file:

user = $enabl15$ {
        login = cleartext 802.11boingo
        priv-lvl = 15
}

I did, at your suggestion, add the priv-lvl line. It did not change the result.

Below is the most recent debug:

CCG-WLA-TEST-SWT-1>ena
Password:
Dec 10 15:41:55.857: AAA: parse name=tty0 idb type=-1 tty=-1
Dec 10 15:41:55.857: AAA: name=tty0 flags=0x11 type=4 shelf=0 slot=0 adapter=0 port=0 channel=0
Dec 10 15:41:55.857: AAA/MEMORY: create_user (0x1E6AA88) user='testuser' ruser='NULL' ds0=0 port='tty0' rem_addr='async' authen_type=ASCII service=ENABLE priv=15 initial_task_id='0', vrf= (id=0)
Dec 10 15:41:55.865: AAA/AUTHEN/START (3771241761): port='tty0' list='' action=LOGIN service=ENABLE
Dec 10 15:41:55.865: AAA/AUTHEN/START (3771241761): using "default" list
Dec 10 15:41:55.865: AAA/AUTHEN/START (3771241761): Method=tacacs_serv (tacacs+)
Dec 10 15:41:55.865: TAC+: send AUTHEN/START packet ver=192 id=-523725535
Dec 10 15:41:56.167: TAC+: ver=192 id=-523725535 received AUTHEN status = GETPASS
Dec 10 15:41:56.167: AAA/AUTHEN (3771241761): status = GETPASS
% Error in authentication.

Thanks again...

Silver

Tacacs+ Authenticating the Enable Password

Hi David,

If you notice the debug:

Dec 10 15:41:55.857: AAA/MEMORY: create_user (0x1E6AA88) user='testuser' ruser='NULL' ds0=0 port='tty0' rem_addr='async' authen_type=ASCII service=ENABLE priv=15 initial_task_id='0', vrf= (id=0)

So enable authentication is being done for testuser, so the privilege should also be inside the user testuser.

**Share your knowledge. It’s a way to achieve immortality.
--Dalai Lama**

Please Rate if helpful.
Regards
Ed

New Member

Tacacs+ Authenticating the Enable Password

I added the priv-lvl to enabl15:

user = $enabl15$ {
        login = cleartext 802.11boingo
        priv-lvl = 15
}

It is also in the testuser config:

user = testuser {
        login = PAM
        member = admin
        service = exec
        priv-lvl = 15
}

It is also in the group config:

group = admin {
        # group members who don't have their own login password will be
        # looked up in /etc/passwd
        #login = file /etc/passwd
        login = PAM
        # group members who have no expiry date set will use this one
        #expires = "Jan 1 1997"
        # only allow access to specific routers
        acl = default
        # Needed for the router to make commands available to user (subject
        # to authorization if so configured on the router)
        service = exec {
                priv-lvl = 15
                #default service = permit
        }
}

Below is the latest debug:

CCG-WLA-TEST-SWT-1>ena
Password:
Dec 10 16:06:45.755: AAA: parse name=tty0 idb type=-1 tty=-1
Dec 10 16:06:45.755: AAA: name=tty0 flags=0x11 type=4 shelf=0 slot=0 adapter=0 port=0 channel=0
Dec 10 16:06:45.755: AAA/MEMORY: create_user (0x1F3CB4C) user='testuser' ruser='NULL' ds0=0 port='tty0' rem_addr='async' authen_type=ASCII service=ENABLE priv=15 initial_task_id='0', vrf= (id=0)
Dec 10 16:06:45.755: AAA/AUTHEN/START (3173866470): port='tty0' list='' action=LOGIN service=ENABLE
Dec 10 16:06:45.755: AAA/AUTHEN/START (3173866470): using "default" list
Dec 10 16:06:45.755: AAA/AUTHEN/START (3173866470): Method=tacacs_serv (tacacs+)
Dec 10 16:06:45.755: TAC+: send AUTHEN/START packet ver=192 id=-1121100826
Dec 10 16:06:46.057: TAC+: ver=192 id=-1121100826 received AUTHEN status = GETPASS
Dec 10 16:06:46.057: AAA/AUTHEN (3173866470): status = GETPASS
% Error in authentication.

Silver

Tacacs+ Authenticating the Enable Password

Hi David,

So here is the thing: I know how to set maximum and default privilege levels on the ACS (Cisco Access Control System).

Eg:

In the same way, it would be different in the tac_plus server that you are using.

The configuration you have used is, I suppose, for the default privilege level, which will not help in our scenario.

Now, I am not sure of how to configure maximum privilege on the tac_plus side.

I do have a suggestion if you are interested in skipping the enable authentication mode and doing the authorization based on privilege levels.

Let me know if you are; then I can suggest that config on the IOS side.

**Share your knowledge. It’s a way to achieve immortality.
--Dalai Lama**

Please Rate if helpful.
Regards
Ed
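As an added example (not code from the thread, nor from tac_plus itself), a small Python checker for the tac_plus.conf blocks posted above: it parses the user/group/host blocks, reports unclosed braces, checks that the special enable user from the quoted tac_plus example, $enab15$, exists, and flags near-miss spellings of that name. SAMPLE_CONF and its EXAMPLE-PASSWORD value are constructed, not the poster's real file.

```python
import re

# Added example, not from the thread: checks the tac_plus.conf pieces that TACACS+ enable
# auth depends on. ENABLE_USER is from the quoted tac_plus example; SAMPLE_CONF is constructed.
ENABLE_USER = "$enab15$"
BLOCK_RE = re.compile(r"^(user|group|host)\s*=\s*(\S+)\s*\{$")
KV_RE = re.compile(r"^([\w-]+)\s*=\s*(.*?)\s*\{?$")

SAMPLE_CONF = """
user = $enabl15$ {
        login = cleartext EXAMPLE-PASSWORD
        priv-lvl = 15
}
user = testuser {
        login = PAM
}
"""

def parse_tac_plus(text):
    """Return ({kind: {name: {key: value}}}, number_of_unclosed_blocks)."""
    blocks = {"user": {}, "group": {}, "host": {}}
    current, depth = None, 0
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments; values containing '#' unsupported
        if not line:
            continue
        if m := BLOCK_RE.match(line):
            current = blocks[m.group(1)].setdefault(m.group(2), {})
            depth += 1
        elif line == "}":
            depth -= 1
            current = current if depth else None
        else:
            if line.endswith("{"):  # nested block such as "service = exec {"
                depth += 1
            if current is not None and (kv := KV_RE.match(line)):
                current[kv.group(1)] = kv.group(2)  # nested keys flatten into the block
    return blocks, depth

def check_enable_config(text):
    blocks, depth = parse_tac_plus(text)
    users, findings = blocks["user"], []
    if depth:
        findings.append(f"{depth} block(s) never closed with '}}'")
    if ENABLE_USER not in users:
        findings.append(f"no {ENABLE_USER} user: nothing to check the enable password against")
    for name in users:
        if name != ENABLE_USER and re.fullmatch(r"\$enab\w*15\$", name):
            findings.append(f"user {name} looks like a misspelling of {ENABLE_USER}")
    return findings
```

Running check_enable_config over the real tac_plus.conf (rather than SAMPLE_CONF) gives the server-side checklist the thread never gets to; the IOS debug output only shows that the server answered GETPASS and then rejected the password.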
