Cisco Support Community
New Member

TACACS+ Configuration

Hello,

I am trying to build a TACACS+ config to roll out on my network devices. I have an ACS doing the authentication. What I would like to do is have the ACS authenticate my users and their enable access. However, I would like to leave console access using both the local username and the local enable password so that I have a backdoor in case of future issues. I have all this working except the ability to go into enable mode from console using the local enable password. I get an auth error, as I think the device is trying to ACS auth the enable password due to this:

aaa authentication enable default group tacacs+ enable

I can get around it by applying privilege level 15 to the line to come straight into enable mode, but it seems less secure.

Any ideas?

Here are the relevant bits of my config (and I do have a local username and enable defined):

aaa new-model
aaa authentication login default group tacacs+ local
aaa authentication login console local
aaa authentication enable default group tacacs+ enable
aaa authorization exec default group tacacs+ local none
aaa authorization exec console local
aaa authorization commands 0 default group tacacs+ local none
aaa authorization commands 1 default group tacacs+ local none
aaa authorization commands 15 default group tacacs+ local none
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 0 default start-stop group tacacs+
aaa accounting commands 1 default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
aaa session-id common

line con 0
password 7 <xxx>
login authentication console

Thanks in advance

1 ACCEPTED SOLUTION

Accepted Solutions

Re: TACACS+ Configuration

Hi Rasheed,

Unfortunately, there is no way to apply a specific method list for the enable authentication to apply to the console.

Named method list for enable authentication is not supported.



Regards,
~JG

Do rate helpful posts
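
An added example, not part of the original posts: a small Python check that resolves which login method list each line uses and shows that enable authentication always resolves to the single default list, as the accepted answer states. The function names and the sample config (the question's AAA lines plus a constructed `line vty 0 4`) are assumptions made for illustration.

```python
import re

# Constructed sample: AAA lines from the question plus a constructed vty line.
SAMPLE_CONFIG = """\
aaa new-model
aaa authentication login default group tacacs+ local
aaa authentication login console local
aaa authentication enable default group tacacs+ enable
line con 0
 login authentication console
line vty 0 4
"""

def split_methods(text):
    """Turn 'group tacacs+ local' into ['group tacacs+', 'local']."""
    words, out = text.split(), []
    while words:
        w = words.pop(0)
        out.append(f"{w} {words.pop(0)}" if w == "group" and words else w)
    return out

def resolve(config):
    """Map each line (con/vty) to the login and enable methods applied to it."""
    login_lists, enable, line_list, current = {}, [], {}, None
    for raw in config.splitlines():
        s = raw.strip()
        if m := re.match(r"aaa authentication login (\S+) (.+)", s):
            login_lists[m[1]] = split_methods(m[2])
        elif m := re.match(r"aaa authentication enable default (.+)", s):
            enable = split_methods(m[1])  # the only enable list: 'default'
        elif s.startswith("line "):
            current = s[5:]
            line_list[current] = "default"  # used unless the line names a list
        elif current and (m := re.match(r"login authentication (\S+)", s)):
            line_list[current] = m[1]
    # Enable methods are the same for every line; login methods vary per line.
    return {name: {"login": login_lists.get(lst, []), "enable": enable}
            for name, lst in line_list.items()}

def local_login_remote_enable(config):
    """Lines with local-only login whose enable is sent to a server group first."""
    return [name for name, m in resolve(config).items()
            if not any(x.startswith("group ") for x in m["login"])
            and m["enable"][:1] and m["enable"][0].startswith("group ")]

if __name__ == "__main__":
    for name, m in resolve(SAMPLE_CONFIG).items():
        print(f"line {name}: login={m['login']} enable={m['enable']}")
    print("local login, remote enable:", local_login_remote_enable(SAMPLE_CONFIG))
```

Run against a saved configuration, the last function lists the lines that behave like the console in the question: local login, but enable still checked against the server group first.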

2 REPLIES

New Member

Re: TACACS+ Configuration

Thanks for the quick response.
