TACACS+ Configuration

rkoudmani
Level 1

Hello,

I am trying to build a tacacs+ config to roll out on my network devices. I have an ACS doing the authentication. What I would like to do is have the ACS authenticate my users and their enable access. However I would like to leave console access using both the local username and the local enable password in order that I have a backdoor in case of future issues. I have all this working except the ability to go into enable mode from console using the local enable password. I get an auth error as I think the device is trying to ACS auth the enable password due to this:

aaa authentication enable default group tacacs+ enable

I can get around it by applying privilege level 15 to the line to come straight into enable mode, but it seems less secure.

Any ideas?

Here are the relevant bits of my config (and I do have a local username and enable defined)

aaa new-model
aaa authentication login default group tacacs+ local
aaa authentication login console local
aaa authentication enable default group tacacs+ enable
aaa authorization exec default group tacacs+ local none
aaa authorization exec console local
aaa authorization commands 0 default group tacacs+ local none
aaa authorization commands 1 default group tacacs+ local none
aaa authorization commands 15 default group tacacs+ local none
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 0 default start-stop group tacacs+
aaa accounting commands 1 default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
aaa session-id common

line con 0
password 7 <xxx>
login authentication console

Thanks in advance

1 Accepted Solution

Jagdeep Gambhir
Level 10

Hi Rasheed,

Unfortunately, there is no way to apply a specific method list for the enable authentication to apply to the console.

Named method list for enable authentication is not supported.



Regards,
~JG

Do rate helpful posts

Thanks for the quick response.
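
An added example, not from the original thread or from Cisco: a small Python audit that resolves which AAA method list each service uses on a given line, applying the rule from the accepted answer that enable authentication has only the default list. The function names are assumptions of this example, and the embedded config is the relevant subset of the lines posted in the question.

```python
import re

# Constructed sample: AAA lines copied from the question (password elided as posted).
CONFIG = """\
aaa new-model
aaa authentication login default group tacacs+ local
aaa authentication login console local
aaa authentication enable default group tacacs+ enable
aaa authorization exec default group tacacs+ local none
aaa authorization exec console local
line con 0
 password 7 <xxx>
 login authentication console
"""

AAA_RE = re.compile(r"^aaa (?:authentication|authorization) (login|enable|exec) (\S+) (.+)$")
BIND_RE = re.compile(r"^(login authentication|authorization exec) (\S+)$")

def parse(config):
    """Return (method_lists, per-line bindings) from IOS-style config text."""
    lists, bindings, current = {}, {}, None
    for raw in config.splitlines():
        text = raw.strip()
        if (m := AAA_RE.match(text)):
            lists[(m.group(1), m.group(2))] = m.group(3).split()
        elif text.startswith("line "):
            current = text[5:]
            bindings[current] = {}
        elif current and (b := BIND_RE.match(text)):
            service = "login" if b.group(1).startswith("login") else "exec"
            bindings[current][service] = b.group(2)
    return lists, bindings

def effective(config, line):
    """Resolve the method list each service actually uses on `line`."""
    lists, bindings = parse(config)
    bound = bindings.get(line, {})
    result = {}
    for service in ("login", "enable", "exec"):
        # Enable authentication has no named lists, so a line can never override it.
        name = "default" if service == "enable" else bound.get(service, "default")
        result[service] = (name, lists.get((service, name), []))
    return result

def enable_uses_remote_first(config, line):
    """True if enable on `line` tries a server group before any local method.
    IOS moves to the next method only on an error (e.g. no server response),
    not on a rejected password, so the local enable secret is not consulted
    while the server answers."""
    return effective(config, line)["enable"][1][:1] == ["group"]
```

On the posted excerpt, `effective(CONFIG, "con 0")` shows login resolving to the `console` list while enable stays on `default`; exec also resolves to `default`, because no `authorization exec console` appears under `line con 0` in the lines shown.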
