Two different "enable secret level 15" for console-access?

wagnerch
Level 1

Hi,

We are using TACACS during normal operation, but we want to be able to have two console passwords for troubleshooting if connectivity is lost.

In many cases we are not onsite in case of an error, and in such a situation we want to give temporary access to some other person (e.g. the customer's technician or another technician of our enterprise who drives to the customer). This specific password will be changed afterwards, but we do not want to give this person our own console password, which is the same on all boxes; otherwise we would need to change our password every week on every box.

Is there any solution for having two different passwords with complete authorization (full rights) without connectivity to a TACACS server?

Regards,

Chris

2 Replies

liviu.gheorghe
Spotlight

If you are using aaa new-model for authenticating users on the Cisco box, you can define a user with level 15 access with the username command:

username test-user privilege 15 password ...

Then you can modify the aaa authentication command to check the TACACS server first, then the local username database in case the TACACS server is unreachable:

aaa authentication login default group tacacs+ local

As long as the TACACS server is reachable, the local password is not checked, so all logins are authenticated by the server.

Regards, LG
*** Please Rate All Helpful Responses ***

This is also what I thought, but at the moment I have the problem that if I enter the following config commands, I do not automatically get privilege level 15 after the login. So the user still needs an enable password to get privilege 15.

aaa authentication login console local
aaa authorization exec console local
username test privilege 15 password test
line con 0
 authorization exec console
 login authentication console

The user test still gets only privilege level 1 and not 15. So the user test still needs my enable secret password for level 15 commands, which is not what I wanted.

Regards

Chris
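Putting the two replies together, the following is a complete console-fallback configuration added here as an example; it was not posted by either participant. The account names, method-list names and the secrets are assumed placeholders. It also covers the IOS behaviour behind the symptom in the follow-up: exec authorization is not applied to the console line until aaa authorization console is configured, so a privilege-15 local user lands at level 1 without it.

```text
! Added example (not from either poster): console fallback with two
! independent local privilege-15 accounts. Names and secrets are placeholders.
aaa new-model
!
! Normal operation: TACACS+. The local database is consulted only when
! no TACACS+ server answers, not when a server actively rejects the login.
aaa authentication login default group tacacs+ local
aaa authorization exec default group tacacs+ local
!
! Exec authorization is NOT applied to the console line unless this
! command is present; without it a privilege-15 user still lands at level 1.
aaa authorization console
!
! Dedicated method lists for the console so a lost uplink cannot lock you
! out of the box: local database only.
aaa authentication login CONSOLE local
aaa authorization exec CONSOLE local
!
! Two separate full-rights accounts. "secret" stores a one-way hash;
! "password" is stored in clear text or reversible type 7 at best.
username ops-team privilege 15 secret OPS_SECRET_PLACEHOLDER
username temp-tech privilege 15 secret TEMP_SECRET_PLACEHOLDER
!
line con 0
 login authentication CONSOLE
 authorization exec CONSOLE
!
! After the on-site work, retire only the temporary account
! (no username temp-tech) instead of rotating the shared credential.
```

After a console login as either user, show privilege should report level 15 without an enable step; if it reports 1, check that aaa authorization console is present in the running configuration.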
