Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
New Member

Using ACS v3.3 login sends me directly to enable

I'm using ACS v3.3 to authenticate my network devices. When I log into the managed devices, it takes me directly to enable mode. I looked through all the config options and can't seem to figure out why it would do this. Has anyone seem this before?

4 REPLIES

Re: Using ACS v3.3 login sends me directly to enable

That is due to exec authorization. Remove the priv 15 for that user

1. Go to user or group setup in ACS

2. Drop down to "TACACS+ Settings"

3. Place a check in "Shell (Exec)"

4. Uncheck "Privilege level" and clear "15" in the adjacent field

Or on aaa-client remove

aaa authorization exec default group tacacs+ if-authenticated

by

no aaa authorization exec default group tacacs+ if-authenticated

Regards,

~JG

Do rate helpful posts

New Member

Re: Using ACS v3.3 login sends me directly to enable

That works partly. Now I get the regular prompt. However, i can get in without a password. As long as my userid is valid, it will let me in with any password.

Thanks for your feedback.

Re: Using ACS v3.3 login sends me directly to enable

Do you have this command,

aaa authentication login default group tacacs local

Please share your aaa config from router.

Regards,

~JG

Do rate helpful posts

New Member

Re: Using ACS v3.3 login sends me directly to enable

Here is my config.

aaa new-model

aaa authentication login default group tacacs+ local

aaa authentication login console enable

aaa authentication login no_tacacs line

aaa authentication enable default group tacacs+ enable

aaa authorization commands 1 default group tacacs+ none

aaa authorization commands 15 default group tacacs+ none

aaa accounting exec default start-stop group tacacs+

aaa accounting commands 1 default start-stop group tacacs+

aaa accounting commands 15 default start-stop group tacacs+

aaa accounting network default start-stop group tacacs+

aaa accounting system default start-stop group tacacs+

150
Views
0
Helpful
4
Replies
CreatePlease to create content