Cisco Support Community

Tacacs or Enable Secret Not Working

hi experts,

I have a 2821 router set up for TACACS for the default login and have configured an enable secret. The funny thing is that when I telnet into this device and log in using my TACACS credentials, it drops me directly into privileged mode (router#). My other device prompts me in user mode (router>). Can anyone help me configure this router so that it lands in user mode and asks for the enable secret?

Accepted Solution

Re: Tacacs or Enable Secret Not Working

Check your VTY lines. Look for a statement like:

privilege level 15

If it's there, remove it. If it's not there, the privilege is probably in ACS.

5 REPLIES

Re: Tacacs or Enable Secret Not Working

Hi Collin,

Thanks! You were right. There was this config under line vty. I've removed it and it now prompts me in user mode.


Re: Tacacs or Enable Secret Not Working

Your tacacs-server can provide 3 things (AAA):

A - Authentication (who are you?)

A - Authorization (here we can define what method/database to use for the login-privilege for a particular group - if we want that!)

A - Accounting (who did what?)

The configured aaa-groups can be assigned to line con 0, line vty ..., ...

router(config-line)#login authentication default

("default" is the name of the list configured with "aaa ...")

Maybe you can post the relevant part of your config (aaa...; line ...)

Re: Tacacs or Enable Secret Not Working

Hi John,

You need to remove this command from the router,

aaa authorization exec default group tacacs

or

You can also remove the shell privilege 15 from ACS group setup.

Regards,

~JG

Do rate helpful posts


Re: Tacacs or Enable Secret Not Working

Think I didn't explain very well...

I was thinking of something like that:

aaa new-model
aaa authentication login TELNET group tacacs+
line vty 0 4
 login authentication TELNET
line vty 5 15
 login authentication TELNET

"TELNET" is just the name of my list.

There is also a default list which uses the local database. I didn't define anything for authorization, so the local database (-> enable-password) is used.

HTH
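The thread points at two places where a TACACS+ login can end up straight in privileged EXEC: a `privilege level 15` statement under the VTY lines (the accepted answer), and exec authorization handing the level to the TACACS+ server, where the ACS shell profile grants level 15 (JG's reply). The following audit script is an added example, not code from any of the posts or from Cisco: it parses a constructed sample running-config (the hostname, method-list names and the placeholder enable secret are all made up) and reports both conditions, plus a VTY line that references a login list no `aaa authentication login` command defines.

```python
"""Audit a Cisco IOS running-config for settings that land TACACS+ users
directly in privileged EXEC (router#) instead of user EXEC (router>).

Hypothetical helper written for this thread. SAMPLE_CONFIG is constructed
input, not a configuration taken from the original posts.
"""
import re
from typing import Dict, List, Set

# Constructed sample: vty 0-4 carries the "privilege level 15" statement the
# accepted answer tells the poster to remove; vty 5-15 does not.
SAMPLE_CONFIG = """\
hostname router
aaa new-model
aaa authentication login default group tacacs+ local
aaa authentication login TELNET group tacacs+
aaa authorization exec default group tacacs+
enable secret 5 $1$PLACEHOLDER$xxxxxxxxxxxxxxxxxxxxxx
line con 0
 login authentication default
line vty 0 4
 privilege level 15
 login authentication TELNET
 transport input telnet ssh
line vty 5 15
 login authentication TELNET
 transport input ssh
end
"""


def parse_line_blocks(config: str) -> Dict[str, List[str]]:
    """Map each 'line ...' section to its indented sub-commands,
    e.g. {'vty 0 4': ['privilege level 15', 'login authentication TELNET', ...]}."""
    blocks: Dict[str, List[str]] = {}
    current = None
    for raw in config.splitlines():
        if raw.startswith("line "):
            current = raw[len("line "):].strip()
            blocks[current] = []
        elif raw.startswith(" ") and current is not None:
            blocks[current].append(raw.strip())
        else:
            current = None  # any unindented command ends the line block
    return blocks


def defined_login_lists(config: str) -> Set[str]:
    """Names of the 'aaa authentication login <NAME> ...' method lists."""
    return set(re.findall(r"^aaa authentication login (\S+) ", config, re.M))


def audit(config: str) -> List[str]:
    """Return one human-readable finding per condition that can bypass the
    enable secret for a TACACS+ user logging in over a VTY."""
    findings: List[str] = []
    lists = defined_login_lists(config)
    for name, cmds in parse_line_blocks(config).items():
        if not name.startswith("vty"):
            continue
        for cmd in cmds:
            m = re.match(r"privilege level (\d+)", cmd)
            if m and int(m.group(1)) >= 15:
                findings.append(
                    f"line {name}: '{cmd}' puts every login straight into "
                    f"privileged EXEC; remove it"
                )
            m = re.match(r"login authentication (\S+)", cmd)
            if m and m.group(1) != "default" and m.group(1) not in lists:
                findings.append(
                    f"line {name}: login list '{m.group(1)}' is not defined "
                    f"by 'aaa authentication login'"
                )
    # With exec authorization delegated to TACACS+, the server's shell
    # profile (ACS group "shell privilege 15" in the thread) decides the level.
    if re.search(r"^aaa authorization exec \S+ group tacacs\+", config, re.M):
        findings.append(
            "aaa authorization exec uses TACACS+: the server's shell profile "
            "can still grant level 15 at login; check the ACS group setup"
        )
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print(finding)
```

Removing the `privilege level 15` line from the sample (the accepted answer's fix) leaves only the exec-authorization finding, which is exactly the second place JG tells the poster to look.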
