Cisco Support Community

New Member

Can't go PRIV on Console w TACACS active

We can get to EXEC mode on our console ports when TACACS is running, but can't go to PRIV mode. Disconnecting TACACS permits full access through the console. I know we're missing something simple, but can't find it. Please help.

18 REPLIES
Cisco Employee

Re: Can't go PRIV on Console w TACACS active

Please paste the device config to look what's been configured on the box.

-amit singh

New Member

Re: Can't go PRIV on Console w TACACS active

I've attached output from our canned aaa configuration. Thanks for your help.

Cisco Employee

Re: Can't go PRIV on Console w TACACS active

Try removing this command " aaa authorization exec default group tacacs+ none " and it should allow you to go to privilege mode first instead of exec mode. You can add "aaa authorization network default group tacacs+ none" command instead of the above listed command.

Let me know if that helps.

-amit singh

Hall of Fame Super Silver

Re: Can't go PRIV on Console w TACACS active

Amit

I do not think that this will make much difference since Cisco by default does not do authorization on the console.

In addition to the configuration of aaa it would be very helpful to see the complete config of the console and the vty lines.

HTH

Rick

New Member

Re: Can't go PRIV on Console w TACACS active

Haven't had time to test sorry.

Yup, removing the command didn't make a difference. However, now I couldn't go to PRIV mode even through the telnet ports using a valid TACACS account (adding the suggested line didn't make a difference).

Here are more specifics about the problem. I'm getting an "Error in Authentication" prompt when trying to go to PRIV mode after logging in with a TACACS account with TACACS running. I'm assuming that the local account is disabled while there's connectivity to the TACACS server because I couldn't log in at all. I'm also including console and vty port settings for your review.

Thanks,

Hall of Fame Super Silver

Re: Can't go PRIV on Console w TACACS active

Samih

I have looked at the configs and do not see anything that looks wrong. There is one thing that I would suggest doing differently, but I am not sure that it is your problem. When you configure authorization you configure "none" as the alternate method (aaa authorization exec default group tacacs+ none). I would suggest that instead of "none" that you use "if-authenticated".

I am wondering if I am understanding your symptoms correctly. Are you saying that if you login on the console that you get into user mode but that if you enter the enable command (and give the correct password) that you do not get into privilege mode?

HTH

Rick

New Member

Re: Can't go PRIV on Console w TACACS active

Yup, that's the problem in a nutshell. You can login to the console port using your TACACS account, but can't access PRIV mode once logged in.

Console login works fine once the TACACS account for the specific device is disabled or the server's disconnected.

I'll look into the "if-authenticated" command you suggest. Thanks for your effort.

Hall of Fame Super Silver

Re: Can't go PRIV on Console w TACACS active

Samih

The symptoms sound like the user ID you are using on the console may not be configured in TACACS to allow privilege mode. Are you perhaps using one ID for the console and a different ID for the vty login? If you login on the console and use the same ID that works on the vty do you still have a problem?

HTH

Rick

New Member

Re: Can't go PRIV on Console w TACACS active

The problem occurs when using the same user ID that works on vty. I get the "Error in Authentication" statement after typing enable and password.

Hall of Fame Super Silver

Re: Can't go PRIV on Console w TACACS active

Samih

I have looked at the configs that you posted and I do not find anything in them that would explain the symptoms that you describe. Are you sure that what you posted is exactly the config of the router?

If so, I would suggest running debug aaa authentication and debug tacacs authentication and then do a telnet which does go to privilege mode and a session on the console that does not. Capture and post the debug output. This may help us understand what is happening.

HTH

Rick

New Member

Re: Can't go PRIV on Console w TACACS active

I enabled debug and am submitting this attachment of the output. The problem area is in the "Enable mode attempt via console using temp000" portion of the attachment.

Let me know if you see anything useful and thanks again.

Hall of Fame Super Silver

Re: Can't go PRIV on Console w TACACS active

Samih

Thanks for the additional information. It has most, but not all, of what I asked for. I wanted to see a vty session login and go successfully to privilege mode but your debug only shows it logging in and then logging out without going to privilege mode.

One other question occurs to me, when you login on the vty you are using ID temp000, and what password are you using to get into privilege mode? And when you login on the console using ID temp000 and attempt to go to privilege mode what password are you using?

HTH

Rick

New Member

Re: Can't go PRIV on Console w TACACS active

Thanks again for your quick response Rick.

The TACACS account for "temp000" (not the real UserID) is set to put me in PRIV mode automatically. I can't type enable because I'm already there.

I'm using my domain password when logging using "temp000". I tried both my domain and the local enable secret password when logged in as "temp000" through the console port and got identical results with both.

Hall of Fame Super Silver

Re: Can't go PRIV on Console w TACACS active

Samih

The additional information here is quite helpful. It explains much of what is happening. If you have TACACS configured to put the user ID directly into privilege mode then that will work when logging in via vty but will not work when logging in via console. Putting you directly into privilege mode depends on the operation of authorization and Cisco does perform authorization on the vty lines but by default does not do this on the console. So on the console you login and get to user mode and then must enter the enable command and enter the appropriate password to get into privilege mode. When entering the enable command when TACACS is working you would normally enter the user's TACACS password again to get into privilege mode.

HTH

Rick
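The two points raised in this thread, Rick's earlier suggestion to use "if-authenticated" rather than "none" as the fallback authorization method, and his explanation above that IOS does not apply EXEC authorization to the console unless told to, are shown together in the AAA configuration below. This is an added example, not the poster's attached config or a Cisco-supplied one; the server address, key and secrets are placeholders, and the line and username names are assumptions.

```ios
! Added example (not the attachment from this thread): a minimal AAA
! configuration covering the settings discussed in the replies.
! 192.0.2.10 and all PLACEHOLDER values are placeholders.
aaa new-model
!
tacacs-server host 192.0.2.10 key PLACEHOLDER-TACACS-KEY
!
! Login: ask TACACS+ first; fall back to local usernames only when
! no server answers (not when the server rejects the user).
aaa authentication login default group tacacs+ local
!
! Enable: ask TACACS+ for the user's enable password first; fall back to
! the local enable secret only when no server answers. Without this line
! the enable command is checked against the local enable secret only.
aaa authentication enable default group tacacs+ enable
!
! EXEC authorization is what lands a priv-lvl 15 user at the PRIV prompt
! at login. The thread starts from this weaker form:
!   aaa authorization exec default group tacacs+ none
! With "none" every session is authorized when the server is unreachable.
! With "if-authenticated" only a session that already passed
! authentication is authorized when the server is unreachable.
aaa authorization exec default group tacacs+ if-authenticated
!
! By default IOS skips authorization on the console, so the priv-lvl
! returned by the server applies to vty sessions but not to the console.
! This command makes the console go through the same EXEC authorization.
aaa authorization console
!
! Local fallback account and enable secret for a server outage.
username admin privilege 15 secret PLACEHOLDER-LOCAL-SECRET
enable secret PLACEHOLDER-ENABLE-SECRET
!
line con 0
 login authentication default
 authorization exec default
line vty 0 4
 login authentication default
 authorization exec default
```

Two things to check before applying the console authorization line on a production device: the server's decision now also governs the console, which is the recovery path, so keep a local fallback method and a working local user so that a server outage does not lock you out; and test from a second session (vty) while still connected on the console, so a mistake in the server-side user profile can be backed out.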

New Member

Re: Can't go PRIV on Console w TACACS active

"When entering the enable command when TACACS is working you would normally enter the user's TACACS password again to get into privilege mode."

Exactly, but it's not working. There must be something in TACACS disabling privilege mode from the console even though you've entered the correct TACACS UserID password.

Hall of Fame Super Silver

Re: Can't go PRIV on Console w TACACS active

Samih

You suggest that there must be something in TACACS disabling privilege mode from the console. I am not sure that there is a way to configure TACACS that way. I believe that it is more likely something in the configuration of the user ID in TACACS. Can you verify that the username that you are using (whatever it is) is configured in TACACS to have level 15 access for this device or device group?

HTH

Rick

New Member

Re: Can't go PRIV on Console w TACACS active

I do have level 15 access because I'm at the PRIV prompt when logging in using vty. The TACACS admin indicated that my 15 is set due to the domain used for authentication. Other users get the USER EXEC prompt and aren't permitted PRIV mode. This function works well.

He's upgrading to a newer version soon so I'm hoping that resolves the problem. I'll keep y'all posted.

Hall of Fame Super Silver

Re: Can't go PRIV on Console w TACACS active

Samih

Perhaps it will turn out to be a version issue and the upgrade will fix it. But I am not optimistic about that. I still believe that it is most likely an issue with the configuration of the user ID. It occurs to me that there may be an experiment that will perhaps tell us something useful. I suggest that you make another attempt to login via the console, attempt to go to privilege mode by using the enable command, enter your correct password. It will refuse you. Then look (or ask the ACS administrator to look) in the ACS Failed Attempts report and see what reason the TACACS gives for the failure. I suspect that the failure will be something like: Tacacs+ enable privilege too low.

Please give this a try and let us know the results.

HTH

Rick
