04-23-2009 01:35 AM - edited 03-06-2019 05:20 AM
The following is the existing AAA config on my 6509 switch:
aaa new-model
aaa authentication login default group tacacs+
aaa authentication enable default group tacacs+
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 1 default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
This works except for the fact that when the enable command is issued, it prompts for a username again after the initial username. See below:
User Access Verification
Username: xxxxxxx
Password:
6509>en
User Access Verification
Username: xxxxxxxx
Password:
6509#
Does anyone know what may be causing this and how it can be solved?
04-23-2009 02:10 AM
no aaa authentication enable default group tacacs+
A default authentication is defined for enable, which overrides the enable secret.
HTH
04-23-2009 02:31 AM
I have applied the following:
no aaa authentication enable default group tacacs+
See what I have:
Username: xxxxxx
Password:
6509>en
Password:
% Access denied
I still want to use tacacs+ for my privilege password for the enable command. This is the way it works for all other devices (routers and switches) on my network except the newly deployed 6509-E.
04-23-2009 02:32 AM
Could this be an issue with 6509?
Many thanks for your help.
04-23-2009 04:40 AM
I just got this from cisco documentation:
CSCsu21040 -- AAA Enable authentication prompts for username/password instead of just password
The caveat was solved in Release 12.2(33)SXH4.
04-23-2009 05:21 AM
Hello Stephen,
with the following config it works well for us
sh run | inc aaa
aaa new-model
aaa authentication login ACS group tacacs+ local
aaa authentication enable default group tacacs+ enable
aaa accounting update newinfo
aaa accounting exec ACS start-stop group tacacs+
aaa accounting commands 1 ACS start-stop group tacacs+
aaa accounting commands 15 ACS start-stop group tacacs+
aaa session-id common
sh ver | inc image
System image file is "disk0:s72033-advipservicesk9_wan-mz.122-33.SXH2.bin"
Hope to help
Giuseppe
04-23-2009 05:37 AM
Hello,
This is similar to my config:
aaa authentication login default group tacacs+
aaa authentication enable default group tacacs+
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 1 default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
The only difference here is that you used the option ACS instead of default and, in your case, applied login authentication ACS under line vty 0 15.
It is interesting, though, that you said it is working for you without bringing up the second username, which is the main issue here.
This is caused by the bug CSCsu21040. From Cisco documentation, the description given to the bug is "AAA Enable authentication prompts for username/password instead of just password". This caveat was solved in release 12.2(33)SXH4.
Search for CSCsu21040 from:
http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/12.2SX/release/notes/ol_14271.pdf
04-30-2009 05:55 AM
Confirmed
04-30-2009 07:02 AM
Hello Stephen,
I see in the list of affected versions that our release should also be affected.
Probably some of our additional commands, like
aaa session-id common
are a workaround for this.
yes the method list is ACS and it is applied on the vty
sh run | beg line vty
line vty 0 3
access-class 24 in
exec-timeout 15 0
password 7
accounting commands 1 ACS
accounting commands 15 ACS
accounting exec ACS
login authentication ACS
transport input lat pad udptn telnet rlogin ssh acercon
Hope to help
Giuseppe
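The lockout risk that runs through this thread (a login or enable method list with only `group tacacs+` and no fallback, and, after the enable list was removed, an `enable` method with no enable secret behind it, which produced the "% Access denied") can be checked mechanically before a config is pushed. The following is an added example, not code from the thread or from Cisco: a small Python linter that parses `aaa authentication login|enable` lines and `login authentication` bindings under `line vty` from `show running-config` text and flags those conditions. The three sample configs are constructed from the posts above; the `enable secret` line in the third one is a placeholder, and the function and finding names are this example's own.

```python
import re

AUTH_LINE_RE = re.compile(r"^\s*aaa authentication (login|enable) (\S+)\s+(.*)$")
ENABLE_SECRET_RE = re.compile(r"^\s*enable (secret|password) ", re.M)
NEW_MODEL_RE = re.compile(r"^\s*aaa new-model\s*$", re.M)
LINE_LOGIN_RE = re.compile(r"^\s*login authentication (\S+)", re.M)


def parse_method_lists(config):
    """Return {(kind, list_name): [method, ...]} for the authentication lists.

    'group <server-group>' is kept as a single method token so that
    'group tacacs+ local' becomes ['group tacacs+', 'local'].
    """
    lists = {}
    for line in config.splitlines():
        m = AUTH_LINE_RE.match(line)
        if not m:
            continue
        kind, name, rest = m.groups()
        tokens = rest.split()
        methods, i = [], 0
        while i < len(tokens):
            if tokens[i] == "group" and i + 1 < len(tokens):
                methods.append("group " + tokens[i + 1])
                i += 2
            else:
                methods.append(tokens[i])
                i += 1
        lists[(kind, name)] = methods
    return lists


def is_remote(method):
    # Anything reached through a server group (tacacs+, radius, named groups).
    return method.startswith("group ")


def lint_aaa(config):
    """Return a list of human-readable findings about lockout risk.

    IOS only moves to the next method in a list when the previous method
    returns ERROR (server unreachable), not when it returns FAIL (bad
    password), so a trailing 'local' or 'enable' method is a safety net for
    a dead TACACS+ server, not a second password to guess.
    """
    findings = []
    lists = parse_method_lists(config)
    has_secret = ENABLE_SECRET_RE.search(config) is not None
    applied = set(LINE_LOGIN_RE.findall(config))

    for (kind, name), methods in lists.items():
        if all(is_remote(m) for m in methods):
            findings.append(
                f"{kind} list '{name}' has only remote methods "
                f"({', '.join(methods)}): lockout if the AAA servers are unreachable")
        if kind == "enable" and "enable" in methods and not has_secret:
            findings.append(
                f"enable list '{name}' falls back to 'enable' but no enable secret "
                "is configured: the fallback cannot succeed")
        if kind == "login" and name != "default" and name not in applied:
            findings.append(
                f"login list '{name}' is defined but not applied to any line "
                "with 'login authentication'")

    enable_lists = [n for (k, n) in lists if k == "enable"]
    if NEW_MODEL_RE.search(config) and not enable_lists and not has_secret:
        findings.append(
            "no 'aaa authentication enable' list and no enable secret: "
            "'enable' will be denied (default method is the enable password)")
    return findings


# Constructed sample 1: the original poster's config (no fallback methods).
ORIGINAL_CONFIG = """\
aaa new-model
aaa authentication login default group tacacs+
aaa authentication enable default group tacacs+
aaa accounting exec default start-stop group tacacs+
"""

# Constructed sample 2: same box after 'no aaa authentication enable ...',
# still with no enable secret, which is the '% Access denied' state.
AFTER_REMOVAL_CONFIG = """\
aaa new-model
aaa authentication login default group tacacs+
aaa accounting exec default start-stop group tacacs+
"""

# Constructed sample 3: Giuseppe's shape with local/enable fallbacks, the
# named list bound to the vty lines, and a placeholder enable secret.
FALLBACK_CONFIG = """\
aaa new-model
aaa authentication login ACS group tacacs+ local
aaa authentication enable default group tacacs+ enable
aaa session-id common
enable secret 5 <hash-placeholder>
line vty 0 3
 login authentication ACS
 transport input ssh
"""

if __name__ == "__main__":
    for label, cfg in [("original", ORIGINAL_CONFIG),
                       ("after removal", AFTER_REMOVAL_CONFIG),
                       ("with fallback", FALLBACK_CONFIG)]:
        print(f"== {label} ==")
        for f in lint_aaa(cfg) or ["no findings"]:
            print(" -", f)
```

Run it against the output of `show running-config` (the `sh run | inc aaa` filter used in the thread is not enough, because the `enable secret` and `line vty` bindings are outside that filter). A clean result does not say the TACACS+ server is reachable or the local credentials are correct; it only says the device will not lock you out of the console when it is not.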