Cisco Support Community
New Member

Cisco 6509-E and AAA

The following is the existing AAA config on my 6509 switch:

aaa new-model

aaa authentication login default group tacacs+

aaa authentication enable default group tacacs+

aaa accounting exec default start-stop group tacacs+

aaa accounting commands 1 default start-stop group tacacs+

aaa accounting commands 15 default start-stop group tacacs+

This works except for the fact that when the enable command is issued, it prompts for a username again after the initial username. See below:

User Access Verification

Username: xxxxxxx

Password:

6509>en

User Access Verification

Username: xxxxxxxx

Password:

6509#

Does anyone know what may be causing this and how it can be solved?

8 REPLIES

Re: Cisco 6509-E and AAA

no aaa authentication enable default group tacacs+

A default authentication is defined for enable, which overrides the enable secret.

HTH

New Member

Re: Cisco 6509-E and AAA

I have applied the following:

no aaa authentication enable default group tacacs+

See what I have:

Username: xxxxxx

Password:

6509>en

Password:

% Access denied

I still want to use tacacs+ for my privilege password for the enable command. This is the way it works for all other devices (routers and switches) on my network except the newly deployed 6509-E.

New Member

Re: Cisco 6509-E and AAA

Could this be an issue with 6509?

Many thanks for your help.

New Member

Re: Cisco 6509-E and AAA

I just got this from cisco documentation:

CSCsu21040 -- AAA Enable authentication prompts for username/password instead of just password

The caveat was solved in Release 12.2(33)SXH4

Hall of Fame Super Silver

Re: Cisco 6509-E and AAA

Hello Stephen,

With the following config it works well for us:

sh run | inc aaa

aaa new-model

aaa authentication login ACS group tacacs+ local

aaa authentication enable default group tacacs+ enable

aaa accounting update newinfo

aaa accounting exec ACS start-stop group tacacs+

aaa accounting commands 1 ACS start-stop group tacacs+

aaa accounting commands 15 ACS start-stop group tacacs+

aaa session-id common

sh ver | inc image

System image file is "disk0:s72033-advipservicesk9_wan-mz.122-33.SXH2.bin"

Hope to help

Giuseppe

New Member

Re: Cisco 6509-E and AAA

Hello,

This is similar to my config:

aaa authentication login default group tacacs+

aaa authentication enable default group tacacs+

aaa accounting exec default start-stop group tacacs+

aaa accounting commands 1 default start-stop group tacacs+

aaa accounting commands 15 default start-stop group tacacs+

The only difference here is that you used the word option - ACS instead of using default and in your case applied login authentication ACS under line vty 0 15.

It is interesting though that you said it is working for you without bringing the second username --- which is the main issue here.

This is caused by the bug CSCsu21040. From Cisco documentation, the description given to the bug is "AAA Enable authentication prompts for username/password instead of just password". This caveat was solved in release 12.2(33)SXH4.

Search for CSCsu21040 from:

http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/12.2SX/release/notes/ol_14271.pdf

New Member

Re: Cisco 6509-E and AAA

Confirmed

Hall of Fame Super Silver

Re: Cisco 6509-E and AAA

Hello Stephen,

I see in the list of affected versions that also our release should be affected.

Probably some of our additional commands like

aaa session-id common

are a workaround for this

Yes, the method list is ACS and it is applied on the vty:

sh run | beg line vty

line vty 0 3

access-class 24 in

exec-timeout 15 0

password 7

accounting commands 1 ACS

accounting commands 15 ACS

accounting exec ACS

login authentication ACS

transport input lat pad udptn telnet rlogin ssh acercon

Hope to help

Giuseppe
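
The thread turns on the difference between the `default` method list and a named list (`ACS`) bound to the vty lines. The following is an added example, not code from any poster or from Cisco: a small Python audit that resolves which login list each line block uses and flags lists that are undefined or consist only of server groups. The function names, the `WORKING` sample and its second vty range are constructed for illustration.

```python
import re

# Constructed sample: AAA lines from the working config posted in the thread,
# plus a second vty range (assumed) that has no named list bound to it.
WORKING = """aaa new-model
aaa authentication login ACS group tacacs+ local
aaa authentication enable default group tacacs+ enable
line vty 0 3
login authentication ACS
line vty 4 15
"""

def split_methods(tokens):
    """Treat 'group <name>' as one method; other keywords stand alone."""
    methods, i = [], 0
    while i < len(tokens):
        step = 2 if tokens[i] == "group" and i + 1 < len(tokens) else 1
        methods.append(" ".join(tokens[i:i + step]))
        i += step
    return methods

def parse_aaa(config):
    """Return (login lists, enable methods, list bound to each line block)."""
    login, enable, bound, current = {}, [], {}, None
    for line in (raw.strip() for raw in config.splitlines()):
        m = re.match(r"aaa authentication (login|enable) (\S+) (.+)", line)
        if m and m.group(1) == "login":
            login[m.group(2)] = split_methods(m.group(3).split())
        elif m and m.group(2) == "default":
            enable = split_methods(m.group(3).split())
        elif line.startswith("line "):
            current = line
            bound[current] = "default"  # used unless a named list is applied
        elif current and line.startswith("login authentication "):
            bound[current] = line.split()[2]
    return login, enable, bound

def audit(config):
    """Flag undefined lists and lists whose methods are all server groups."""
    login, enable, bound = parse_aaa(config)
    findings = []
    for line, name in bound.items():
        methods = login.get(name)
        if methods is None:
            findings.append(f"{line}: login list '{name}' is not defined")
        elif all(x.startswith("group ") for x in methods):
            findings.append(f"{line}: login list '{name}' has no fallback method")
    if enable and all(x.startswith("group ") for x in enable):
        findings.append("enable: default list has no fallback method")
    return findings
```

Run against the original poster's AAA lines, the audit reports that both the login and enable lists rely on `group tacacs+` alone, so neither has a method to fall through to if the TACACS+ servers do not respond.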
