New Member

AAA: Tacacs enable authentication problems with CatOS

Hi,

We are experiencing problems with tacacs authentication on our CatOS switches. Initial telnet authentication works fine but when trying to access enable mode authentication fails. When I check the failed attempts.csv on my CiscoSecure ACS server, I get a "CS password invalid". The user in question is set up in ACS to have privilege 15 access to all equipment and works fine on IOS routers on the same subnet.

Switch type: WS-C6509 Software, Version NmpSW: 7.6(3)

Authentication configuration:

#tacacs+
set tacacs server XXX.XXX.XXX.XXX primary
set tacacs directedrequest enable
set tacacs key XXXXXXXXXXXX
!
#authentication
set authentication login tacacs enable telnet primary
set authentication enable tacacs enable telnet primary
!

Any help would be most appreciated.

kind regards,

Michel

4 REPLIES
New Member

Re: AAA: Tacacs enable authentication problems with CatOS

Hello,

Try this: "set tacacs directedrequest disable". I'm not sure what your config is, but here is what that line is trying to accomplish:

To enable or disable the TACACS+ directed-request option, use the set tacacs directedrequest command. When enabled, you can direct a request to any of the configured TACACS+ servers and only the username is sent to the specified server.

HTH

New Member

Re: AAA: Tacacs enable authentication problems with CatOS

Actually, I'm unable to recreate the issue by toggling that "directedrequest" setting on a 6509 running ver 8.4.x using Secure ACS. What version of ACS are you using? In my case tacacs automatically put me into enable mode. Are you also doing authorization?

New Member

Re: AAA: Tacacs enable authentication problems with CatOS

We are currently running ACS version 3.3 and with no authorization enabled. I will try with authorization enabled and see if this makes for any changes in this case.

New Member

Re: AAA: Tacacs enable authentication problems with CatOS

The authorization part was what was missing and after enabling exec authorization, it put me right into enable mode.

Thanks a lot for your help

-Michel
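
The gap this thread ended on (TACACS+ authentication configured, exec authorization missing) can be checked for in a saved CatOS configuration. This is an added example, not part of the original posts; the function names and the `set authorization exec enable tacacs+ <fallback> [console|telnet|both]` syntax it matches are assumptions, not taken from the thread.

```python
import re

# Constructed sample: the configuration posted in the thread (values masked as posted).
POSTED = """\
set tacacs server XXX.XXX.XXX.XXX primary
set tacacs directedrequest enable
set tacacs key XXXXXXXXXXXX
set authentication login tacacs enable telnet primary
set authentication enable tacacs enable telnet primary
"""

# Matches the authentication lines in the form shown in the thread.
AUTHN = re.compile(
    r"^set authentication (?:login|enable) tacacs enable"
    r"(?:\s+(all|console|http|telnet))?\b", re.I)
# Assumed syntax: set authorization exec enable tacacs+ <fallback> [console|telnet|both]
AUTHZ = re.compile(
    r"^set authorization exec enable tacacs\+\s+\S+"
    r"(?:\s+(console|telnet|both))?\s*$", re.I)


def _access(keyword):
    """Map an access-method keyword to the session types it covers."""
    keyword = (keyword or "all").lower()   # assumption: no keyword means every method
    if keyword == "http":
        return set()                       # HTTP sessions are not tracked by this check
    return {"console", "telnet"} if keyword in ("all", "both") else {keyword}


def missing_exec_authorization(config):
    """Return access methods that use TACACS+ authentication
    but have no TACACS+ exec authorization configured."""
    authn, authz = set(), set()
    for raw in config.splitlines():
        line = raw.strip()
        if (m := AUTHN.match(line)):
            authn |= _access(m.group(1))
        elif (m := AUTHZ.match(line)):
            authz |= _access(m.group(1))
    return sorted(authn - authz)


if __name__ == "__main__":
    print(missing_exec_authorization(POSTED))
```
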
