12-15-2005 05:02 AM
Hi,
We are experiencing problems with tacacs authentication on our CatOS switches. Initial telnet authentication works fine but when trying to access enable mode authentication fails. When I check the failed attempts.csv on my CiscoSecure ACS server, I get a "CS password invalid". The user in question is set up in ACS to have privilege 15 access to all equipment and works fine on IOS routers on the same subnet.
Switch type: WS-C6509 Software, Version NmpSW: 7.6(3)
Authentication configuration:
#tacacs+
set tacacs server XXX.XXX.XXX.XXX primary
set tacacs directedrequest enable
set tacacs key XXXXXXXXXXXX
!
#authentication
set authentication login tacacs enable telnet primary
set authentication enable tacacs enable telnet primary
!
Any help would be most appreciated.
kind regards,
Michel
12-15-2005 07:59 AM
Hello,
Try this: "set tacacs directedrequest disable". I'm not sure what your config is, but here is what that line is trying to accomplish:
To enable or disable the TACACS+ directed-request option, use the set tacacs directedrequest command. When enabled, you can direct a request to any of the configured TACACS+ servers and only the username is sent to the specified server.
HTH
12-15-2005 10:44 AM
Actually, I'm unable to recreate the issue by toggling that "directrequest" setting on a 6509 running ver 8.4.x using Secure ACS. What version of ACS are you using? In my case tacacs automatically put me into enable mode. Are you also doing authorization?
12-15-2005 10:02 PM
We are currently running ACS version 3.3 and with no authorization enabled. I will try with authorization enabled and see if this makes for any changes in this case.
12-15-2005 10:05 PM
The authorization part was what was missing and after enabling exec authorization, it put me right into enable mode.
Thanks a lot for your help
-Michel