AAA: Tacacs enable authentication problems with CatOS

6mpedersen
Level 1

Hi,

We are experiencing problems with tacacs authentication on our CatOS switches. Initial telnet authentication works fine but when trying to access enable mode authentication fails. When I check the failed attempts.csv on my CiscoSecure ACS server, I get a "CS password invalid". The user in question is set up in ACS to have privilege 15 access to all equipment and works fine on IOS routers on the same subnet.

Switch type: WS-C6509 Software, Version NmpSW: 7.6(3)

Authentication configuration:

#tacacs+
set tacacs server XXX.XXX.XXX.XXX primary
set tacacs directedrequest enable
set tacacs key XXXXXXXXXXXX
!
#authentication
set authentication login tacacs enable telnet primary
set authentication enable tacacs enable telnet primary
!

Any help would be most appreciated.

kind regards,

Michel

4 Replies

ToddWarren
Level 1

Hello,

Try this: "set tacacs directedrequest disable". I'm not sure what your config is, but here is what that line is trying to accomplish:

To enable or disable the TACACS+ directed-request option, use the set tacacs directedrequest command. When enabled, you can direct a request to any of the configured TACACS+ servers and only the username is sent to the specified server.

HTH

ToddWarren
Level 1

Actually, I'm unable to recreate the issue by toggling that "directedrequest" setting on a 6509 running ver 8.4.x using Secure ACS. What version of ACS are you using? In my case tacacs automatically put me into enable mode. Are you also doing authorization?

We are currently running ACS version 3.3 and with no authorization enabled. I will try with authorization enabled and see if this makes for any changes in this case.

The authorization part was what was missing and after enabling exec authorization, it put me right into enable mode.

Thanks a lot for your help

-Michel
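The thread resolved when exec authorization was added alongside TACACS+ enable authentication. The following is an added example, not code from the thread or from Cisco, that audits a CatOS config dump for exactly that gap (and for a TACACS+ server configured without a key). The "set authorization exec ..." line in the constructed sample is an assumed syntax for illustration; check it against the CatOS documentation for your release.

```python
import re

# Constructed CatOS configuration excerpt modelled on the switch in the thread: login and
# enable authentication both go to TACACS+, but no exec authorization line is present.
CONFIG_BEFORE = """\
#tacacs+
set tacacs server 192.0.2.10 primary
set tacacs directedrequest enable
set tacacs key <redacted>
!
#authentication
set authentication login tacacs enable telnet primary
set authentication enable tacacs enable telnet primary
!
"""

# The same excerpt with exec authorization added, which is the fix the thread arrived at.
# The exact "set authorization exec ..." command form below is an assumption for illustration.
CONFIG_AFTER = CONFIG_BEFORE + "#authorization\nset authorization exec enable tacacs+ deny both\n"

ENABLE_AUTH_TACACS = re.compile(r"^set authentication enable tacacs enable\b")
EXEC_AUTHZ_ENABLED = re.compile(r"^set authorization exec enable\b")
TACACS_SERVER = re.compile(r"^set tacacs server\s+\S+")
TACACS_KEY = re.compile(r"^set tacacs key\s+\S+")


def audit_catos_tacacs(config: str) -> list[str]:
    """Return findings about the TACACS+ enable-mode setup in a CatOS config dump."""
    # Drop blank lines, section markers ("#tacacs+") and separators ("!").
    lines = [ln.strip() for ln in config.splitlines()]
    lines = [ln for ln in lines if ln and not ln.startswith(("#", "!"))]

    def has(pattern: re.Pattern) -> bool:
        return any(pattern.match(ln) for ln in lines)

    findings = []
    if has(TACACS_SERVER) and not has(TACACS_KEY):
        findings.append("TACACS+ server configured without a shared key")
    if has(ENABLE_AUTH_TACACS) and not has(EXEC_AUTHZ_ENABLED):
        findings.append("enable authentication uses TACACS+ but exec authorization is not enabled")
    return findings


if __name__ == "__main__":
    for name, cfg in (("before", CONFIG_BEFORE), ("after", CONFIG_AFTER)):
        print(name, audit_catos_tacacs(cfg) or ["no findings"])
```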