ACS authentication

erkinn
Level 1

Using ACS 3.3 and I'm a newbie. The question I have is: is it possible to authenticate a user, who connects via telnet and/or SSH, directly to enable mode (priv 15) using ACS? The way we currently have it set up is a user logs in and then types in enable and their password to get to enable mode. I would just like to eliminate the extra step if I could.

4 Replies 4

Richard Burts
Hall of Fame

I have seen this done with ACS and TACACS. Not sure if RADIUS does the same. On the router, configure aaa for authentication and for authorization (authentication verifies who they are and authorization allows them directly into privilege mode). In ACS, be sure that you have given the proper permissions to include privilege access.

You should find that this works on the vty ports but not on the console. By default Cisco does do authorization on the console. Once you have it working properly, if you want it to work on the console you would need to add aaa authorization console to the config.

HTH

Rick

I would like to see detailed syntax on the aaa commands for this. Sounds great.

Do you have an example, because I'm stuck. Here's what I currently have:

aaa authentication login default group tacacs+ line
aaa authentication login CONSOLE group tacacs+ line
aaa authentication enable default group tacacs+ enable
aaa authorization commands 1 default none
aaa authorization commands 15 default group tacacs+ none
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
aaa accounting system default stop-only group tacacs+

and under my line setups I have:

line con 0
 password
 login authentication CONSOLE
 stopbits 1
line aux 0
 stopbits 1
line vty 0 4
 password
 transport input telnet ssh
line vty 5 15
 password
 transport input telnet ssh
!

Is this working?

Be sure to select privilege 15 in ACS server for the user.
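
The exec authorization described in the replies above, set beside the posted configuration, as an added example that is not part of the original thread or any poster's own configuration. It assumes the TACACS+ server is already defined on the device and that the ACS user or group has shell (exec) enabled with privilege level 15; the `if-authenticated` fallback is this example's choice, not something stated in the thread.

```cisco
! Added example, not from the thread.
! Assumption: the TACACS+ server and key are already configured.
!
! Before (from the posted config): logins are authenticated and level 15
! commands are authorized, but there is no exec authorization. The device
! never asks TACACS+ for a privilege level, so the session starts at the
! line's default level and "enable" is still required.
aaa authentication login default group tacacs+ line
aaa authorization commands 15 default group tacacs+ none
!
! After: add exec (shell) authorization. At login the device requests the
! user's shell attributes from TACACS+; when ACS returns priv-lvl=15 the
! session starts directly in privileged EXEC mode.
aaa new-model
aaa authentication login default group tacacs+ line
aaa authorization exec default group tacacs+ if-authenticated
aaa authorization commands 15 default group tacacs+ none
!
! if-authenticated: when TACACS+ is unreachable, a user who authenticated
! with the fallback line password still gets a shell, at the line's
! default privilege level rather than 15.
!
! Optional: apply exec authorization on the console as well, as the
! reply above describes.
aaa authorization console
!
! Check after logging in on a vty:
!   show privilege
```

Keep an existing privileged session open while testing so a mistake in the method list does not lock you out. Because every user whose ACS profile returns level 15 now skips the enable password, restrict that setting in ACS to the accounts that need it and keep the exec and command accounting lines from the posted configuration.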
