Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 
New Member

TACACS+ and ACS 2.6/NT -- stupid questions I think ;-)

Hi folks:

I know this is going to sound dumb, but I have some questions related to my first-ever TACACS+ install. I have tons of R/S experience in almost everything...except AAA. (grin)


1) How can I disconnect a user after their usage quota expires? I have ACS set up to track usage and restrict to an absolute time. It tracks total number of accesses to the NAS but never seems to keep the time.

2) Can I authorize certain commands to be available in user mode that would normally only be accessible via enable mode? Or do I have to specifically allow enable mode and then permit/deny CLI commands?

3) When users authenticate to the NAS and then jump off to other devices via reverse telnet, they are challenged for the same TACACS username/pw again. Why?

Thanks all, I really appreciate it. It's driving me nuts and CCO is quite confusing on the subject of AAA to me.



Re: TACACS+ and ACS 2.6/NT -- stupid questions I think ;-)

Often times complex troubleshooting issues are best addressed in an interactive session with one of our trained technical assistance engineers. While other forum users may be able to help, it’s often difficult to do so for this type of issue.

To utilize the resources at our Technical Assistance Center, please visit and to open a case with one of our TAC engineers, visit

If anyone else in the forum has some advice, please reply to this thread.

Thank you for posting.

New Member

Re: TACACS+ and ACS 2.6/NT -- stupid questions I think ;-)

Thanks, I didn't want to open a TAC case for a 'simple' configuration issue, but I suppose there's no alternative at this point. I can't wait too much longer to implement.

Thanks again!


New Member

Re: TACACS+ and ACS 2.6/NT -- stupid questions I think ;-)

I'll try to answer your questions to the best of my ability.

1) I don't believe there's a way to limit access via quota. As you say you can track start/stop records to give usage per user or group but that could be used for billing purposes as opposed to access restriction.

2)Enable mode commands will only be allowed once a user is in enable mode, regardelss of whether they have gone through TACACS+ or not. As you rightly say, you will have to allow enable mode and then permit/deny IOS commands. What you may be thinking of is that if you allow a user access level 15, say, this will 'catapult' them straight to enable mode so they do not have to enter the ENABLE command from what appears to be their 'user' mode when they login.

3)Authentication via TACACS+ will be on a per-device basis, whether you are going in via console, vty line or async access, for example. The AAA model is present in each device you reverse telnet to, or think about this way, if you had TACACS+ auentication on some devices and local user/passwd on others, you must authenticate to each devie separately with the specified login methods. (It just happens all your kit is set up for AAA)


CreatePlease to create content