Cisco Support Community
Community Member

TACACS+ Telnet login authentication, local enable passwords.

I've managed to configure TACACS+ authentication for telnet sessions to some network devices and it works great. The only problem is that when you switch to enable mode you need to specify the local enable password.

Is there a way to configure a device so that once a user is authenticated via tacacs+, they will no longer need to provide any more passwords?

Cheers

5 REPLIES
Community Member

Re: TACACS+ Telnet login authentication, local enable passwords.

Yes, use:

aaa authorization exec default tacacs+

and assign the user/group privilege level 15

Community Member

Re: TACACS+ Telnet login authentication, local enable passwords.

I've added that to the config on the switch, and now I cannot get telnet access; I just get an 'authorization failed' message. I can still gain access through the console though. What has happened? Here's the current config:

aaa new-model
aaa authentication login default group tacacs+
aaa authorization exec default group tacacs+
aaa authorization network default group tacacs+
aaa accounting exec default start-stop group tacacs+
aaa accounting network default start-stop group tacacs+
enable secret 5 $1$DC0B******************
enable password *******************

If I take out the line "aaa authorization exec default group tacacs+", I can then telnet into the box again.

Here's the debug info for aaa authorization when that line is added:

18:22:29: AAA: parse name=tty1 idb type=-1 tty=-1
18:22:29: AAA: name=tty1 flags=0x11 type=5 shelf=0 slot=0 adapter=0 port=1 channel=0
18:22:29: AAA/MEMORY: create_user (0x80E58080) user='' ruser='' port='tty1' rem_addr='172.17.4.10' authen_type=ASCII service=LOGIN priv=1
18:22:43: tty1 AAA/AUTHOR/EXEC (2173575078): Port='tty1' list='' service=EXEC
18:22:43: AAA/AUTHOR/EXEC: tty1 (2173575078) user='carlina'
18:22:43: tty1 AAA/AUTHOR/EXEC (2173575078): send AV service=shell
18:22:43: tty1 AAA/AUTHOR/EXEC (2173575078): send AV cmd*
18:22:43: tty1 AAA/AUTHOR/EXEC (2173575078): found list "default"
18:22:43: tty1 AAA/AUTHOR/EXEC (2173575078): Method=tacacs+ (tacacs+)
18:22:43: AAA/AUTHOR/TAC+: (2173575078): user=carlina
18:22:43: AAA/AUTHOR/TAC+: (2173575078): send AV service=shell
18:22:43: AAA/AUTHOR/TAC+: (2173575078): send AV cmd*
18:22:44: AAA/AUTHOR (2173575078): Post authorization status = FAIL
18:22:44: AAA/AUTHOR/EXEC: Authorization FAILED
18:22:46: AAA/MEMORY: free_user (0x80E58080) user='carlina' ruser='' port='tty1' rem_addr='172.17.4.10' authen_type=ASCII service=LOGIN priv=1

Thanks for any help you could provide.

Community Member

Re: TACACS+ Telnet login authentication, local enable passwords.

You need the service=shell AVP

Check out:

http://www.cisco.com/warp/public/480/PRIV.html

Community Member

Re: TACACS+ Telnet login authentication, local enable passwords.

Excellent, thanks for the info, now managed to get this working as I wanted it.

So if I have a bunch of admins I want to assign level 15 access, I can just add them into an appropriately configured user group on the AAA server, yes?

Community Member

Re: TACACS+ Telnet login authentication, local enable passwords.

You got it, just assign priv 15 to the group.
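Added example (not from the thread above): the two sides of the exec-authorization exchange the replies describe, put together so the server answers the device's `service=shell` / `cmd*` request with a permit and a privilege level of 15. The device side is Cisco IOS in the same style as the poster's config; the server side uses the configuration syntax of the Shrubbery tac_plus daemon. The server address 172.17.4.1, the group name netadmins, the shared secret and the hash placeholders are assumptions; the username carlina is the one seen in the debug output.

```text
! ---- Device side (Cisco IOS) ----
aaa new-model
tacacs-server host 172.17.4.1 key <shared-secret>
!
! Login still authenticates against TACACS+; the exec authorization step
! is what asks the server for the shell service and reads back priv-lvl.
aaa authentication login default group tacacs+ local
aaa authorization exec default group tacacs+ local
!
! By default the console line is exempt from authorization, which is why a
! failing exec authorization still leaves console access working. Enable it
! here only once the TACACS+ side is confirmed good.
aaa authorization console
aaa accounting exec default start-stop group tacacs+
!
! Local fallback account. "local" in the method lists is consulted only when
! the TACACS+ server cannot be reached (ERROR), not when it answers FAIL.
username fallback privilege 15 secret <local-fallback-password>
enable secret <enable-secret>

# ---- Server side (Shrubbery tac_plus, /etc/tac_plus.conf) ----
key = "<shared-secret>"

# Everyone in this group lands directly in privileged EXEC: the shell
# service is permitted and the reply carries priv-lvl = 15.
group = netadmins {
    default service = permit
    service = shell {
        default command = permit
        set priv-lvl = 15
    }
}

# Add admins by making them members of the group; no per-user AV pairs needed.
user = carlina {
    member = netadmins
    login = des "<crypt(3) hash>"
}
```

Without the `service = shell { ... }` stanza the server has nothing to return for the `service=shell cmd*` request and the device logs `Post authorization status = FAIL`, exactly as in the debug output above. Keep the `local` fallback and a working console login in place while testing: a rejected authorization does not fall through to the next method, so a misconfigured server can lock out every remote session.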
