Cisco Support Community
Community Member

ASA +tacacs enable mode problem ** SOLVED **

It seems this topic has been covered plenty already, but I just thought I would share my experience getting tacacs+ authentication working with enable mode (privilege level 15) for our ASA5550. Probably unique to my setup, but perhaps this can help anyone else who comes across this problem.

Before I begin I would like to say I found the Cisco documentation somewhat confusing -

Anyway, to give some background, we use tacacs+ for telnet (auth/accounting) with existing Cisco routers/switches. If specified in tacacs.conf, a user can log on to a device with full enable access without having to first escalate privileges. I just expected the ASA would support this. This is not the case, as I discovered from this thread-^1%40%40.2cc21a1e/0#selected_message "...The ASA/PIX doesn't do "exec" authorization like a router does, to put you straight into privilege level 15..."

In the tacacs.conf file on your tacacs+ server make sure you create a user called $enab15$. This is in addition to your individual user accounts. This is a global "enable" user that is used to authenticate escalating to enable privilege mode for any user in tacacs.conf.

Here is the config I'm using that works

** ASA5550 **

aaa-server MNGT-TAC protocol tacacs+

aaa-server MNGT-TAC (mngt0_0_management_int) host

key cisco

aaa authentication telnet console MNGT-TAC LOCAL

aaa authentication enable console MNGT-TAC LOCAL

aaa accounting telnet console MNGT-TAC

aaa accounting enable console MNGT-TAC

aaa accounting command MNGT-TAC


telnet mngt0_0_management_int

** TACACS server /etc/tac-plus/tacacs.conf **

accounting file = /var/log/tac-plus/account

key = cisco # comment while debug

## Global enable password

user = $enab15$ {

login = des cs23Dsd2bslz # use DES encryption

}

user = asa-test {

service = exec {

default attribute = permit

priv-lvl = 15

}

login = des bs2Apbk0xCT0D

}
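
A small checker for the tacacs.conf layout shown in this post, added here as an example and not part of the original post: it confirms that a `$enab15$` user with a login line exists, that the braces balance, and lists `des` login hashes for review. The sample config, key and hash strings are constructed placeholders, and `parse_users` and `check` are hypothetical names.

```python
import re

# Constructed sample in the layout of the post's tacacs.conf; hashes are placeholders.
SAMPLE = """\
key = EXAMPLE-KEY
user = $enab15$ {
    login = des PLACEHOLDERHASH1   # global enable user
}
user = asa-test {
    service = exec {
        priv-lvl = 15
    }
    login = des PLACEHOLDERHASH2
}
"""

USER_RE = re.compile(r"^user\s*=\s*(\S+)\s*\{")
LOGIN_RE = re.compile(r"^login\s*=\s*(\w+)")
PRIV_RE = re.compile(r"^priv-lvl\s*=\s*(\d+)")

def parse_users(text):
    """Return ({user: {'login': scheme, 'priv_lvl': n}}, final brace depth)."""
    users, current, depth = {}, None, 0
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and indentation
        m = USER_RE.match(line)
        if m and depth == 0:
            current = users.setdefault(m.group(1), {"login": None, "priv_lvl": None})
        elif current is not None:
            if depth == 1 and (m := LOGIN_RE.match(line)):
                current["login"] = m.group(1)
            elif m := PRIV_RE.match(line):
                current["priv_lvl"] = int(m.group(1))
        depth += line.count("{") - line.count("}")
        if depth <= 0:  # back at top level: the user block is closed
            depth, current = 0, None
    return users, depth

def check(text):
    """List problems that would break or weaken the enable-mode setup."""
    users, depth = parse_users(text)
    findings = []
    if depth != 0:
        findings.append("unbalanced braces")
    if users.get("$enab15$", {}).get("login") is None:
        findings.append("no $enab15$ user with a login line")
    # "des" marks a traditional DES crypt hash, which uses only 8 password characters
    findings += [f"{n}: des login hash" for n, u in users.items() if u["login"] == "des"]
    return findings
```

Calling `check()` on the text of a tacacs.conf returns an empty list only when the `$enab15$` user is present, every block is closed, and no login line uses `des`.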

