https://community.cisco.com/t5/network-access-control/the-need-for-enable-password/m-p/2101055#M142315 <HTML><HEAD></HEAD><BODY><P>Patrick,</P><P></P><P>Excellent news, have a nice day.</P></BODY></HTML> Mon, 19 Nov 2012 18:55:20 GMT mauzamor 2012-11-19T18:55:20Z https://community.cisco.com/t5/network-access-control/the-need-for-enable-password/m-p/2101050#M142306 <P>Hi,</P><P></P><P>If all users that have acces to the network equipment will be given level 15, is there any reason to have an enable password?</P><P>Just seems like another step to authenticate - and if we are using the same passowrd for enable that we are for the login, I don't see the point.</P><P></P><P>Thanks, Pat.&nbsp;&nbsp;&nbsp;&nbsp; </P> Mon, 11 Mar 2019 02:48:11 GMT https://community.cisco.com/t5/network-access-control/the-need-for-enable-password/m-p/2101050#M142306 Patrick McHenry 2019-03-11T02:48:11Z https://community.cisco.com/t5/network-access-control/the-need-for-enable-password/m-p/2101051#M142308 <HTML><HEAD></HEAD><BODY><P>Hi Patrick,</P><P></P><P>The enable password in this scenario may work as a fallback method, but is up to you to decide this. In case that you want to skip the enable password prompt you can use the command:</P><P></P><P>aaa authorization exec default group tacacs+ local</P><P></P><P>This command will check the privilege level of each user and will put him into privilege mode right after the credentials have been checked.</P><P></P><P>This feature only works for IOS devices (the ASA or PIX doesn't have this feature)</P><P></P><P>Let me know if it helps.</P></BODY></HTML> Mon, 19 Nov 2012 14:40:26 GMT https://community.cisco.com/t5/network-access-control/the-need-for-enable-password/m-p/2101051#M142308 mauzamor 2012-11-19T14:40:26Z https://community.cisco.com/t5/network-access-control/the-need-for-enable-password/m-p/2101052#M142310 <HTML><HEAD></HEAD><BODY><P>Thanks Mauicio, </P><P></P><P>This is the config. We are trying to authenticate via tacacs that is configured to query AD. And, it is working great. I just want to make it so we can go directly into priv mode after logging in with username and password. Also, the username and password prompts aren't taking. I still get the login promt.</P><P></P><P></P><P>aaa new-model</P><P>!</P><P>aaa authentication password-prompt Password:</P><P>aaa authentication username-prompt Username:</P><P>aaa authentication login default group tacacs+ local</P><P>aaa authentication login con group tacacs+ local</P><P>aaa authentication enable default group tacacs+ enable</P><P>!</P><P>tacacs-server host 10.10.40.50 key 7 XXXXXXXXXXXXXXX</P><P>!</P><P>enable secret 5 XXXXXXXXXXXXXXXXXXXXXXXXXXX</P><P>!</P><P>line con 0</P><P> login authentication con</P><P> no modem enable</P><P>line aux 0</P><P>line 2</P><P> no activation-character</P><P> no exec</P><P> transport preferred none</P><P> transport input all</P><P>line 3</P><P> no exec</P><P>line vty 0 4</P><P> length 0</P><P> transport input ssh</P><P>!</P><P></P><P>Thanks again.</P></BODY></HTML> Mon, 19 Nov 2012 14:56:03 GMT https://community.cisco.com/t5/network-access-control/the-need-for-enable-password/m-p/2101052#M142310 Patrick McHenry 2012-11-19T14:56:03Z https://community.cisco.com/t5/network-access-control/the-need-for-enable-password/m-p/2101053#M142312 <HTML><HEAD></HEAD><BODY><P>That's the expected behavior, if you want to change this behavior then you are missing one command:</P><P></P><P>aaa authorization exec default group tacacs+ local</P><P></P><P>Use this command and let me know how it goes.</P></BODY></HTML> Mon, 19 Nov 2012 16:08:41 GMT https://community.cisco.com/t5/network-access-control/the-need-for-enable-password/m-p/2101053#M142312 mauzamor 2012-11-19T16:08:41Z https://community.cisco.com/t5/network-access-control/the-need-for-enable-password/m-p/2101054#M142313 <HTML><HEAD></HEAD><BODY><P> Thanks, Mauricio - it worked.</P></BODY></HTML> Mon, 19 Nov 2012 18:51:54 GMT https://community.cisco.com/t5/network-access-control/the-need-for-enable-password/m-p/2101054#M142313 Patrick McHenry 2012-11-19T18:51:54Z https://community.cisco.com/t5/network-access-control/the-need-for-enable-password/m-p/2101055#M142315 <HTML><HEAD></HEAD><BODY><P>Patrick,</P><P></P><P>Excellent news, have a nice day.</P></BODY></HTML> Mon, 19 Nov 2012 18:55:20 GMT https://community.cisco.com/t5/network-access-control/the-need-for-enable-password/m-p/2101055#M142315 mauzamor 2012-11-19T18:55:20Z https://community.cisco.com/t5/network-access-control/the-need-for-enable-password/m-p/2101056#M142317 <HTML><HEAD></HEAD><BODY><P>Can you think of any reason that my prompt isn't changing?</P><P></P><P>It still says login as: Then, password:&nbsp; instead of Username: then, Password:.</P><P></P><P>Thanks, pat.</P></BODY></HTML> Mon, 19 Nov 2012 19:08:28 GMT https://community.cisco.com/t5/network-access-control/the-need-for-enable-password/m-p/2101056#M142317 Patrick McHenry 2012-11-19T19:08:28Z