topic Re: Want to directly login to # prompt in Network Access Control

Want to directly login to # prompt

anujseth1.con — Mon, 11 Mar 2019 02:08:23 GMT

I am having a ASR 1002 V 12.2(33)XND2twhich is running on Tacas

I want when i login it shoudl directly go into the # prompt. I am not interested in typing enable on > prompt.

The configs are

aa new-model

aaa authentication login default group tacacs+ local

aaa authentication enable default none

!aaa authorization console

!aaa authorization config-commands

!aaa authorization template

!aaa authorization exec default group tacacs+ local

!aaa authorization commands 15 default local none

aaa accounting exec default start-stop group tacacs+

aaa accounting commands 15 default start-stop group tacacs+

aaa accounting connection default start-stop group tacacs+

aaa accounting system default start-stop group tacacs+

aaa session-id common

tacacs-server host XXXXX

no tacacs-server directed-request

Re: Want to directly login to # prompt

spindoctor64 — Tue, 29 May 2012 13:58:45 GMT

Assuming Cisco ACS v5.x:

Create a new Shell Profile:

Policy Elements > Authorization and Permissions > Device Administration > Shell Profiles

Click the Create button at the bottom of the page.

On the General tab, give the profile a name, then go to the Common Tasks tab.

Under Privilege Level, set both the Default Privilege and the Maximum Privilege to 15.

Click the Submit button at the bottom of the page.

Create a new Command Set:

Policy Elements > Authorization and Permissions > Device Administration > Command Sets

Click the Create button at the bottom of the page.

Check the box next to "Permit any command that is not in the table below"

Click the Submit button at the bottom of the page.

Create a new Authorization policy:

Access Policies > Access Services > Default Device Admin > Authorization

Click the Create button at the bottom of the page.

Under Results:

Set the Shell Profile to the one you just created

Set the Command Sets to the one you just created

Click the OK button at the bottom of the window.

Click the Save Changes button at the bottom of the page.

I hope this helps,

--Chris

Re: Want to directly login to # prompt

anujseth1.con — Tue, 29 May 2012 14:02:19 GMT

Hi Chris dont have access via web. Can you suggest the CLI commands..

As per my understanding We are already haveing aaa accounting commands 15 default start-stop group tacacs+

Re: Want to directly login to # prompt

spindoctor64 — Tue, 29 May 2012 14:41:51 GMT

aaa accounting only has to do with logging the commands, not whether the commands are authorized.

You generally also want your authentication and authorization to come from the same place, such as the ACS only.

Your config:

aaa new-model

aaa authentication login default group tacacs+ local <--Check TACACS+ to validate users and assign priv level when logging in

aaa authentication enable default none

!aaa authorization console

!aaa authorization config-commands

!aaa authorization template

!aaa authorization exec default group tacacs+ local

!aaa authorization commands 15 default local none <--Check local device for command authorization

aaa accounting exec default start-stop group tacacs+ <----------------\

aaa accounting commands 15 default start-stop group tacacs+ <----\ Accounting commands log everything to ACS

aaa accounting connection default start-stop group tacacs+ <---------/

aaa accounting system default start-stop group tacacs+ <-------------/

aaa session-id common

When a user logs into your device, TACACS+ validates that the user has an account, AND assigns the initial privilege level. You would need to configure a privilege level of 15 on the ACS to be able to skip directly to the privileged exec mode (# prompt).

Once that is done, you would also want to change your command authorizations to come from the ACS instead of the local device:

aaa authorization commands 0 default group tacacs+ local none

aaa authorization commands 1 default group tacacs+ local none

aaa authorization commands 15 default group tacacs+ local if-authenticated

I hope this helps.

--Chris