https://community.cisco.com/t5/network-access-control/tacacs-force-enable-secret/m-p/3852216#M24808 <P>Change the privilege in shell profile in AAA server as&nbsp;</P><P>priv-lvl=1<BR />max_priv_lvl=15</P><P>which will keep it in login mode by default.</P> Wed, 08 May 2019 10:23:42 GMT Aravind Ravichandran 2019-05-08T10:23:42Z https://community.cisco.com/t5/network-access-control/tacacs-force-enable-secret/m-p/3852154#M24806 <P>Dear Community</P><P>&nbsp;</P><P>We are using tacacs+ for aaa purposes. Currently each user has to submit their own username and password to connect to our switches. Once they are authenticated, they will have immediately access to the enable prompt.</P><P>&nbsp;</P><P>Now we would like to force our users to re-enter their enable password again to get access to the enable prompt.</P><P>&nbsp;</P><P>Is there any possible way to get this working?</P><P>&nbsp;</P><P>Our tacacs+ configuration on the switches are as following:</P><P>&nbsp;</P><PRE>aaa new-model aaa authentication login default group tacacs+ local aaa authentication enable default group tacacs+ enable aaa authorization config-commands aaa authorization commands 1 default group tacacs+ local if-authenticated aaa authorization commands 15 default group tacacs+ local if-authenticated aaa authorization exec default group tacacs+ local if-authenticated aaa accounting exec default start-stop group tacacs+ aaa accounting commands 1 default start-stop group tacacs+ aaa accounting commands 15 default start-stop group tacacs+ service password-encryption ip tacacs source-interface Vlan1 tacacs-server host IP_OF_TACPLUS_SERVER single-connection key 0 cisco tacacs-server directed-request</PRE><P>&nbsp;</P><P>Thank you in advance for your help.</P> Wed, 08 May 2019 08:46:49 GMT https://community.cisco.com/t5/network-access-control/tacacs-force-enable-secret/m-p/3852154#M24806 musystec 2019-05-08T08:46:49Z https://community.cisco.com/t5/network-access-control/tacacs-force-enable-secret/m-p/3852216#M24808 <P>Change the privilege in shell profile in AAA server as&nbsp;</P><P>priv-lvl=1<BR />max_priv_lvl=15</P><P>which will keep it in login mode by default.</P> Wed, 08 May 2019 10:23:42 GMT https://community.cisco.com/t5/network-access-control/tacacs-force-enable-secret/m-p/3852216#M24808 Aravind Ravichandran 2019-05-08T10:23:42Z https://community.cisco.com/t5/network-access-control/tacacs-force-enable-secret/m-p/3852313#M24809 <P>Hello&nbsp;<SPAN>Aravind</SPAN></P><P>&nbsp;</P><P>Thank you for your answer. We are using tac_plus as alternative. in tac_plus it's only possible to configure&nbsp;<SPAN>priv-lvl=1</SPAN></P><P>&nbsp;</P><P>I don't see the option&nbsp;<SPAN>max_priv_lvl=15</SPAN></P><P>&nbsp;</P><P>Is there any other way to configure it directly on the switch? Since this will be a test environment, it's only affecting one device.</P> Wed, 08 May 2019 12:41:16 GMT https://community.cisco.com/t5/network-access-control/tacacs-force-enable-secret/m-p/3852313#M24809 musystec 2019-05-08T12:41:16Z https://community.cisco.com/t5/network-access-control/tacacs-force-enable-secret/m-p/3854566#M24811 <P>tac_plus is not a Cisco product and please either read its documentation or seek support in its user communities.</P> <P><A href="https://wiki.gentoo.org/wiki/Tac_plus#Authentication_to_tac_plus.conf" target="_blank">3.3 Authentication to tac_plus.conf</A>&nbsp;might be of interest.</P> Sun, 12 May 2019 07:01:35 GMT https://community.cisco.com/t5/network-access-control/tacacs-force-enable-secret/m-p/3854566#M24811 hslai 2019-05-12T07:01:35Z