https://community.cisco.com/t5/network-access-control/tacacs-configuration-network-devices-asking-for-enable-password/m-p/3699280#M25214 <P>Also check out several T+ resources&nbsp;@ <A href="http://cs.co/ise-guides" target="_blank">http://cs.co/ise-guides</A></P> <P>The login user needs a default privilege set to its enable level for this to work, besides the configuration line provided.</P> Sun, 02 Sep 2018 02:53:55 GMT hslai 2018-09-02T02:53:55Z https://community.cisco.com/t5/network-access-control/tacacs-configuration-network-devices-asking-for-enable-password/m-p/3696666#M25210 <P>Hi Cisco Community,</P> <P>&nbsp;</P> <P>I'm new on configuring tacacs, hope you can help me.</P> <P>&nbsp;</P> <P>I have a issue, every time I log in using my TACACS+ account it still ask me for the&nbsp;<STRONG>enable password</STRONG></P> <P>&nbsp;</P> <P>based on the config below, what is the command here that still asks me for the enable password? or should I delete the enable password itself to bypass that?&nbsp;</P> <P>&nbsp;</P> <P>my goal is:</P> <P>1. whenever I logged in my credentials using my tacacs+ account, i can proceed already to priv mode and the device should not ask for the enable password.</P> <P>2. are all the config here are necessary? if no, can you help me identify what are the unnecessary commands to achieve goal 1?</P> <P>&nbsp;</P> <P><STRONG>CONFIG:</STRONG></P> <P>aaa new-model<BR />aaa group server tacacs+ default<BR /> server 172.x.x.x<BR />!<BR />aaa group server tacacs+ ciscosecure<BR /> server 172.x.x.x.x<BR />!<BR />aaa authentication login default group tacacs+ line<BR />aaa authentication login console line none<BR />aaa authorization config-commands<BR />aaa authorization commands 0 default group tacacs+ none <BR />aaa authorization commands 15 default group tacacs+ none <BR />aaa accounting exec default start-stop group tacacs+<BR />aaa accounting commands 0 default start-stop group tacacs+<BR />aaa accounting commands 1 default start-stop group tacacs+<BR />aaa accounting commands 15 default start-stop group tacacs+<BR />!<BR />aaa session-id common</P> <P>&nbsp;</P> <P>&nbsp;</P> <P>tacacs-server host 172.x.x.x<BR />tacacs-server directed-request<BR />tacacs-server key 7 030A0B090A1A2F481D1B<BR />radius-server source-ports 1645-1646</P> Mon, 11 Mar 2019 08:48:57 GMT https://community.cisco.com/t5/network-access-control/tacacs-configuration-network-devices-asking-for-enable-password/m-p/3696666#M25210 joseluis 2019-03-11T08:48:57Z https://community.cisco.com/t5/network-access-control/tacacs-configuration-network-devices-asking-for-enable-password/m-p/3696755#M25212 <P>Add below line.</P> <P>&nbsp;</P> <P><STRONG>aaa authorization exec default group tacacs+ local if-authenticated</STRONG></P> <P>“if-authenticated” keyword at the end of this line, if authenticated we will immediately be dropped into exec (enable) mode.</P> <P>&nbsp;</P> <P>Make sure you do this using test device always with console access, if you lockout yourself you have console access to fix.</P> <P>&nbsp;</P> <P>Test and Advise.</P> <P>&nbsp;</P> Wed, 29 Aug 2018 06:40:20 GMT https://community.cisco.com/t5/network-access-control/tacacs-configuration-network-devices-asking-for-enable-password/m-p/3696755#M25212 balaji.bandi 2018-08-29T06:40:20Z https://community.cisco.com/t5/network-access-control/tacacs-configuration-network-devices-asking-for-enable-password/m-p/3699280#M25214 <P>Also check out several T+ resources&nbsp;@ <A href="http://cs.co/ise-guides" target="_blank">http://cs.co/ise-guides</A></P> <P>The login user needs a default privilege set to its enable level for this to work, besides the configuration line provided.</P> Sun, 02 Sep 2018 02:53:55 GMT https://community.cisco.com/t5/network-access-control/tacacs-configuration-network-devices-asking-for-enable-password/m-p/3699280#M25214 hslai 2018-09-02T02:53:55Z