https://community.cisco.com/t5/network-access-control/struggling-with-aaa-authentication-using-tacacs/m-p/3679292#M25312 <P>Greetings,</P> <P>&nbsp;</P> <P>I am struggling to configure aaa authentication on my cisco switches.&nbsp; Currently all of my devices are using a Corporate based Cisco ISE server to do TACACS+.&nbsp; We are being spun out as a standalone company and I have to bring up our own TACACS+ server. To that end, I have purchased an application called <A href="http://xperiencetech.com/" target="_blank">ClearBox TACACS+ </A></P> <P>&nbsp;</P> <P>I have the TACACS+ server setup to do a Windows AD Global Group lookup.&nbsp; So far so good.</P> <P>&nbsp;</P> <P>This is the aaa setup on the switch:</P> <P style="padding-left: 30px;">enable secret 5 [Secret 5 Hash Here]<BR />username admin privilege 15 password 7 [Secret 7 hash here]<BR />aaa new-model<BR />aaa group server tacacs+ WPLG_TACACS<BR /> server name WPLG_TAC<BR /> ip tacacs source-interface Vlan10<BR />aaa authentication login default group WPLG_TACACS local<BR />aaa authentication login no_tacacs local<BR />aaa authentication enable default group WPLG_TACACS enable<BR />aaa accounting update newinfo<BR />aaa accounting exec default stop-only group WPLG_TACACS<BR />aaa accounting commands 0 default stop-only group WPLG_TACACS<BR />aaa accounting commands 1 default stop-only group WPLG_TACACS<BR />aaa accounting commands 7 default start-stop group WPLG_TACACS<BR />aaa accounting commands 15 default stop-only group WPLG_TACACS<BR />aaa session-id common</P> <P style="padding-left: 30px;">tacacs server WPLG_TAC<BR /> address ipv4 xxx.xxx.xxx.xxx<BR /> key 7 [Secret 7 hash here]</P> <P style="padding-left: 30px;">&nbsp;</P> <P style="padding-left: 30px;">line con 0<BR />&nbsp;exec-timeout 60 0<BR />&nbsp;privilege level 15<BR />&nbsp;login authentication no_tacacs<BR />&nbsp;stopbits 1<BR />line vty 0<BR />&nbsp;exec-timeout 60 0<BR />&nbsp;transport input ssh<BR />line vty 1 4<BR />&nbsp;exec-timeout 60 0<BR />&nbsp;length 0<BR />&nbsp;transport input ssh<BR />line vty 5 15<BR />&nbsp;exec-timeout 60 0</P> <UL> <LI><A id="link_10" class="lia-link-navigation lia-js-predefined-label" href="https://community.cisco.com/t5/forums/postpage/board-id/5936-discussions-aaa-identity-and-nac#" name="AAA" target="_blank">AAA</A></LI> </UL> <P><BR />&nbsp;transport input ssh</P> <P>&nbsp;</P> <P style="padding-left: 30px;">&nbsp;</P> <P style="padding-left: 30px;">Here is my Authentication problem:&nbsp; With the line "aaa authentication enable default group WPLG_TACACS enable" in the config, I can log in with my Domain user name and password when using putty SSH. This works as expected.</P> <P style="padding-left: 30px;">&nbsp;</P> <P style="padding-left: 30px;">From a new console session I&nbsp;get prompted for a username/password, and I can login as admin with the local admin password. That brings me right to the # prompt, enable mode.&nbsp; Now, if I use the disable command to go back to the &gt; prompt and then try to use the enable command again, the enable password will always fail. The admin password will also fail. I have to logout and start the console session again.&nbsp;&nbsp;</P> <P style="padding-left: 30px;">&nbsp;</P> <P style="padding-left: 30px;">If I remove this line; "aaa authentication enable default group WPLG_TACACS enable", I can log in using putty SSH, authenticate against my Windows AD Group and when using a console login I get prompted for the local admin username and password, I get to the enable prompt #. I can use the disable command to get back to the &gt; prompt and then when I use the enable command, the local enable password will work.</P> <P style="padding-left: 30px;">&nbsp;</P> <P style="padding-left: 30px;">Is the normal behavior of do I have something reconfigured?</P> <P style="padding-left: 30px;">&nbsp;</P> <P style="padding-left: 30px;">Thanks!</P> <P style="padding-left: 30px;">&nbsp;</P> Wed, 01 Aug 2018 16:01:44 GMT jeggleston 2018-08-01T16:01:44Z https://community.cisco.com/t5/network-access-control/struggling-with-aaa-authentication-using-tacacs/m-p/3679292#M25312 <P>Greetings,</P> <P>&nbsp;</P> <P>I am struggling to configure aaa authentication on my cisco switches.&nbsp; Currently all of my devices are using a Corporate based Cisco ISE server to do TACACS+.&nbsp; We are being spun out as a standalone company and I have to bring up our own TACACS+ server. To that end, I have purchased an application called <A href="http://xperiencetech.com/" target="_blank">ClearBox TACACS+ </A></P> <P>&nbsp;</P> <P>I have the TACACS+ server setup to do a Windows AD Global Group lookup.&nbsp; So far so good.</P> <P>&nbsp;</P> <P>This is the aaa setup on the switch:</P> <P style="padding-left: 30px;">enable secret 5 [Secret 5 Hash Here]<BR />username admin privilege 15 password 7 [Secret 7 hash here]<BR />aaa new-model<BR />aaa group server tacacs+ WPLG_TACACS<BR /> server name WPLG_TAC<BR /> ip tacacs source-interface Vlan10<BR />aaa authentication login default group WPLG_TACACS local<BR />aaa authentication login no_tacacs local<BR />aaa authentication enable default group WPLG_TACACS enable<BR />aaa accounting update newinfo<BR />aaa accounting exec default stop-only group WPLG_TACACS<BR />aaa accounting commands 0 default stop-only group WPLG_TACACS<BR />aaa accounting commands 1 default stop-only group WPLG_TACACS<BR />aaa accounting commands 7 default start-stop group WPLG_TACACS<BR />aaa accounting commands 15 default stop-only group WPLG_TACACS<BR />aaa session-id common</P> <P style="padding-left: 30px;">tacacs server WPLG_TAC<BR /> address ipv4 xxx.xxx.xxx.xxx<BR /> key 7 [Secret 7 hash here]</P> <P style="padding-left: 30px;">&nbsp;</P> <P style="padding-left: 30px;">line con 0<BR />&nbsp;exec-timeout 60 0<BR />&nbsp;privilege level 15<BR />&nbsp;login authentication no_tacacs<BR />&nbsp;stopbits 1<BR />line vty 0<BR />&nbsp;exec-timeout 60 0<BR />&nbsp;transport input ssh<BR />line vty 1 4<BR />&nbsp;exec-timeout 60 0<BR />&nbsp;length 0<BR />&nbsp;transport input ssh<BR />line vty 5 15<BR />&nbsp;exec-timeout 60 0</P> <UL> <LI><A id="link_10" class="lia-link-navigation lia-js-predefined-label" href="https://community.cisco.com/t5/forums/postpage/board-id/5936-discussions-aaa-identity-and-nac#" name="AAA" target="_blank">AAA</A></LI> </UL> <P><BR />&nbsp;transport input ssh</P> <P>&nbsp;</P> <P style="padding-left: 30px;">&nbsp;</P> <P style="padding-left: 30px;">Here is my Authentication problem:&nbsp; With the line "aaa authentication enable default group WPLG_TACACS enable" in the config, I can log in with my Domain user name and password when using putty SSH. This works as expected.</P> <P style="padding-left: 30px;">&nbsp;</P> <P style="padding-left: 30px;">From a new console session I&nbsp;get prompted for a username/password, and I can login as admin with the local admin password. That brings me right to the # prompt, enable mode.&nbsp; Now, if I use the disable command to go back to the &gt; prompt and then try to use the enable command again, the enable password will always fail. The admin password will also fail. I have to logout and start the console session again.&nbsp;&nbsp;</P> <P style="padding-left: 30px;">&nbsp;</P> <P style="padding-left: 30px;">If I remove this line; "aaa authentication enable default group WPLG_TACACS enable", I can log in using putty SSH, authenticate against my Windows AD Group and when using a console login I get prompted for the local admin username and password, I get to the enable prompt #. I can use the disable command to get back to the &gt; prompt and then when I use the enable command, the local enable password will work.</P> <P style="padding-left: 30px;">&nbsp;</P> <P style="padding-left: 30px;">Is the normal behavior of do I have something reconfigured?</P> <P style="padding-left: 30px;">&nbsp;</P> <P style="padding-left: 30px;">Thanks!</P> <P style="padding-left: 30px;">&nbsp;</P> Wed, 01 Aug 2018 16:01:44 GMT https://community.cisco.com/t5/network-access-control/struggling-with-aaa-authentication-using-tacacs/m-p/3679292#M25312 jeggleston 2018-08-01T16:01:44Z https://community.cisco.com/t5/network-access-control/struggling-with-aaa-authentication-using-tacacs/m-p/3679420#M25313 Sorry, the line:<BR />Is the normal behavior of do I have something reconfigured?<BR />Should have been:<BR />Is this behavior normal or do I have something mis-configured? Wed, 01 Aug 2018 18:04:38 GMT https://community.cisco.com/t5/network-access-control/struggling-with-aaa-authentication-using-tacacs/m-p/3679420#M25313 jeggleston 2018-08-01T18:04:38Z https://community.cisco.com/t5/network-access-control/struggling-with-aaa-authentication-using-tacacs/m-p/3679855#M25314 you have these lines:<BR />aaa authentication login no_tacacs local<BR />aaa authentication enable default group WPLG_TACACS enable<BR /><BR />So whenever you issue enable it will talk to WPLG_TACACS (if available), if not then use local enable.<BR /><BR />So if you want you can try and make your T+ server unavailable to the NAD, if it will likely work for you.<BR />or try add "none" to:<BR />aaa authentication login no_tacacs local none<BR /><BR />btw what switch/router and IOS version ? Thu, 02 Aug 2018 09:21:59 GMT https://community.cisco.com/t5/network-access-control/struggling-with-aaa-authentication-using-tacacs/m-p/3679855#M25314 mbilgrav 2018-08-02T09:21:59Z https://community.cisco.com/t5/network-access-control/struggling-with-aaa-authentication-using-tacacs/m-p/3679858#M25315 <P>bonus free tips: dont use ADMIN user, its prone to bruteforce dictionary attacks ! and change password to secret to avoid reverse hashing option of you password.<BR /><BR />username admin privilege 15 password 7 [Secret 7 hash here] - should be changed to :<BR />username somefreakysuperadminusernamenotpronetodictionaryattacks privilege 15 secret [Secretpass here]</P> <P>&nbsp;</P> <P>&nbsp;</P> <P>and on your T+ server, create a user called admin and disable it !</P> <P>happy AAA'ing !</P> Thu, 02 Aug 2018 09:27:29 GMT https://community.cisco.com/t5/network-access-control/struggling-with-aaa-authentication-using-tacacs/m-p/3679858#M25315 mbilgrav 2018-08-02T09:27:29Z