<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Re: TACACS+ problem when going via console. in Network Access Control</title>
    <link>https://community.cisco.com/t5/network-access-control/tacacs-problem-when-going-via-console/m-p/860060#M392055</link>
    <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;Jorge&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;There are a couple of aspects of your situation which I am puzzled about. Your post talks about logging in and seems to indicate that you are logging in using a local account. But the config is quite clear that TACACS is the primary authentication method. Is the TACACS server running and is the router using TACACS?&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;If the TACACS server is running and is communicating with the router, I am guessing that the local user ID is also a user ID that is configured in TACACS. This would explain why authentication would work. Can you clarify this? And if this is the case I would guess that the user ID is not configured in TACACS to have enable mode access.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;On the possibility that the router is not communicating with the TACACS server I would suggest that you try using the enable secret (or enable password, whichever you have configured) rather than the user password at the prompt for enable mode.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;The other part of your question is more clear. Your question says that when you login through vty you go straight to enable mode but on the console you go to privilege level 1. This is intentional behavior on the router. Going straight into enable mode is a function of authorization (in addition to authentication). And by default Cisco does this for vty and does not do this for the console (the danger of locking yourself out of the router if something is misconfigured is significant). If you are confident of the configuration and want to go directly into enable mode on the console you can use this (hidden) command under line con 0:&lt;/P&gt;&lt;P&gt;aaa authorization console&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;HTH&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Rick&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
    <pubDate>Sun, 09 Dec 2007 03:07:14 GMT</pubDate>
    <dc:creator>Richard Burts</dc:creator>
    <dc:date>2007-12-09T03:07:14Z</dc:date>
    <item>
      <title>TACACS+ problem when going via console.</title>
      <link>https://community.cisco.com/t5/network-access-control/tacacs-problem-when-going-via-console/m-p/860059#M392042</link>
      <description>&lt;P&gt;Hi there, &lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;After going through some topics and trying everything I could find, I am relying on you all to help me further.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;I have a switch and have AAA configured for login via ACS with an AD account. All works fine via Telnet, but when connected to the console I always get a non-enable prompt.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;I have a local user name and password on the device itself, which I can use to log in through the telnet option, and it brings me straight into enable mode. But using this account on the console it brings me to priv level 1. When typing ENABLE I can specify the password that belongs to this local account, but it is not accepted. Instead I get: &lt;/P&gt;&lt;P&gt;Username: admin &lt;/P&gt;&lt;P&gt;Password: &lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;switch&amp;gt;ena &lt;/P&gt;&lt;P&gt;Password: &lt;/P&gt;&lt;P&gt;% Error in authentication. &lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;switch&amp;gt; &lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Pasted below you can find my current config regarding the login methods: &lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;aaa new-model&lt;/P&gt;&lt;P&gt;aaa authentication fail-message ^C&lt;/P&gt;&lt;P&gt;User Authentication has failed. 
If you are not an authorized user,&lt;/P&gt;&lt;P&gt;please disconnect immediately.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Any unauthorized access attempts will be investigated and will be&lt;/P&gt;&lt;P&gt;subject to prosecution under local laws and ordinances.&lt;/P&gt;&lt;P&gt;^C&lt;/P&gt;&lt;P&gt;aaa authentication login default group tacacs+ local&lt;/P&gt;&lt;P&gt;aaa authentication login console group tacacs+ local&lt;/P&gt;&lt;P&gt;aaa authentication enable default group tacacs+ enable&lt;/P&gt;&lt;P&gt;aaa authorization config-commands&lt;/P&gt;&lt;P&gt;aaa authorization exec default group tacacs+ local&lt;/P&gt;&lt;P&gt;aaa authorization commands 0 default group tacacs+ local&lt;/P&gt;&lt;P&gt;aaa authorization commands 1 default group tacacs+ local&lt;/P&gt;&lt;P&gt;aaa authorization commands 5 default group tacacs+ local&lt;/P&gt;&lt;P&gt;aaa authorization commands 15 default group tacacs+ local&lt;/P&gt;&lt;P&gt;aaa authorization commands 15 console group tacacs+ local&lt;/P&gt;&lt;P&gt;aaa authorization network default group tacacs+ local&lt;/P&gt;&lt;P&gt;aaa accounting exec default start-stop group tacacs+&lt;/P&gt;&lt;P&gt;aaa accounting commands 0 default start-stop group tacacs+&lt;/P&gt;&lt;P&gt;aaa accounting commands 1 default start-stop group tacacs+&lt;/P&gt;&lt;P&gt;aaa accounting commands 15 default start-stop group tacacs+&lt;/P&gt;&lt;P&gt;aaa accounting system default start-stop group tacacs+&lt;/P&gt;&lt;P&gt;!&lt;/P&gt;&lt;P&gt;aaa session-id common&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;line con 0&lt;/P&gt;&lt;P&gt; login authentication console&lt;/P&gt;&lt;P&gt; stopbits 1&lt;/P&gt;&lt;P&gt;line vty 0 4&lt;/P&gt;&lt;P&gt; password 7 02115C0918030C71424A1A&lt;/P&gt;&lt;P&gt;line vty 5 15&lt;/P&gt;&lt;P&gt; password 7 0718791E5D0C1A55191618&lt;/P&gt;&lt;P&gt;!&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Anybody have any suggestions for me to try out?&lt;/P&gt;&lt;P&gt;&lt;/P&gt;</description>
      <pubDate>Sun, 10 Mar 2019 22:33:27 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-access-control/tacacs-problem-when-going-via-console/m-p/860059#M392042</guid>
      <dc:creator>jorge.s</dc:creator>
      <dc:date>2019-03-10T22:33:27Z</dc:date>
    </item>
    <item>
      <title>Re: TACACS+ problem when going via console.</title>
      <link>https://community.cisco.com/t5/network-access-control/tacacs-problem-when-going-via-console/m-p/860060#M392055</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;Jorge&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;There are a couple of aspects of your situation which I am puzzled about. Your post talks about logging in and seems to indicate that you are logging in using a local account. But the config is quite clear that TACACS is the primary authentication method. Is the TACACS server running and is the router using TACACS?&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;If the TACACS server is running and is communicating with the router, I am guessing that the local user ID is also a user ID that is configured in TACACS. This would explain why authentication would work. Can you clarify this? And if this is the case I would guess that the user ID is not configured in TACACS to have enable mode access.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;On the possibility that the router is not communicating with the TACACS server I would suggest that you try using the enable secret (or enable password, whichever you have configured) rather than the user password at the prompt for enable mode.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;The other part of your question is more clear. Your question says that when you login through vty you go straight to enable mode but on the console you go to privilege level 1. This is intentional behavior on the router. Going straight into enable mode is a function of authorization (in addition to authentication). And by default Cisco does this for vty and does not do this for the console (the danger of locking yourself out of the router if something is misconfigured is significant). If you are confident of the configuration and want to go directly into enable mode on the console you can use this (hidden) command under line con 0:&lt;/P&gt;&lt;P&gt;aaa authorization console&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;HTH&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Rick&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Sun, 09 Dec 2007 03:07:14 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-access-control/tacacs-problem-when-going-via-console/m-p/860060#M392055</guid>
      <dc:creator>Richard Burts</dc:creator>
      <dc:date>2007-12-09T03:07:14Z</dc:date>
    </item>
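The following IOS configuration is an added example, not part of either post above, showing how the AAA block from Jorge's post looks once Rick's advice is applied: exec authorization is switched on for the console, the named console lists he already defined (login "console", commands 15 "console") are actually bound to line con 0, and a privilege-15 local account plus an enable secret exist so the local fall-back is useful. Two points a practitioner relies on here: a method list only moves to the next method (local, enable) when the preceding method returns an error, such as an unreachable TACACS+ server, not when the server returns a reject, which is why a rejected enable attempt shows "% Error in authentication" without ever consulting the enable secret; and "aaa authorization console" is entered in global configuration mode. The server address, key, account names and secrets are assumed placeholder values; the line-level "password 7" entries from the original are dropped because, with "aaa new-model" and these method lists, the line password is not consulted for login.

```cisco
! Added example (not from the original post). Assumed values: server address,
! shared key, usernames and secrets.
aaa new-model
!
! TACACS+ server definition (assumed address and key). Older images use
! "tacacs-server host 192.0.2.10 key ExampleSharedKey" instead of this block.
tacacs server ACS01
 address ipv4 192.0.2.10
 key ExampleSharedKey
!
! Authentication: TACACS+ first, then local. "local" is only consulted when
! TACACS+ returns an ERROR (server unreachable); a REJECT stops the list.
aaa authentication login default group tacacs+ local
aaa authentication login console group tacacs+ local
! Enable authentication: the trailing "enable" keyword is the enable secret,
! again reached only when TACACS+ is unreachable, never on a reject.
aaa authentication enable default group tacacs+ enable
!
! Exec authorization sets the starting privilege level. IOS applies it to vty
! sessions by default; the console gets it only after this global command.
aaa authorization console
aaa authorization exec default group tacacs+ local
aaa authorization exec console group tacacs+ local
aaa authorization config-commands
aaa authorization commands 15 default group tacacs+ local
aaa authorization commands 15 console group tacacs+ local
!
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
aaa session-id common
!
! Local fall-back for a TACACS+ outage: a privilege-15 account so that exec
! authorization via "local" lands at level 15, and an enable secret for the
! "enable" method. Assumed secrets; use strong, unique ones.
username admin privilege 15 secret ExampleLocalSecret
enable secret ExampleEnableSecret
!
! Bind the named console lists to the console line; without these two
! "authorization" lines the "console" lists defined above are never used.
line con 0
 login authentication console
 authorization exec console
 authorization commands 15 console
 stopbits 1
!
! vty lines use the default lists; no line password is needed under aaa new-model.
line vty 0 15
 transport input ssh
```

Before committing this on a device you only reach remotely, keep an existing session open and test both paths: a console login while the TACACS+ server is reachable (the server must grant privilege level 15 for the account), then the same login with the server unreachable, where the local account and enable secret should take over.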
  </channel>
</rss>

