topic Re: enable Mode authentication in Network Access Control

enable Mode authentication

wasiimcisco — Sun, 10 Mar 2019 22:50:28 GMT

I am not able to configure the enable mode authentication, I have set the ACS user password in Tacac+option tab.

and configure the device for enable mode authentication

aaa new-model

aaa authentication login default group tacacs+ local

aaa authentication enable default group tacasc+

aaa authorization exec default group tacacs+ if-authenticated

aaa authorization commands 1 default group tacacs+ if-authenticated

aaa authorization commands 15 default group tacacs+ if-authenticated

aaa authorization config-commands

aaa accounting commands 1 default start-stop group tacacs+

aaa accounting commands 15 default start-stop group tacacs+

But still after login user only able to enter in enable mode by giving locally configured password, not the password that configured in ACS.

Please help me out how to configure the device that both login and enable authentication controlled by ACS.

Re: enable Mode authentication

Jagdeep Gambhir — Mon, 12 May 2008 23:29:55 GMT

Wasim ,

This is what you need to to do.

Bring users/groups in at level 15

1. Go to user or group setup in ACS

2. Drop down to "TACACS+ Settings"

3. Place a check in "Shell (Exec)"

4. Place a check in "Privilege level" and enter "15" in the adjacent field

Regards,

~JG

Do rate helpful posts

Re: enable Mode authentication

wasiimcisco — Tue, 13 May 2008 10:37:56 GMT

Thanks for the reply,

I did the same thing that u asked me to do, but now user is directly going to the privilage mode, no enable authenication required and no requiring any enable password.

Though i have set the enable password in ACS user TACACS+ Enable Password.

But device is not requiring any password for enable mode. below mention is the command that i configured on the device.

aaa new-model

aaa authentication login default group tacacs+ local

aaa authentication enable default group tacasc+

aaa authorization exec default group tacacs+ if-authenticated

aaa authorization commands 1 default group tacacs+ if-authenticated

aaa authorization commands 15 default group tacacs+ if-authenticated

aaa authorization config-commands

aaa accounting commands 1 default start-stop group tacacs+

aaa accounting commands 15 default start-stop group tacacs+

Re: enable Mode authentication

Jagdeep Gambhir — Tue, 13 May 2008 11:40:23 GMT

Please get debug tacacs and debug aaa authentication output.

Re: enable Mode authentication

wasiimcisco — Wed, 14 May 2008 07:59:03 GMT

Kindly see attachement for debug of my device.

I applied the same configuration that you sent me and turn on the debug

debug aaa authentication

debug tacacs

but still the user is not requiring any enable password, only login username and password required.

PDC-Srv-3750-1#sh debug

General OS:

TACACS+ authentication debugging is on

AAA Authentication debugging is on

PDC-Srv-3750-1#

Re: enable Mode authentication

Jagdeep Gambhir — Wed, 14 May 2008 12:12:50 GMT

Do we have tacacs single connect enabled on acs ?

Normally if the command authorization fails due to ACS misconfig - its says

"% Command Authorization Failed".

It is a known behavior that the IOS sometimes sends requests with wrong source IP when we are using tacacs single-connect option. And since it is sending the wrong source IP, first of all ACS doesn't recognize this IP.

And we do not want directed-request either.

ACTION PLAN:

Please disable the single-connect option and change the config to:

no tacacs-server host x.x.x.x single-connection

no tacacs-server directed-request

no tacacs-server key 7 06260D2A1F575D392653

tacacs-server host x.x.x.x key 7 06260D2A1F5

ip tacacs source-interface Loopback0

Define source interface for tacacs authentication.

On router issue command,

ip tacacs source-interface fastethernet x/y , where interface would be the one mentioned in tacacs server.

If still issue is there then pls send full running config along with following debug

debug aaa authen

debug aaa author

debug tacacs

Regards,

~JG

Re: enable Mode authentication

wasiimcisco — Mon, 19 May 2008 10:24:12 GMT

sorry for the late reply, i was busy in other stuff, regarding cisco catalyst switches command authorization is working, but for cisco pix firewall, it is not working,

I wanted to apply the same command set for junior admin of firewall, that i m using for switches, but it is not working for me.

firewall only allowing full access to admin, but not allowing junior to do anything, not even show,

I have atacched the screen shots for your review and firewall aaa configuration,

TDC-INT-525-01> enable

Command authorization failed

TDC-INT-525-01> show aaa

ERROR: % Invalid input detected at '^' marker.

TDC-INT-525-01> show xlate

ERROR: % Invalid input detected at '^' marker.

TDC-INT-525-01> enable

Command authorization failed

TDC-INT-525-01>

aaa-server TACACS+ protocol tacacs+

aaa-server TACACS+ (edn) host 172.28.31.132

aaa-server TACACS+ (edn) host 172.28.31.133

aaa authentication ssh console TACACS+ LOCAL

aaa authentication serial console LOCAL

aaa authentication enable console TACACS+ LOCAL

aaa authorization command TACACS+

aaa accounting command privilege 15 TACACS+

aaa accounting enable console TACACS+

Re: enable Mode authentication

Jagdeep Gambhir — Mon, 19 May 2008 14:20:27 GMT

Wasim,

I don't see enable keyword defined in the command authorization set.

Please add "enable" along with show and clear in the "command authorization setup".

That should fix it.

Regards,

~JG

Re: enable Mode authentication

wasiimcisco — Mon, 19 May 2008 17:24:05 GMT

thanks for the help, it works like a magic, now i am able to restrict the users,

Re: enable Mode authentication

wasiimcisco — Tue, 20 May 2008 12:07:01 GMT

I have pix 535, i want to configure it for ACS authentication, but problem is that, users tries to login from inside interface and ACS located on outside interface of pix firewall.

I have configured the following commands but still not able to get the authentication,

aaa-server TACACS+ protocol tacacs+

aaa-server TACACS+ (inside) host 172.28.31.132 waridtel0321

aaa-server TACACS+ (inside) host 172.28.31.133 waridtel0321

aaa authentication ssh console TACACS+ LOCAL

aaa authentication serial console LOCAL

aaa authentication enable console TACACS+ LOCAL

aaa authorization command TACACS+

aaa accounting command privilege 15 TACACS+

aaa accounting enable console TACACS+

same configuration is working fine for me with rest of the firewalls of my network bcz ACS and users are located on the same interface side, only this firewall is having problem.

Firewall is not having any thing like source interface like routers have.

Please help me out.