https://community.cisco.com/t5/network-access-control/some-boxes-reference-enable-secret-some-do-not/m-p/1205558#M405400 <HTML><HEAD></HEAD><BODY><P>What you have looks good. Does everything look OK in ACS?</P></BODY></HTML> Fri, 15 May 2009 18:56:08 GMT Collin Clark 2009-05-15T18:56:08Z https://community.cisco.com/t5/network-access-control/some-boxes-reference-enable-secret-some-do-not/m-p/1205555#M405389 <P>I am working at a client site today that uses a Cisco ACS server via AAA to authenticate users. TACACS is configured and when an admin ssh's to a box on the network, the box queries TACACS which in turn queries Active Directory to authenticate the user.</P><P>We came up with a policy that would grant priveleged mode to the authenticated user, and then they would have to enter the "enable secret" password locally on the box to enter into PRIV EXEC mode.</P><P>For some reason, most of our Cisco devices work fine this way. But we have a handful that will authenticate directly to PRIV EXEC mode after TACACS authentication without prompting the admin for the enable secret password.</P><P>I have inspected the configurations on the devices that do not challenge for the enable secret, and they have the same aaa command configured on them as the ones that do challenge for the enable secret password.</P><P></P><P>Here is an example configuration:</P><P>aaa new-model</P><P>aaa authentication login default group tacacs+ line</P><P>aaa authentication login vty-access group tacacs+ local</P><P>aaa authentication enable default enable</P><P>aaa authorization config-commands</P><P>aaa authorization exec vty-access group tacacs+ local none</P><P>aaa authorization commands 0 default group tacacs+ none</P><P>aaa authorization commands 1 default group tacacs+ none</P><P>aaa authorization commands 2 default group tacacs+ none</P><P>aaa authorization commands 3 default group tacacs+ none</P><P>aaa authorization commands 4 default group tacacs+ none</P><P>aaa authorization commands 5 default group tacacs+ none</P><P>aaa authorization commands 6 default group tacacs+ none</P><P>aaa authorization commands 7 default group tacacs+ none</P><P>aaa authorization commands 8 default group tacacs+ none</P><P>aaa authorization commands 9 default group tacacs+ none</P><P>aaa authorization commands 10 default group tacacs+ none</P><P>aaa authorization commands 11 default group tacacs+ none</P><P>aaa authorization commands 12 default group tacacs+ none</P><P>aaa authorization commands 13 default group tacacs+ none</P><P>aaa authorization commands 14 default group tacacs+ none</P><P>aaa authorization commands 15 default group tacacs+ none</P><P>aaa authorization network default group tacacs+ none</P><P></P> Sun, 10 Mar 2019 23:29:44 GMT https://community.cisco.com/t5/network-access-control/some-boxes-reference-enable-secret-some-do-not/m-p/1205555#M405389 Kevin Melton 2019-03-10T23:29:44Z https://community.cisco.com/t5/network-access-control/some-boxes-reference-enable-secret-some-do-not/m-p/1205556#M405394 <HTML><HEAD></HEAD><BODY><P>Do the VTY's have-</P><P></P><P>privilege level 15</P><P></P><P>That's typically where you get PRIV EXEC mode from.</P></BODY></HTML> Fri, 15 May 2009 14:46:59 GMT https://community.cisco.com/t5/network-access-control/some-boxes-reference-enable-secret-some-do-not/m-p/1205556#M405394 Collin Clark 2009-05-15T14:46:59Z https://community.cisco.com/t5/network-access-control/some-boxes-reference-enable-secret-some-do-not/m-p/1205557#M405396 <HTML><HEAD></HEAD><BODY><P>We have the following commands configured on our vty lines:</P><P>line vty 0 4</P><P> session-timeout 30</P><P> access-class telnet-access in</P><P> exec-timeout 15 0</P><P> authorization commands 15 vty-access</P><P> authorization exec vty-access</P><P> logging synchronous</P><P> login authentication vty-access</P><P> transport input telnet ssh</P><P>line vty 5 15</P><P> session-timeout 30</P><P> access-class telnet-access in</P><P> exec-timeout 15 0</P><P> authorization commands 15 vty-access</P><P> authorization exec vty-access</P><P> login authentication vty-access</P><P> transport input telnet ssh</P><P></P><P>we tried negating the </P><P>"authorization commands 15 vty-access" but to no avail.</P><P>At that point we were authenticating to TACACS fine and then getting prompted like we wanted. But for some reason( witnessed during debug aaa auth) we were getting password mismatches. We re-entered our enable secret password and tried again, but kept on getting password no match and then "Access Denied".</P><P>Perhaps you can help out and tell me what should be configured on the VTY lines so that it will reference the enable secret?</P><P></P><P></P></BODY></HTML> Fri, 15 May 2009 18:04:57 GMT https://community.cisco.com/t5/network-access-control/some-boxes-reference-enable-secret-some-do-not/m-p/1205557#M405396 Kevin Melton 2009-05-15T18:04:57Z https://community.cisco.com/t5/network-access-control/some-boxes-reference-enable-secret-some-do-not/m-p/1205558#M405400 <HTML><HEAD></HEAD><BODY><P>What you have looks good. Does everything look OK in ACS?</P></BODY></HTML> Fri, 15 May 2009 18:56:08 GMT https://community.cisco.com/t5/network-access-control/some-boxes-reference-enable-secret-some-do-not/m-p/1205558#M405400 Collin Clark 2009-05-15T18:56:08Z https://community.cisco.com/t5/network-access-control/some-boxes-reference-enable-secret-some-do-not/m-p/1205559#M405404 <HTML><HEAD></HEAD><BODY><P>Kevin</P><P></P><P>My guess at this point is that the issue is not on the router but is in ACS. Can you check on the configuration in ACS of a couple of the devices that put authenticated users directly into privilege mode? Do these devices have the shell exe checked (and do they give privilege level 15)?</P><P></P><P>The command on the router that works with this is the command:</P><P>aaa authorization exec vty-access group tacacs+ local none </P><P>I would suggest a slight revision of this to make it like:</P><P>aaa authorization exec vty-access group tacacs+ if-authenticated</P><P></P><P>HTH</P><P></P><P>Rick</P></BODY></HTML> Fri, 15 May 2009 19:21:07 GMT https://community.cisco.com/t5/network-access-control/some-boxes-reference-enable-secret-some-do-not/m-p/1205559#M405404 Richard Burts 2009-05-15T19:21:07Z