https://community.cisco.com/t5/network-access-control/en-pass-and-en-secret-with-aaa-authentication/m-p/1125173#M419204 <HTML><HEAD></HEAD><BODY><P>Mauricio</P><P></P><P>Thank you for posting back to the thread and indicating that you have solved the problem and what the solution was. It makes the forum more useful when people can read a problem and can read and find what was the cause of the problem.</P><P></P><P>The forum is a good place to learn about Cisco networking. I encourage you to continue your participation in the forum.</P><P></P><P>HTH</P><P></P><P>Rick</P></BODY></HTML> Tue, 14 Oct 2008 21:05:51 GMT Richard Burts 2008-10-14T21:05:51Z https://community.cisco.com/t5/network-access-control/en-pass-and-en-secret-with-aaa-authentication/m-p/1125168#M419196 <P>Hi all, </P><P></P><P>I have a question: recently I set up ACS 4.2 and configured on aaa client. Everything was working fine until one day the ACS went off-line. I was able to authenticated with the local account and go in enable mode, but when I tried to see the configuration file or do config t, I got a message basically saying that I did not have the rights to do it. I have no idea why, the only thing I can think of is that I removed the enable password from the config and left only enable secret. Does that have anything to do with the issue I experienced? </P><P></P><P>Thank you in advance!</P><P>Cheers....</P> Sun, 10 Mar 2019 23:07:21 GMT https://community.cisco.com/t5/network-access-control/en-pass-and-en-secret-with-aaa-authentication/m-p/1125168#M419196 mguzman4158 2019-03-10T23:07:21Z https://community.cisco.com/t5/network-access-control/en-pass-and-en-secret-with-aaa-authentication/m-p/1125169#M419198 <HTML><HEAD></HEAD><BODY><P>Mauricio </P><P></P><P>The symptoms that you describe sound more like a problem with the configuration of authorization. I doubt that it has anything to do with removing the enable password.</P><P></P><P>Perhaps you could post the aaa configuration (or perhaps even the complete router config) and that might help us to see that is the issue.</P><P></P><P>HTH</P><P></P><P>Rick</P></BODY></HTML> Mon, 06 Oct 2008 20:17:17 GMT https://community.cisco.com/t5/network-access-control/en-pass-and-en-secret-with-aaa-authentication/m-p/1125169#M419198 Richard Burts 2008-10-06T20:17:17Z https://community.cisco.com/t5/network-access-control/en-pass-and-en-secret-with-aaa-authentication/m-p/1125170#M419200 <HTML><HEAD></HEAD><BODY><P>Hi Rick,</P><P></P><P>Here it's. </P><P></P><P>enable secret 5 XXXXXXXXX</P><P>!</P><P>username XXXXX password 7 XXXXXXX</P><P>aaa new-model</P><P>aaa authentication attempts login 5</P><P>aaa authentication login default group tacacs+ local enable</P><P>aaa authorization commands 15 default group tacacs+ local if-authenticated </P><P>aaa accounting exec default start-stop group tacacs+</P><P>aaa accounting commands 15 default start-stop group tacacs+</P><P>!</P><P>aaa session-id common</P><P></P><P>tacacs-server host XXXXXXX</P><P>tacacs-server attempts 5</P><P>tacacs-server directed-request</P><P>tacacs-server key 7 XXXXXXX</P><P></P><P>line con 0</P><P> exec-timeout 20 0</P><P> password 7 XXXXXXXXXXXX</P><P>line vty 0 4</P><P> exec-timeout 20 0</P><P> password 7 XXXXXXXXXXXXXXXXXXXXX</P></BODY></HTML> Mon, 06 Oct 2008 20:22:19 GMT https://community.cisco.com/t5/network-access-control/en-pass-and-en-secret-with-aaa-authentication/m-p/1125170#M419200 mguzman4158 2008-10-06T20:22:19Z https://community.cisco.com/t5/network-access-control/en-pass-and-en-secret-with-aaa-authentication/m-p/1125171#M419202 <HTML><HEAD></HEAD><BODY><P>Mauricio </P><P></P><P>Thanks for providing the additional information. It is not clear to me whether the problem is only about showing the config and about config t or whether it is affecting any command that requires privilege access. (I am guessing that it is any command requiring privilege access) Can you tell us whether other commands that require privilege access do work in that situation (for example can you clear counters on interfaces)?</P><P></P><P>I would suggest that perhaps you try changing this:</P><P>aaa authorization commands 15 default group tacacs+ local if-authenticated </P><P>and make it this:</P><P>aaa authorization commands 15 default group tacacs+ if-authenticated </P><P></P><P>HTH</P><P></P><P>Rick</P></BODY></HTML> Tue, 07 Oct 2008 11:05:25 GMT https://community.cisco.com/t5/network-access-control/en-pass-and-en-secret-with-aaa-authentication/m-p/1125171#M419202 Richard Burts 2008-10-07T11:05:25Z https://community.cisco.com/t5/network-access-control/en-pass-and-en-secret-with-aaa-authentication/m-p/1125172#M419203 <HTML><HEAD></HEAD><BODY><P>Hi Rick,</P><P>I wanted to thank you for taking the time to help others and let you know what the problem was. The appliance was going onto a hang state, but not completely down, thus some aaa clients were still communicating with it and it wasn't letting me fully authenticated with the tacacs account or local account. In a nut shell is was a hardware issue. </P><P></P></BODY></HTML> Tue, 14 Oct 2008 00:22:50 GMT https://community.cisco.com/t5/network-access-control/en-pass-and-en-secret-with-aaa-authentication/m-p/1125172#M419203 mguzman4158 2008-10-14T00:22:50Z https://community.cisco.com/t5/network-access-control/en-pass-and-en-secret-with-aaa-authentication/m-p/1125173#M419204 <HTML><HEAD></HEAD><BODY><P>Mauricio</P><P></P><P>Thank you for posting back to the thread and indicating that you have solved the problem and what the solution was. It makes the forum more useful when people can read a problem and can read and find what was the cause of the problem.</P><P></P><P>The forum is a good place to learn about Cisco networking. I encourage you to continue your participation in the forum.</P><P></P><P>HTH</P><P></P><P>Rick</P></BODY></HTML> Tue, 14 Oct 2008 21:05:51 GMT https://community.cisco.com/t5/network-access-control/en-pass-and-en-secret-with-aaa-authentication/m-p/1125173#M419204 Richard Burts 2008-10-14T21:05:51Z